Skype security flaw could expose users to stalking or fraud

25 Oct 2011

Microsoft completed its US$8.5bn acquisition of Skype in recent weeks

A security flaw in Skype has been discovered, that experts claim can be used to track not only users’ locations but also their peer-to-peer file-sharing activities and could open users up to fraud, stalking or blackmail.

The flaw has been discovered by a research team at the Polytechnic Institute of New York University. In recent weeks, Microsoft completed its US$8.5bn acquisition of Skype.

Prof Keith Ross, the Leonard J Shustek professor of computer science at NYU-Poly, explained that the team uncovered several properties of Skype that can track not only users’ locations over time but also their peer-to-peer (P2P) file-sharing activity.

Even when a user blocks callers or connects from behind a network address translation (NAT) – a common type of firewall – it does not prevent the privacy risk, he said.

The research also revealed that marketers can easily link to information such as name, age, address, profession and employer from social media sites, such as Facebook and LinkedIn, in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

“These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services,” said Ross.

“A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud.”

How the VoIP flaw works

Ross explained these privacy weaknesses are fairly easy to exploit, and a sophisticated high school-age hacker would likely be capable of executing similar attacks.

The team first observed that with VoIP (voice and video over IP) systems, when Alice establishes a call with Bob, Bob reveals his IP address to Alice. Alice can then use commercial geo-IP mapping services to determine Bob’s location and internet service provider (ISP). 

The team also found that Alice can initiate a Skype call, block some packets and quickly terminate the call to obtain Bob’s IP address without alerting Bob with ringing or pop-up windows.

Alice can make this attack even when Bob is not on her contact list or even when Bob explicitly configures Skype to block calls from non-contacts. By repeating the process on, say, an hourly basis, Alice can track the locations and movements of any Skype user over weeks or months, without the user having any idea he or she is being tracked.

To demonstrate the potential severity of these security vulnerabilities, the researchers tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period, using techniques that neither harmed nor disrupted the service, utilised any requests for which the service was not designed nor interfered with users. All data were anonymised for user safety. Skype and Microsoft Corp were informed of the researchers’ findings. 

The researchers used commercial geo-location mapping services and found they could construct a detailed account of a user’s daily activities even if the user had not turned on Skype for 72 hours.

In one example, they accurately tracked one volunteer researcher from his visit at a New York university to a vacation in Chicago, a return to a New York university, lodging in Brooklyn, then to his home in France.

“If we had followed the mobility of the Facebook friends of this user, as well, we likely would have determined who he was visiting and when,” the authors said.

They calculated it would cost a marketer who wanted to create a database only US$500 per week to track 10,000 users – and perhaps less, since they did not delve deeply into optimisation.

In another experiment, they queried the 50,000 most popular downloads on BitTorrent, a popular P2P file-sharing system. Because it enables sharing of large files, it is a favourite of digital pirates.

When a common IP address was found on both Skype and BitTorrent, the researchers were able to determine the files that identified individuals downloaded or shared. They noted that the same information could be obtained from other P2P applications, such as eMule or Xunlei.

The research team’s paper, I Know Where You are and What You are Sharing, will be presented during the Internet Measurement Conference 2011 in Berlin on 2 November 2011. The authors are Chao Zhang and Keith Ross of NYU-Poly; Stevens Le Blond of the Max Planck Institute for Software Systems (MPI-SWS), Germany; and Arnaud Legout and Walid Dabbous of the French research institute I.N.R.I.A Sophia Antipolis.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years