Skype security problems

[wanghx]

http://en.wikipedia.org/wiki/Skype

Security features

Main article: Skype security

Secure communication is a feature of Skype; encryption cannot be disabled, and is invisible to the user. Skype reportedly uses non-proprietary, widely trusted encryption techniques: RSA for key negotiation and the Advanced Encryption Standard to encrypt conversations.^[12] Skype provides an uncontrolled registration system for users with absolutely no proof of identity. This permits users to use the system without revealing their identity to other users. It is trivial, of course, for anybody to set up an account using any name; the displayed caller's name is no guarantee of authenticity.

[edit] Issues

[edit] Security concerns

A third party paper analyzing the security and methodology of Skype was presented at Black Hat Europe 2006.^[13] It analysed Skype and made these observations:

• Skype keeps chatting on the network, even when idle (even for non-supernodes. May be used for NAT traversal)
• Assumes a 'blind trust' of anything else speaking Skype
• Ability to build a parallel Skype network
• Skype makes it hard to enforce a (corporate) security policy
• No way to know if there is or will be a 'backdoor'
• In February 2007 it became known that Skype creates a file called 1.com in the temp directory which is capable of reading all BIOS data^[14] from a PC. According to Skype this is used to identify individual computers and provide DRM protection for plug-ins.^[15][16]
• Skype is owned by eBay, whose privacy policy is perhaps the least protective of customers of any large corporation. eBay claims it goes above and beyond what it is required to do by law, seeking out and giving police all the information it stores about users excluding some financial data, for which they require a subpoena.^[17]
• The security and protection of privacy of traffic through Skype is controversial. Although Skype offers an encryption for the direct communcation between users, a spokesperson of Skype did not want to deny the ability to intercept the communiction.^[18] On the question of whether Skype could listen in on their users' communication, Kurt Sauer, head of the security division of Skype, replied evasively: "We provide a secure means of communication. I will not say if we are listening in or not." The implementation of a text filter in China ^[19] suggests that Skype makes use of its eavesdropping capabilities if necessary, or whenever it is in their economic interest. It is also well known that the owner of Skype, eBay, is a close and reliable partner of US authories when it comes to divulging private information of their users. ^[20][21]

Skype service issues

• There have been a multitude of complaints about Skype's poor customer support.^[22] As of September 2008, Skype did not provide a way to contact customer support, offering indirect assistance through its web portal only. There have also been criticisms of Skype blocking and disabling customer accounts from using the SkypeOut service.^[23]
• While available for Windows, Mac OS X and Linux (i386 platform) operating systems, there is no Skype version for the Palm OS, used in mobile devices like the Treo 700p smartphone.
• Skype has been criticized for bugs and delays in its Linux version, which is relatively undeveloped compared to the Mac and Windows versions and many features included in the other versions are not found in the Linux client.^[24]
• SkypeOut does not support storing or (automatically) calling numbers with extensions.^[25] Instead, a user must call the number (without the extension), wait for the call to connect and then manually enter the extension. This means that many business customers in practice need a separate contact list that includes extensions, causing the built-in contact list to be of little use. This is by many customers considered a fairly basic feature, and other phone services typically support it by allowing numbers to contain a symbol to represent a pause, as in "1-800-123-4567 x54321" or "1-800-123-4567,,,54321" where 54321 is the extension.

[edit] Compliance with the Communications Assistance for Law Enforcement Act

In the United States, the FCC has interpreted the Communications Assistance for Law Enforcement Act as requiring digital phone networks to allow wiretapping in the presence of an FBI warrant, in the same way as traditional phone service. Skype is not yet compliant with the act and has, so far, stated that it does not plan to comply.^[26]

[edit] German wiretapping

It has been reported that German authorities have been wiretapping Skype conversations using a trojan horse.^[27] A number of individuals involved in publicly disclosing this information have been placed under investigation.^[27]

[edit] Censorship in China

Skype is one of many companies (others include AOL, Google, Microsoft, Yahoo, Cisco) which has cooperated with the Chinese government in implementing a system of Internet censorship in the People's Republic of China. Niklas Zennström, chief executive to Skype, told reporters that its joint venture partner in China is operating in compliance with domestic law. "TOM Online had implemented a text filter, which is what everyone else in that market is doing," said Zennström. "Those are the regulations," he said. "I may like or not like the laws and regulations to operate businesses in the UK or Germany or the US, but if I do business there I choose to comply with those laws and regulations. I can try to lobby to change them, but I need to comply with them. China in that way is not different."^[28]

Since late September, users in China trying to download the Skype software are redirected to the TOM site from which a modified Chinese version can be downloaded. Activists in China are warned about the possibility that TOM's versions have or will have more trojan capability.^[29]

^{http://en.wikipedia.org/wiki/Skype_security}

Security flaws

The main problem when examining Skype security is that Skype is not open-source, rather it is proprietary and secret, thus one can only rely on information from Skype itself or by continuous examination of its performance under various attacks.

In an article by Simson Garfinkel - Voip and Skype Security, the author says after analyzing Skype network that it seems Skype indeed encrypts users' sessions, however other traffic on the network including initiation of calls can be monitored by other parties on the network which are not privileged to participate in the specific session. Also in terms of privacy, Skype uses a "History" file saved on the user's machine to record all communication between users. This feature is enabled as default although not many users are aware of that. This enables attackers to obtain the file through spyware or other remote-control applications.

On October 2005 a pair of security flaws were discovered. Those flaws made it possible for hackers to run hostile code on computers running vulnerable versions of Skype.
The first security bug affected only Skype for Windows. It allowed the attacker to use a buffer overflow in order to crash the system or to force it to execute arbitrary code. The attacker was able to place a malformed URL using the Skype URI format, and lure the user to use it in order to execute the attack.
The second security bug affected all platforms; it used a heap-based buffer overflow to make the system vulnerable.
Skype responded to the findings by fixing the bugs and issuing a security patch.

The Skype code is proprietary and closed source, and it is not planned to become open-source software, according to one of Skype's co-founders:

"We could do it but only if we re-engineered the way it works and we don't have the time right now."

– Niklas Zennström, co-founder of Skype, responding to the Skype security model^[1]

Que Publishing's book, Skype: The Definitive Guide^[2] points out:

• Skype can utilise other users' bandwidth. (Although this is allowed for in the EULA, there is no way to tell how much bandwidth is being used in this manner). There are some 20,000 supernodes out of many millions of users logged on. Skype Guide for network administrators[1] claims that supernodes carry only control traffic up to 5 kB/s and relays may carry other user data traffic up to 10 kB/s (for one video call). A relay should not normally handle more than one "relayed connection".
• Skype's file-transfer function does not contain any programmatic interfaces to antivirus products, although Skype claims to have tested its product against antivirus "Shield" products.
• The lack of clarity as to content means that systems administrators cannot be sure what Skype is doing. (The combination of an invited and a reverse-engineered study taken together suggest Skype is not doing anything hostile). Skype can be easily blocked by firewalls.
• The actual communication of any given Skype conversation uses modern encryption techniques to make conversations secure, as mentioned in the above studies.

[edit] Notes

1. Silver Needle in the Skype — Philippe Biondi [2]
2. Voip and Skype Security - Simson Garfinkel [3]
3. Skype Security Evaluation — Tom Berson [4]
4. Skype Official web site — Skype security resource center [5]