The Public Eye with Eric Chabrow

Child's Play: Pilfering PII Via Skype

Researchers Unveil Flaws in IP-Phone Services

It's so easy that a child could uncover personally identifiable information of millions upon millions of Internet phone users, if the child is a sophisticated, high-school-age hacker.

That's how researchers from the Polytechnic Institute of New York University describe an easily exploitable flaw in Skype and other IP-based phone systems that could potentially disclose the identities, locations and digital files of hundreds of millions of users, according to a new paper, "I Know Where You are and What You are Sharing."

"A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user - from private citizens to celebrities and politicians - and use the information for purposes of stalking, blackmail or fraud," Keith Ross, an NYU-Poly computer science professor who headed the research team, says in a statement issued by the school.

The flaw, for instance, could allow marketers to effortlessly link information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to build inexpensive profiles, a bargain at pennies for each individual profile.

Ross' research team, including colleagues in France and Germany, uncovered several properties of Skype that track users' locations over time as well as their peer-to-peer file-sharing activity, even when a user blocks callers or connects from behind a common type of firewall. Though researchers studied only Skype, they say their findings also apply to other IP-based phone systems. Their findings will be presented next month at the Internet Measurement Conference 2011 in Berlin.

Using commercial geo-location mapping services, researchers found they could construct a detailed account of a user's daily activities even if the user had not turned on Skype for 72 hours. In one example, researchers say, they accurately tracked a volunteer from his visit at a New York university to a vacation in Chicago, a return to a New York university, lodging in Brooklyn, then to his home in France. "If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when," the study says.

Stealth Observation

To explain the flaw, researchers conjured two Skype users, Alice and Bob. When Alice calls Bob over Voice over Internet Protocol - or VoIP, the protocol Skype employs - Bob's machine reveals his IP address to Alice. Using a geo-IP mapping service, Alice can determine Bob's location and Internet service provider. Alice also could initiate a Skype call, block some packets and quickly terminate the call to obtain Bob's IP address without alerting Bob with ringing or pop-up windows. Alice could attack Bob even when Bob isn't on her contact list or even when Bob configures Skype to block calls from non-contacts. By repeating the process on, say, an hourly basis, Alice could track the locations and movements of any Skype user over weeks or months, without the user having any idea that he or she is being tracked.

Also, when a common IP address was found on Skype and BitTorrent, a popular peer-to-peer sharing system, researchers say they could identify files individuals downloaded or shared.

Researchers say they tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period, using techniques that neither harmed nor disrupted the service, did not use any requests for which the service was not designed and did not interfere with users. All data were anonymized.

Skype and its new owner Microsoft were informed of the researchers' findings. I sent an e-mail to Skype's public relations official to get its response, and received this boilerplate reply attributed to Adrian Asher, Skype's chief information security officer:

"We value the privacy of our users and are committed to making our products as secure as possible. Just as with typical Internet communications software, Skype users who are connected may be able to determine each other's IP addresses. Through research and development, we will continue to make advances in this area and improvements to our software."

Skype's response wasn't clear on specific steps it has taken to address the vulnerabilities the researchers discovered.

The researchers, however, contend there's a fairly straightforward and inexpensive fix to prevent hackers from taking the critical first step in this security breach, that of obtaining users' IP addresses through inconspicuous calling. If the Skype protocol were redesigned, a user's IP address would never be revealed unless the call is accepted. That, researchers say, would offer substantially greater privacy. Sounds simple, right?
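A toy model of the fix the researchers propose, as an added example that is not code from Skype or from the paper: a signaling relay that withholds the callee's address until the call is accepted, shown beside the behaviour the article describes. The relay, the message flow, every name and the addresses (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Policy(Enum):
    DISCLOSE_ON_INVITE = auto()   # behaviour the article describes
    DISCLOSE_ON_ACCEPT = auto()   # fix proposed by the researchers


@dataclass
class Callee:
    name: str
    ip: str                                   # constructed sample address
    contacts: set = field(default_factory=set)
    block_non_contacts: bool = True

    def will_ring(self, caller: str) -> bool:
        # Privacy setting: only contacts may make the client ring.
        return caller in self.contacts or not self.block_non_contacts


@dataclass
class Relay:
    """Hypothetical signaling relay sitting between caller and callee."""
    policy: Policy
    relay_ip: str = "198.51.100.1"            # relay's own address (constructed)

    def invite(self, caller: str, callee: Callee, accepts: bool) -> dict:
        """Return what the caller learns from one call attempt."""
        rang = callee.will_ring(caller)
        accepted = rang and accepts
        if self.policy is Policy.DISCLOSE_ON_INVITE:
            # Callee's endpoint is handed over during setup, before any consent.
            peer = callee.ip
        elif accepted:
            # Direct path is negotiated only after an explicit accept.
            peer = callee.ip
        else:
            # Blocked, unanswered or aborted attempts see only the relay.
            peer = self.relay_ip
        return {"rang": rang, "accepted": accepted, "peer_address": peer}


def learned_address(policy: Policy, caller: str, callee: Callee, accepts: bool) -> str:
    """Address visible to the caller after a single attempt under a policy."""
    return Relay(policy).invite(caller, callee, accepts)["peer_address"]
```

Under the second policy a call that is never accepted, including one from a blocked non-contact, yields only the relay's address, so the block-non-contacts setting also protects the user's location.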

About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
