The most popular voice over IP system on the internet today has a major security bug that could leave you open to attack. Being the biggest VOiP system with just over 700 million users worldwide, 20 million of which are in China and more in the middle east.

The group called Privacy International has identified multiple areas where Skype is open to attack:

  • The Skype interface names can be changed, instead of unique IDs, meaning people can be impersonated.
  • Skype downloads are not done over a secure connection (https://) which means other sites can provide a compromised copy of the software.
  • Audio compression in Skype allows audio to be stolen, even with encryption.

“If the company cannot address and resolve these issues for those who are seeking secure communications, then vulnerable users will continue to be exposed to avoidable risks,”said Eric King an adviser for Privacy International. “Skype’s misleading security assurances continue to expose users around the world to unnecessary and dangerous risk. It’s time for Skype to own up to the reality of its security and to take a leadership position in global communications.” Having so many security holes is bad for a company that handles so many private calls.

Most of this information has not been brought up to Skype’s attention and were not aware about it until today when the report was released. In response Skype said, “Privacy International has not been in touch with us so it will take us some time to read and digest the report before we are in a position to respond. We will look into the points they have raised and will reach out to them. Skype takes these issues seriously and aims to provide users with the best possible levels of privacy and security.”

Skype is a free system that provides peer-to-peer voice-over-internet called, in which Skype claims that its calls are encrypted between the two ends using a proprietary system. Skype is a very private company that refuses to produce a method to let other VOiP companies to hook up to the system. On top of that, Skype does not use standard VOiP protocols either.

Making around $860 million in revenues last year, Skype is not a force to play around with when making accusations like this.

Among the criticisms that Privacy International has brought to the table they seem to take user IDs as their main point:

When you create a Skype account, you are asked to register a unique user name and password, in conjunction with an arbitrary profile name. This arbitrary profile name is what appears on your contact list, and permits people to easily impersonate others. Average users are easily tricked as a result. Does Skype intend to remedy this security flaw in its user interface?

Back in 2006, it was brought to the publics attention that China was filtering text in Skype chats, in which words would no be displayed. Skype claimed that it did not affect the security of the product but pointed that there is a strong possibility for someone to interfere with the app.

The lack of SSL for downloading of the application means that a attack is possible for someone who distributes trojan-infected Skype distributions. Privacy International accuses that the Chinese government has produced a modified version of Skype, that leaves users exposed to surveillance. With security being a bigger issue services like Twitter, Google and Facebook offer default SSL connections with visiting the sites. Why isn’t Skype looking the same way as these other companies?

Lastly, Privacy International points out that VBR audio compression is extremely vulnerable, despite encryption within the app. Researchers at the University of North Carolina have found positive evidence that phrases can be identified with a high degree of confidence.

Comments