Skype Responds to IP Address Privacy Vulnerability
Originally posted on VoIP & Gadgets Blog, here: http://blog.tmcnet.com/blog/tom-keating/skype/skype-responds-to-ip-address-privacy-vulnerability.asp.
Yesterday it was reported that a simple script could expose any Skype user's IP address. A Microsoft representative saw my article and gave me this official response, which they also provided to other media outlets:
“We are investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are takings measures to help protect them.”
It's a bit of a non-answer if you ask me. True, P2P by its very nature is going to create connections between your computer/mobile and your 'target' computer/mobile. As such, it's not difficult to determine what IP addresses you are connecting to.
Adrian Asher, director of product Security, Skype
However, Skype leverages supernodes for a large portion of their infrastructure. I believe the supernodes handle authentication as well as call setup (or IM setup). So these supernodes act as an intermediary (proxy) between peer1 (your computer) and peer2 (target computer).
Thus, I wouldn't expect peer1 to see peer2's IP address. Apparently, this vulnerability leverages the search feature in Skype and viewing their vcard info and presence (online/offline). My guess is that Skype queries the supernodes when searching for a Skype user, but then once it find the user, it sets up a direct P2P session between your computer and the Skype user you searched for and pulls the relevant vcard / presence information. Game, Set, Match! IP address exposed!
If my assumptions are correct, I can see why Skype set it up this way. If they use supernodes to also "pull" the vcard and presence information, that's an additional load on the supernodes. I'm fairly sure, but not positive that your existing Skype buddies also make a direct P2P connection with each buddy to pull presence information, which also would expose IP addresses. But if you have 100 buddies, trying to figure out which 1 out of 100 buddies is their IP address would be difficult. If Skype made a technical change forcing each Skype client to pull presence info via supernodes (pseudo proxy) instead of direct P2P connections, that would drastically impact performance of the Skype network. This may be a huge architectural change to solve this IP address vulnerability.
However, Skype could simply change their search function to use supernodes (mask IP addresses) and allow the Skype client to query their buddies using P2P (IP addresses can be determined). At least this would block any non-buddy from determining your IP address. may be wrong in my technical assessment, so I will reach out to Skype for further comment on this. Stay tuned...
Tags: ip address, microsoft, presence, privacy, skype, supernodes, voip, vulnerability
Related tags: presence information, target computer, skype client, computer mobile, vcard presence, skype
Skype@Home Telephone Products Coming? - Apr 20, 2012
Google's Chrome Team Reveals WebRTC Roadmap - Apr 18, 2012
Microsoft Working on HTML5 Skype Web App? - Apr 16, 2012
Microsoft Lync 2010, Asterisk & Skype Integration Tutorial - Dec 28, 2011
It's Official - Skype Now Part of Microsoft! - Oct 14, 2011
Skype Click to Call Add-on Now Supports Firefox 5 & 6 - Aug 24, 2011
Skype (Microsoft) Blows $85 Million on GroupMe - Aug 22, 2011
Top 20 VoIP Innovators of All Time - Jun 13, 2011
Jabra SPEAK 410 Review - Apr 21, 2011
ClearOne Launches Speakerphones For Microsoft Lync & Skype - Feb 28, 2011
| Comments | Tag with del.icio.us | VoIP & Gadgets Blog Home | Permalink: Skype Responds to IP Address Privacy Vulnerability
[ Back To TMCnet.com's Homepage ]