The issues with Skype - continued

Last week I wrote a column for the Wall Street Journal Europe discussing a couple of hidden issues related to the design of the hugely popular Voice-over-IP Skype service (which lets you "phone" for free or near-free over the Internet, do video, IM, and transfer files). In particular I described the way it distributes traffic, exploiting users' bandwidth and processing power, and bypasses network firewalls, creating potential vulnerabilities - to the point that an increasing number of companies and organizations, including CERN (the birthplace of the Web), have banned it from their networks.

Some readers disagreed with the column, like Garnet Stone who said basically that my arguments were weak or exaggerated, while others, such as Nicholas Carr (author of "Does IT Matter?") agreed with what i wrote.

Garnet also said that there are more Skype-related threats that I didn't mention in the column, and he is totally right: there are a number of other serious issues with Skype, both related to its design and to security. (Let me state, for perspective, that I'm an enthusiastic Skype user).

In the article I briefly mentioned a study done by Philippe Biondi and Fabrice Desclaux at EADS' research center in Suresnes, France (that's the European Aeronautic Defense and Space company) and which they presented at the Black Hat conference in the Netherlands in early March. The handouts of their presentation are available on the event's website as a PDF. Most of the content of those slides is way beyond the outer limits of my technology understanding (so any translation by more tech-literate readers is warmly welcome). I contacted Biondi asking for an interview, but he gently declined. Here is what I think I get: Biondi and Desclaux did some very serious Skype dissecting and while acknowledging (slide 113) that Skype was "made by clever people" and "makes good use of cryptography", they concluded that it introduces significant potential vulnerabilities in corporate and other networks. What they seem to describe in their presentation is that Skype's is a network layered over the existing networks and working with end-to-end connections, so that when a Skype user is active there are no more traditional notions of "inside" and "outside" a corporate network - obviously, corporate IT administrators are not very comfortable with this. The two researchers say (slide 113): "impossible to protect from attacks (which would be obfuscated)", and obfuscation is another thing admins dislike (this seems to point to a market for Skype-blocking tools, by the way). They use expressions such as "the biggest botnet ever" (slide 112), "total blackbox", "lacking transparency", "no way to know if there is a backdoor" (all in slide 113 - that's the "conclusions" page).

All these quotes suggest that the designers of Skype did all they could to make their software as ambiguous and obscure as possible - maybe as a way to prevent others to clone it. But Biondi and Desclaux have an interesting sentence in slide 64, where they say that they wrote a piece of software that "can assemble Skype packets and speak Skype". To me that means that it is possible to "clone" Skype and create a parallel system that can interoperate with it (nobody has done it before to my knowledge) and be fully transparent to the rest of the Skype network and users (slide 101: a step-by-step guide to "build your own Skype Private Network"; slide 113: Skype "fully trusts anyone who speaks Skype"). This doesn't mean that the person in control of the modified Skype "rogue network" could intercept and decrypt session keys and communications, but I guess it does mean that (s)he could at least abuse the Skype network to have it transport its datastreams.

As I already wrote in that WSJE column, success brings scrutiny and size raises new issues. The discussion on Skype is just starting and is relevant to all. Consider this post by Skype-Watch's Jan Geirnaert, offering an overview of some additional security issues and flaws in Skype (including the possibility of botnet attacks; several operational flaws such as multiple userlogin, clear-text password reset and others; hacked supernodes; spoofing of corporate networks, and more). Asks Geirnaert: "Do the internal corporate offices of Skype and eBay use the same public version of Skype"?

We all love it - Skype. My friend Yossi Vardi, the Israeli investor, calls it "tool lust". Skype is empowering. Fast, easy, cheap, it does whatt it does better than anyone else. Considering that their software has been downloaded more than 250 million times in less than three years though (with a few million users logged in at any time) and that the word "Skype" sometimes sounds like a placeholder for "future of telecommunications", its flaws and security issues are not highlighted and discussed enough.

[tags: Skype security Skype security VoIP EADS supernodes WSJE]

Comments

With the caveat that I also don't understand much of what's in the slide deck you reference, here are the basic messages I took away from it:

- If you are the maker of Skype, it should be possible to eavesdrop on conversations... if you've deliberately broken the encryption so that you can put a back door into it. If you're not Skype, eavesdropping requires making your own Skype client with a backdoor in it, convincing people to use it, and then you could evesdrop on those conversations, if you could capture those bits. Because this scenario is pretty unlikely, the main risk of eavesdropping is that an entity could intercept your conversation and subpoena a decrypt key from Skype.

- Skype transmits data whether or not you're making a call. This could be status data - you're available to receive a call - that is heavily obscured with empty bits... but the fact that this traffic is not constant but ebbs and flows suggests that something else is going on. Perhaps you're helping route traffic for other Skype users? Or perhaps something more sinister is going on. People who analyze for security risk really dislike scenarios like this, where you can't tell why a piece of software is generating traffic.

- Because Skype is a black box (you can't see the code inside it), and you can't really analyze it from the outside (because what comes into and out of it is encrypted), there's no promises that Skype isn't doing something very, very bad... or couldn't be made to do something very, very bad. Since Skype can send arbitrary packets to arbitrary IPs, who's to say that the whole network can't be made to act as a tool for conducting distributed denial of service attacks?

These concerns aren't going to stop me from using Skype... but they help me understand why some of cryptoenthusiast friends won't use it, and why it would be really nice to have an open source, transparent, encrypted tool for VOIP.

Posted by: Ethan | April 06, 2006 at 03:57 AM

you know on the matter of security. i have been talking to some SIP guys. So of course Skype is not like their friend. So the question raised : how to make money with it, is it safe and can it be managed. Meaning is it a business-tool. My answer to that is if you make into one yes. Is it safe than pop/smtp email on a provider it's box ? No it is not (yet). Maybe a little bit safer... Can it be managed ? Maybe if you create a tool and policy around it. Ask the Skype and Ebay guy how they manage it. So the point is : use it and see what it does. Don't use it, well then don't. It will cut short many of the security discussions going on. Since when are IM chat-boxes something that should be safe and secure ?

Posted by: Jan Geirnaert | callto://tropicaljantie | August 29, 2006 at 10:07 AM

after two the dual login without notification is still in place. nothing has changed.

Posted by: Jan Geirnaert | Tropicaljantie | April 06, 2007 at 12:11 AM