The debate about Skype security refuses to die down. In March, I wrote about a report from Privacy International which reportedly claimed that Skype’s security vulnerabilities could put the lives of those using it in repressive regimes in danger.
The scenario became even more interesting in June when Efim Bushmanov, a Russian freelance researcher, claimed that he had successfully reverse engineered the official Skype desktop implementation in an attempt to make the service open source. And now Skype is back in the news for the wrong reasons: security researchers claim to have uncovered a new security flaw which could provide hackers with easy access to a Skype user’s IP address.
Researchers claim that it would be foolish to ignore such major flaws in Skype security, as they can be used by terrorists or criminals to determine the locations of groups of government officials or employees of a large organization.
The study, co-authored by Keith Ross, an NYU-Poly professor, claims that this flaw lets hackers determine the IP address from which a Skype user is logged in. Since the IP address usually maps directly to a user’s physical location, this makes the user vulnerable. The authors claim that hackers can obtain these IP addresses via simulated calls that would never be detected. Further, the situation is grave because blocking callers or working from behind a firewall won’t solve the problem.
To prove their point, the researchers used the flaw to successfully track one of their own teammates as he traveled from New York to Chicago, back to New York and then to his home in France. Researchers say other video-chat services such as MSN Live, QQ and Google Talk may be suffering from the same flaw. The results of the study — titled “I Know Where You are and What You are Sharing” — will be presented at a computer security conference in Germany next week.
Skype neither acknowledged nor denied the researchers’ claims, instead stating that IP addresses are easily uncovered in most web communications clients.
With 700 million users worldwide, Skype is widely regarded as the “Big Daddy of Internet Telephony” and is arguably the most popular free online phone and chat service on the web. Though several hackers have targeted Skype, they’ve had little success to date, as Skype has managed to keep its ‘protocol’ under wraps. Though Bushmanov & company claimed to have reverse engineered Skype’s protocol, the service continues to be the ‘safest bet’ among all Internet Telephony services. Whether this study changes the public perception of Skype security remains to be seen.