Skype flaw exposes users’ location, identity

NYU (US) — Flaws in Skype and similar Internet phone systems could potentially disclose the identities, locations, and even digital files of hundreds of millions of users, a new study finds.

Researchers at Polytechnic Institute of New York University (NYU-Poly) and colleagues in France and Germany will present the findings at the Internet Measurement Conference 2011 in Berlin on November 2, 2011.

Keith Ross, a professor of computer science at NYU-Poly, explains that the team uncovered several properties of Skype that can track not only users’ locations over time but also their peer-to-peer (P2P) file-sharing activity. Even when a user blocks callers or connects from behind a Network Address Translation (NAT)—a common type of firewall—it does not prevent the privacy risk, he says.

Skype’s privacy weaknesses are fairly easy to exploit, says Keith Ross (above), who notes that a sophisticated high school-age hacker would likely be capable of executing similar attacks. (Credit: NYU-Poly)

The research also revealed that marketers can easily link to information such as name, age, address, profession, and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

“These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services,” says Ross. “A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user—from private citizens to celebrities and politicians—and use the information for purposes of stalking, blackmail, or fraud.”

These privacy weaknesses are fairly easy to exploit, says Ross, who notes that a sophisticated high school-age hacker would likely be capable of executing similar attacks.

Alice calls Bob

The team first observed that with VoIP (Voice and Video over IP) systems, when a caller A (Alice) establishes a call with caller B (Bob), Bob reveals his IP address to Alice. Alice can then use commercial geo-IP mapping services to determine Bob’s location and Internet Service Provider (ISP).

The team also found that Alice can initiate a Skype call, block some packets and quickly terminate the call to obtain Bob’s IP address without alerting Bob with ringing or pop-up windows. Alice can make this attack even when Bob is not on her contact list or even when Bob explicitly configures Skype to block calls from non-contacts.

By repeating the process on, say, an hourly basis, Alice can track the locations and movements of any Skype user over weeks or months, without the user having any idea that he is being tracked.

To demonstrate the potential severity of these security vulnerabilities, the researchers tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period, using techniques that neither harmed nor disrupted the service, utilized any requests for which the service was not designed nor interfered with users.

All data were anonymized for user safety. Skype and Microsoft Corp. were informed of the researchers’ findings.

Tracked for 72 hours

The researchers used commercial geo-location mapping services and found that they could construct a detailed account of a user’s daily activities even if the user had not turned on Skype for 72 hours.

In one example, they accurately tracked one volunteer researcher from his visit at a New York university to a vacation in Chicago, a return to a New York university, lodging in Brooklyn, then to his home in France.

“If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when,” the authors says.

They calculated it would cost a marketer who wanted to create a database only $500 per week to track 10,000 users—and perhaps less, since they did not delve deeply into optimization.

In another experiment, they queried the 50,000 most popular downloads on BitTorrent, a popular P2P file-sharing system. Because it enables sharing of large files, it is a favorite of digital pirates. When a common IP address was found on both Skype and BitTorrent, the researchers were able to determine the files that identified individuals downloaded or shared.

They noted that the same information could be obtained from other P2P applications, such as eMule or Xunlei.

A fairly straightforward and inexpensive fix would prevent hackers from taking the critical first step in this security breach – that of obtaining users’ IP addresses through inconspicuous calling. The researchers say that redesigning the Skype protocol so that a user’s IP address is never revealed unless the call is accepted would offer substantially greater privacy.

Skype claims it has more than a half-billion registered users and a monthly average of 170 million active ones who use its application for phoning, texting, instant messaging and video conferencing. By one report, one in five overseas calls is made via Skype. One study found BitTorrent may account for a quarter to more than a half of all Internet traffic.

While Skype was the only service tested in this study, the researchers claim that some of the security issues are fundamental to all real-time P2P communication systems, and that the proposed defenses may offer guidelines for enhancing privacy of other popular applications.

The authors of the study are Chao Zhang and Ross of NYU-Poly; Stevens Le Blond of the Max Planck Institute for Software Systems (MPI-SWS), Germany; and Arnaud Legout and Walid Dabbous of the French research institute I.N.R.I.A Sophia Antipolis.

More news from NYU-Poly: