Feeds

Skype hits back at angry wiretap reports: Rat finks? Not us

'Supernodes' are not for spooks, they're to make service better for YOU

The Power of One eBook: Top reasons to choose HP BladeSystem

Not that easy to tap – unless you're a cop with a court order

During a visit to Estonia in June, Tiit Paananen, manager of Skype's engineering centre in Tallinn, Estonia, told The Register that it was easier to plant malware on targeted machines than to "decrypt and de-obfuscate Skype chats and calls".

Skype operates a hybrid peer-to-peer and client–server system, in common with other VoIP services. The architecture is perhaps more difficult to tap than conventional PSTNs. In response, police agencies in the West and secret police agencies in the Middle East have taken to using indirect methods involving viruses and the like.

Trojans, including one disguised as a Skype encryption utility, have been deployed as tools to spy on Syrian dissidents, for example. Last October, German white-hat hackers captured a Trojan which they discovered was capable of tapping Skype calls and IM chats made from infected devices.

That's not to say Skype is a insurmountable barrier to surveillance. In fact, the recent headlines in the mainstream press expressing outrage are based on a false premise that hasn't been already going on for years. Skype itself states it has maintained a law enforcement request compliance team since 2005.

A 2007 vintage Skype law enforcement handbook – which has been available on cryptome.org for years – shows that in response to a court order, Skype will provide all sorts of data, including destination phone numbers for calls, billing information and the email addresses of users. It is unclear whether or not IP address session logs are available.

This was five years ago, when Skype was owned by eBay, and long before Microsoft picked up the firm in May 2011.

Recent Skype wiretap shocka stories are also unfair because they fail to point out that telcos and ISPs routinely supply communication data to police.

It's still unclear to what extent governments can intercept the contents of Skype voice calls. Skype offers end-to-end encryption but it doesn't say how it handles encryption keys.

Christopher Soghoian, a security and privacy researcher, argued convincingly in a blog piece that, like Dropbox and iCloud, Skype probably has unencrypted access to user data, and can therefore be forced to hand it over to the government (thereby failing the so-called "mud puddle" test for data recovery, where a user destroys his computer and forgets his password to encrypted content).

The handling of encryption keys by Skype compares unfavourably to the ZRTP-encrypted VoIP protocol, created by Phil Zimmermann of PGP fame, according to Soghoian:

In contrast to the complex, user-visible fingerprint exchange and verification methods employed by OTR and ZRTP, Skype does nothing at all. Skype handles all the crypto and key exchange behind the scenes. When a Skype user installs the software on a brand new device and initiates a conversation with a friend already in their contact list, that friend is not told that the caller's device/software has a new crypto key and that it should be verified. Instead, the call just connects.

I suspect that Skype does not create a new private encryption key for each device running Skype. Instead, my guess is that it creates a key once, when the user sets up their account, and then stores this online, along with the user's contact list. When the user installs Skype on a new device, the key is downloaded, along with all of their other account data. In this regard, Skype is actually surprisingly similar to Dropbox and iCloud - while you are not storing your tax documents and family photos on Skype's servers, you are storing your communications encryption keys...and when faced with the mud puddle test, Skype fails.

The handling of keys is important because access to crypto keys can allow law enforcement to tap into Skype calls without built-in wiretapping capabilities, as Soghoian explains:

Skype may in fact be telling the truth when it tells journalists that it does not provide CALEA-style wiretap capabilities to governments. It may not need to. If governments can intercept and record the encrypted communications of users (via assistance provided by Internet Service Providers), and have the encryption keys used by both ends of the conversation – or can impersonate Skype users and perform man-in-the middle attacks on their conversations, then they can decrypt the voice communications without any further assistance from Skype.

This analysis is well-informed, albeit speculative. Soghaian concluded that Skype users should avoid the trap of thinking that the service is inherently secure, a comforting notion that seems to have spawned the excitable shock-horror stories over recent days:

Skype is not transparent about its surveillance capabilities. It will not tell us how it handles keys, what kind of assistance it provides governments, under what circumstances, or which governments it will and won't assist. Until it is more transparent, Skype should be assumed to be insecure, and not safe for those whose physical safety depends upon confidentiality of their calls.

Skype of course can't talk about the requests for assistance it has received from intelligence agencies, since such requests are almost certainly classified. However, Skype could, if it wished to, tell users about its surveillance capabilities. It doesn't.

Soghoian's thoughtful essay can be found here. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.