Skype security flaw allows location tracking

A glaring security flaw’s been uncovered in Skype and other VoIP systems, potentially allowing hackers to access users’ identities, locations and even files.

Skype claims more than a half-billion registered users, and one report suggests that one in five overseas calls is made using the service.

But researchers headed by a team at the Polytechnic Institute of New York University say that Skype can be used to track not only users’ locations over time but also their peer-to-peer file-sharing activity. It works even when a user’s blocked callers or used a Network Address Translation (NAT) firewall.

And having done this, says the team, it’s easy to link to information such as name, age, address, profession and employer using social media sites such as Facebook and LinkedIn in order to build profiles on a single tracked target or a database of hundreds of thousands.

“These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services,” says Keith Ross of NYU-Poly.

“A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud.”

When a call is initiated, the IP address of the recipient is revealed to the caller, who can then use commercial geo-IP mapping services to determine their location and Internet Service Provider (ISP).

And the team says it’s possible to initiate a Skype call, block some packets and quickly terminate the call to obtain the recipient’s IP address without any ringing or pop-up windows to provide an alert.

The attack can be made when the recipient isn’t on the caller’s  contact list – and even when the recipient’s explicitly configured Skype to block calls from non-contacts.

The researchers tested the flaw by repeating this process on an hourly basis to track the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period – with all data anonymized.

They then used commercial geo-location mapping services and found that they could construct a detailed account of a user’s daily activities – even if the user hadn’t turned on Skype for 72 hours.

In one example, they accurately tracked a volunteer researcher from his visit at a New York university to a vacation in Chicago, a return to a New York university, lodging in Brooklyn, then to his home in France.

“If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when,” they say.

In another experiment, they queried the 50,000 most popular downloads on BitTorrent. When a common IP address was found on both Skype and BitTorrent, the researchers were able to work out which files individuals downloaded or shared.

They say the flaw – which they’ve revealed to Skype and Microsoft – could be fixed relatively easily by redesigning the Skype protocol so that a user’s IP address is never revealed unless the call is accepted.