Skype Security - Flaws and Potential Flaws

Flaws and Potential Flaws

While Skype encrypts users' sessions, other traffic including call initiation can be monitored by unauthorized parties.

The other side of security is whether Skype imposes risk on its users' computers and networks. In October 2005 a pair of security flaws were discovered and patched. Those flaws made it possible for hackers to run hostile code on computers running vulnerable versions of Skype. The first security bug affected only Microsoft Windows computers. It allowed the attacker to use a buffer overflow to crash the system or to force it to execute arbitrary code. The attacker could provide a malformed URL using the Skype URI format, and lure the user to request it to execute the attack. The second security bug affected all platforms; it used a heap-based buffer overflow to make the system vulnerable.

• 13 November 2012, a Russian user published a flaw in Skype security which allowed any non-professional attacker to take over a Skype account knowing only the victim's email using 7 simple steps. This vulnerability was claimed to exist for months, and existed for more than 12 hours since it was published widely.

• By default, Skype also records data about calls (but not the message contents) in a "History" file saved on the user's computer. Attackers who gain access to the computer can obtain the file.

• Skype can consume other users' bandwidth. Although this is documented in the license agreement (EULA), there is no way to tell how much bandwidth is being used in this manner.

• There are some 20,000 supernodes out of many millions of users logged on. Skype Guide for network administrators claims that supernodes carry only control traffic up to 10 kB/s and relays may carry other user data traffic up to 15 kB/s (for one audio conference call). A relay should not normally handle more than one "relayed connection".

• Skype's file-transfer function does not integrate with any antivirus products, although Skype claims to have tested its product against antivirus "Shield" products.

• Skype does not document all communication activities. This lack of clarity as to content means that systems administrators cannot be sure what it is doing. (The combination of an invited and a reverse-engineered study taken together suggest Skype is not doing anything hostile). Skype can be easily blocked by firewalls.

• Skype consumes network bandwidth, even when idle (even for non-supernodes, e.g., for NAT traversal). For example, if there were only 3 Skype users in the world and 2 were communicating, the 3rd computer would be taxed to support the application, even if not using Skype at the time. The large number of Skype computers means that this activity is diffuse, it can lead to performance issues on standby Skype users, and presents a conduit for security breaches.

• Skype implicitly trusts any message stream that obeys its protocols

• Skype does not prohibit a parallel Skype-like network

• Skype makes it hard to enforce a corporate security policy

• Lack of peer review prohibits external security code verification.

• Skype creates a file called 1.com in the temp directory which is capable of reading all BIOS data from a PC. According to Skype this is used to identify computers and provide DRM protection for plug-ins.

• The URI handler that checks URLs for verification of certain file extensions and file formats uses case sensitive comparison techniques and doesn’t check all potential file formats.

• While Skype does encrypt most of its communications, packets containing advertisements are unencrypted which are pulled from several places, exposing a cross-site scripting vulnerability. These ads can easily be hijacked and replaced with malicious data.

• The privacy of Skype traffic may have limits. Although Skype encrypts communication between users, a Skype spokesman did not deny the company's ability to intercept the communication. On the question of whether Skype could listen in on their users' communication, Kurt Sauer, head of the security division of Skype, replied evasively: "We provide a secure means of communication. I will not say if we are listening in or not." In China text is filtered according to government requirements. This suggests that Skype has the capacity to eavesdrop on connections. One of Skype's minority owners, eBay, has divulged user information to the U.S. government.

• Security researchers Biondi and Desclaux have speculated that Skype may have a back door, since Skype sends traffic even when it is turned off and because Skype has taken extreme measures to obfuscate their traffic and functioning of their program. Several media sources have reported that at a meeting about the "Lawful interception of IP based services" held on 25 June 2008, high-ranking but not named officials at the Austrian interior ministry said that they could listen in on Skype conversations without problems. Austrian public broadcasting service ORF, citing minutes from the meeting, have reported that "the Austrian police are able to listen in on Skype connections". Skype declined to comment on the reports.

• The Skype client for Linux has been observed accessing the /etc/passwd file during execution. This file contains a list of all user accounts on the system and may also include hashed passwords. Access to this file can be confirmed by tracing system calls made by the Skype binary during execution. As this file contains sensitive system information related to logins which are not used in the Skype system, there is not a legitimate use for accessing this file and thus Skype's motives for doing so must be questioned. It must be noted, however, that newer Linux systems store sensitive password information in /etc/shadow, with access only provided to privileged applications, which Skype is not.

• The Skype client for Mac has been observed accessing protected information in the system Address Book even when integration with the Address Book (on by default) is disabled in the Skype preferences. Users may see a warning about Skype.app attempting to access protected information in address book under certain conditions, e.g. launching Skype while syncing with a mobile device. Skype has no legitimate reason to access the Address Book if the integration is not enabled. Further, the extent of the integration is to add all cards from the Address Book to the list of Skype contacts along with their phone numbers, which can be accomplished without accessing any protected information (neither the name nor numbers on cards are protected) and thus the attempt to access information beyond the scope of the integration, regardless of whether or not that integration is enabled, raises deeper questions as to possible spying on users.

• The United States Federal Communications Commission (FCC) has interpreted the Communications Assistance for Law Enforcement Act (CALEA) as requiring digital phone networks to allow wiretapping if authorized by an FBI warrant, in the same way as other phone services. In February 2009 Skype said that, not being a telephone company owning phone lines, it is exempt from CALEA and similar laws which regulate US phone companies, and in fact it is not clear whether Skype could support wiretapping even if it wanted to. According to the ACLU, the Act is inconsistent with the original intent of the Fourth Amendment to the U.S. Constitution; more recently, the ACLU has expressed the concern that the FCC interpretation of the Act is incorrect.