December 03, 2011

A Possible Fix for Location Tracking Attack on Skype

A couple of days back, my Twitter stream saw a few mentions of a story that suggested a potential privacy issue due to a flaw in Skype. A quick tracing of the origin of the story pointed to a research paper, published about six weeks ago by a few researchers associated with NYU-Poly. It is not clear why it surfaced this late. Nonetheless it is instructive to study the paper and understand the root cause of the flaw.

The paper is clearly written and is based on a well designed experiment. Apparently the authors have alerted Skype to the problem, and they lament that Skype has not taken any steps to address the issues. But it looks, on the surface at least, as if the attack is simple to thwart.

What the study found is that an attacker is able to

  1. easily identify the Skype ID of a person using some commonly known information about that user
  2. determine the IP address of a Skype user and track this information over time without the user being aware of it
  3. use the learnt IP address to see whether any BitTorrent activity is going on at that address, and so attribute that activity to the user.

I don't think that many will find it very alarming that one can so easily find out the Skype ID of a person. After all, it is widely known that Skype provides a directory service, and with White Pages we could reasonably get a person's address. Also, determining BitTorrent activity is outside the scope of Skype. So our focus really is on how they are able to determine the IP address at which a Skype user is connected.

It turns out that Skype clients and the supernodes generate a signature pattern of datagrams during session setup, and that pattern identifies the IP address of the target Skype client. In the following, A is the Skype client originating the session and B is the target Skype client. When A initiates a session with B, A is given the IP addresses of a bunch of supernodes AND that of B (if B is not currently connected, then the last connected address). Even though A does not know which address is B's, the researchers have identified a weakness in Skype's protocol design that can be exploited to identify B's address.

As part of session initiation, the Skype protocol initiates TCP connections to all of these addresses. If the TCP connection attempt to B fails, then A and B exchange a bunch of UDP datagrams of predetermined length. Interestingly, this does not happen with the other nodes. Additionally, if the TCP connection between A and B fails, then B does not indicate the presence of an incoming call on the UI. In other words, the user of B does not know of a malicious call attempt. The researchers suggest that one can exploit these two flaws to determine and track the IP address at which B is connected to the Internet. Specifically, the researchers prevented the establishment of any new TCP connection by dropping all outgoing and incoming SYN packets to all IP addresses, and then monitored UDP traffic to identify B's IP address.

It is not clear why Skype has not addressed this issue thus far. A simple solution is clear: Skype needs to hide B in plain sight. They just have to make all the nodes behave the same way when a TCP connection fails. In other words, all the nodes have to exchange UDP packets. Since the content is encrypted and obfuscated, the infrastructure nodes can be saying "let us pretend to talk". As an added measure, the length of the UDP packets should vary from instance to instance; it is simple to add a random length of padded bytes. The fact that they have not fixed the flaw suggests that there must be operational reasons why this apparently simple solution will not work.
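To make the "hide in plain sight" argument concrete, here is an added model (not code from the post, the paper or Skype) of what an observer sees during session setup once every TCP attempt fails: first with the behaviour described above, where only B falls back to UDP, and then with the proposed fix, where every node falls back to UDP with random padding. The datagram length, padding bound and addresses are constructed placeholders; the post gives none of these values.

```python
import random
from dataclasses import dataclass

# Constructed placeholders: the paper calls the length "predetermined" but the
# post does not give a number, and the padding bound is part of the proposed fix.
UDP_LEN = 40        # assumed fixed datagram length in the current protocol
MAX_PAD = 64        # assumed upper bound on random padding after the fix

@dataclass(frozen=True)
class Peer:
    ip: str         # constructed sample address
    is_b: bool      # True for the target client B, False for a supernode

def udp_exchange(peers, mitigated, rng):
    """Trace A observes after all TCP SYNs are dropped: {ip: datagram length}.

    Unmitigated: only B falls back to UDP, always with the same length.
    Mitigated:   every peer falls back to UDP and pads to a random length.
    """
    seen = {}
    for p in peers:
        if p.is_b or mitigated:
            pad = rng.randint(0, MAX_PAD) if mitigated else 0
            seen[p.ip] = UDP_LEN + pad
    return seen

def candidate_ips(peers, mitigated, seed=0):
    """Addresses the observer cannot rule out as B from one trace."""
    return frozenset(udp_exchange(peers, mitigated, random.Random(seed)))

def leaks_b(peers, mitigated, seed=0):
    """True when a single trace pins B down to exactly one address."""
    return len(candidate_ips(peers, mitigated, seed)) == 1

def lengths_vary(peers, mitigated, trials=20):
    """True when observed datagram lengths differ across session setups."""
    lens = set()
    for seed in range(trials):
        lens.update(udp_exchange(peers, mitigated, random.Random(seed)).values())
    return len(lens) > 1

# Constructed sample: three supernodes and the target B.
PEERS = [Peer("198.51.100.7", False), Peer("198.51.100.8", False),
         Peer("198.51.100.9", False), Peer("203.0.113.5", True)]

if __name__ == "__main__":
    print("unmitigated: B identified from one trace:", leaks_b(PEERS, False))
    print("mitigated:   B identified from one trace:", leaks_b(PEERS, True))
```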

In any event, Skype must add these malicious call attempts to the call logs, even if they do not want to inform the user via the UI. The call logs can record the Skype ID and IP address (isn't that poetic justice?) of whoever made these surreptitious call attempts. This way, at least users will be aware that they are being tracked.

It is likely that this is a known flaw. I recall that one of the suspects in the murder of a British student in Italy was tracked in Germany after he attempted to use Skype. It is possible that the authorities used this mechanism.

Posted by aswath at December 3, 2011 10:18 AM

Of course Skype took no notice: Big companies never think they are wrong! And also won't admit to errors!

Posted by: jason @ voip at December 9, 2011 06:12 PM

Copyright © 2003-2014 Moca Educational Products.