
Skype hits back at angry wiretap reports: Rat finks? Not us

'Supernodes' are not for spooks, they're to make service better for YOU


Not that easy to tap – unless you're a cop with a court order

During a visit to Estonia in June, Tiit Paananen, manager of Skype's engineering centre in Tallinn, Estonia, told The Register that it was easier to plant malware on targeted machines than to "decrypt and de-obfuscate Skype chats and calls".

Skype operates a hybrid peer-to-peer and client–server system, in common with other VoIP services. The architecture is perhaps more difficult to tap than conventional PSTNs. In response, police agencies in the West and secret police agencies in the Middle East have taken to using indirect methods involving viruses and the like.

Trojans, including one disguised as a Skype encryption utility, have been deployed as tools to spy on Syrian dissidents, for example. Last October, German white-hat hackers captured a Trojan which they discovered was capable of tapping Skype calls and IM chats made from infected devices.

That's not to say Skype is an insurmountable barrier to surveillance. In fact, the recent headlines in the mainstream press expressing outrage are based on a false premise: that this hasn't already been going on for years. Skype itself states it has maintained a law enforcement request compliance team since 2005.

A 2007 vintage Skype law enforcement handbook – which has been available on cryptome.org for years – shows that in response to a court order, Skype will provide all sorts of data, including destination phone numbers for calls, billing information and the email addresses of users. It is unclear whether or not IP address session logs are available.

This was five years ago, when Skype was owned by eBay, and long before Microsoft picked up the firm in May 2011.

Recent Skype wiretap shocka stories are also unfair because they fail to point out that telcos and ISPs routinely supply communication data to police.

It's still unclear to what extent governments can intercept the contents of Skype voice calls. Skype offers end-to-end encryption but it doesn't say how it handles encryption keys.

Christopher Soghoian, a security and privacy researcher, argued convincingly in a blog piece that, like Dropbox and iCloud, Skype probably has unencrypted access to user data, and can therefore be forced to hand it over to the government (thereby failing the so-called "mud puddle" test for data recovery, where a user destroys his computer and forgets his password to encrypted content).

The handling of encryption keys by Skype compares unfavourably to the ZRTP-encrypted VoIP protocol, created by Phil Zimmermann of PGP fame, according to Soghoian:

In contrast to the complex, user-visible fingerprint exchange and verification methods employed by OTR and ZRTP, Skype does nothing at all. Skype handles all the crypto and key exchange behind the scenes. When a Skype user installs the software on a brand new device and initiates a conversation with a friend already in their contact list, that friend is not told that the caller's device/software has a new crypto key and that it should be verified. Instead, the call just connects.

I suspect that Skype does not create a new private encryption key for each device running Skype. Instead, my guess is that it creates a key once, when the user sets up their account, and then stores this online, along with the user's contact list. When the user installs Skype on a new device, the key is downloaded, along with all of their other account data. In this regard, Skype is actually surprisingly similar to Dropbox and iCloud - while you are not storing your tax documents and family photos on Skype's servers, you are storing your communications encryption keys...and when faced with the mud puddle test, Skype fails.
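The following is an added example, not part of the article or of Soghoian's essay. It sketches the client behaviour the quoted passage contrasts with "the call just connects": pin each contact's key fingerprint and flag a changed key instead of silently accepting it. The class, method names, status strings and sample keys are constructed for illustration, and the fingerprint format is an assumption, not the one OTR or ZRTP actually use.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """Short, human-comparable fingerprint (assumed format: grouped SHA-256 hex)."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class PinnedContacts:
    """Trust-on-first-use store: remembers the key fingerprint seen for each contact."""

    def __init__(self):
        self._pins = {}  # contact -> (fingerprint, verified_out_of_band)

    def check(self, contact: str, presented_key: bytes) -> str:
        fp = fingerprint(presented_key)
        pin = self._pins.get(contact)
        if pin is None:
            # First contact: remember the key, but it is not yet verified.
            self._pins[contact] = (fp, False)
            return "NEW_UNVERIFIED"
        pinned_fp, verified = pin
        if hmac.compare_digest(pinned_fp, fp):
            return "VERIFIED" if verified else "UNVERIFIED"
        # Different key (new device, or someone in the middle): warn the user
        # and keep the old pin until they re-verify.
        return "KEY_CHANGED"

    def mark_verified(self, contact: str, fingerprint_from_contact: str) -> None:
        """Record that the user compared fingerprints over another channel."""
        pinned_fp, _ = self._pins[contact]
        if not hmac.compare_digest(pinned_fp, fingerprint_from_contact):
            raise ValueError("fingerprint mismatch: do not trust this key")
        self._pins[contact] = (pinned_fp, True)


def demo():
    # Constructed sample keys; real clients would hold actual public keys.
    laptop_key = b"constructed-sample-key-laptop"
    new_device_key = b"constructed-sample-key-new-device"
    store = PinnedContacts()
    states = [store.check("alice", laptop_key)]
    store.mark_verified("alice", fingerprint(laptop_key))
    states.append(store.check("alice", laptop_key))
    states.append(store.check("alice", new_device_key))
    states.append(store.check("alice", laptop_key))  # old pin was preserved
    return states
```
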

The handling of keys is important because access to crypto keys can allow law enforcement to tap into Skype calls without built-in wiretapping capabilities, as Soghoian explains:

Skype may in fact be telling the truth when it tells journalists that it does not provide CALEA-style wiretap capabilities to governments. It may not need to. If governments can intercept and record the encrypted communications of users (via assistance provided by Internet Service Providers), and have the encryption keys used by both ends of the conversation – or can impersonate Skype users and perform man-in-the-middle attacks on their conversations, then they can decrypt the voice communications without any further assistance from Skype.

This analysis is well-informed, albeit speculative. Soghoian concluded that Skype users should avoid the trap of thinking that the service is inherently secure, a comforting notion that seems to have spawned the excitable shock-horror stories over recent days:

Skype is not transparent about its surveillance capabilities. It will not tell us how it handles keys, what kind of assistance it provides governments, under what circumstances, or which governments it will and won't assist. Until it is more transparent, Skype should be assumed to be insecure, and not safe for those whose physical safety depends upon confidentiality of their calls.

Skype of course can't talk about the requests for assistance it has received from intelligence agencies, since such requests are almost certainly classified. However, Skype could, if it wished to, tell users about its surveillance capabilities. It doesn't.

Soghoian's thoughtful essay can be found here. ®
