Skype is investigating a tool published recently on Pastebin that captures the last-known IP address of the VoIP service’s users.
“This is an ongoing, industry-wide issue faced by all peer-to-peer software companies,” Adrian Asher, Skype’s director of product security, told TechNewsWorld. “We are committed to the safety and security of our customers and we are taking measures to help protect them.”
This particular flaw was discussed in a paper presented by an international team of researchers in November at the Internet Measurement Conference 2011 in Berlin.
The flaw could lead to serious attacks, warned Randy Abrams, a security consultant.
“There’s a lot more at risk than simply IP disclosure,” Abrams told TechNewsWorld. “The ability to redirect to another Web page implies the ability to frame someone for accessing child pornography, among other non-trivial attacks, for example.”
It’s Tool Time!
The tool exploits a patched version of Skype 5.5. Skype’s flaw lets anyone see another person’s vCard and get that person’s real user IP address and the IP address of the internal network card on that person’s PC.
A vCard is a file format standard for electronic business cards.
More information about the target, such as the city and country where he or she is located, and the Internet service provider the target is using, can be obtained by going to a Whois service.
Whois is used to get information on registered users or assignees of domain names and IP address blocks, among other things.
Findings of the Research Team
The researchers stated that the flaw could let Voice over IP (VoIP) phone systems, including Skype, be exploited by third parties to ascertain users’ identities, locations and digital files. The flaw can be exploited by a sophisticated hacker of high school age, they said.
Tracking Skype accounts and combining this with commercial geo-location services let the researchers construct a detailed account of a user’s daily activities even if the user had not accessed Skype for 72 hours.
By repeatedly calling targets over Skype and terminating the calls regularly, perhaps hourly, attackers could find out the locations and movements of any Skype user over weeks or months without the targets’ knowledge, the researchers said. They could discover which digital files targets downloaded by combining this attack with tracking targets’ activities on popular peer-to-peer file sharing systems such as BitTorrent.
Linking data obtained from VoIP systems through the flaw to personal information from social media sites would let marketers create profiles on large numbers of people, the researchers said. They estimate it will cost a marketer only about US$500 a week to track 10,000 users.
The researchers notified both Skype and Microsoft, which purchased Skype last year, of their findings.
Hitting Gamers and Mobile Devices
Skype service is now available on the Windows Phone and the PlayStation Vita, and this may open up new areas of attack.
“The potential of abuse on these platforms needs to be carefully reviewed,” Abrams warned. “The problem itself may well exist in other undiscovered areas, as programming logic errors are commonly repeated.”
The Art of VoIP Self-Defense
The researchers suggested various tactics VoIP service providers can use to protect users.
One approach is for the designer of the VoIP signaling protocol to ensure that a user’s IP address is not revealed to callers unless the user accepts the call. If a user blocks all calls from people not on their contact list then anyone not on that list won’t be able to determine the user’s IP address. The researchers recommend this solution for all VoIP applications. Think of this as Caller ID in reverse.
Users may also want to block people on their contact list from getting their IP address. To do this, the researchers suggested VoIP service providers pass all calls through relays. This will attach the IP address of the relay to the data. However, this solution increases VoIP traffic and slows P2P communication.