UPDATED: Skype, like Britney Spears, is everywhere. And just like the queen of the teeny-bopper set, Skype has some major problems. Dmitry Goroshevsky, founder and CEO of Popular Telephony, which has come up with a server-less peer-to-peer VoIP software called Peerio, called me this afternoon, and at the very end of the conversation he quipped about Skype and how big a security risk it is for corporate networks.
When I pressed him, he explained that Skype's best feature, its ability to pass calls through firewalls and Network Address Translation (NAT) devices, is also its Achilles heel. The voice stream is nothing but data, and once the firewall has let that stream through, whatever rides on it gets past the firewall too; hackers can use it to create havoc on the corporate network. "You can break the whole corporate network in a matter of minutes," he said.
Updated 06/23/2004: Karl over at Broadband Reports sent me this link, which explains some of the things we have been talking about.
Mahy thinks the Skype approach is inviting viruses; Zennstrom says this is not possible. According to Zennstrom there is little danger of a call through Skype resulting in a route for a virus, because the recipient is told there is a call for him and is asked to call out to meet it. "Once my machine is infected with a virus, that virus can do lots of rude things with the Skype API. The virus could call a PSTN toll or international service from my account and leave it up for days. The virus could spam-call my entire buddy list a few times an hour. The virus could turn my computer into a remote-control microphone. These are the kinds of issues that IT administrators are concerned about."
Aswath had written this earlier for VoIP daily:
If Supernodes need to have special capabilities, then it is likely that they will demand some form of compensation. It is not clear whether Skype is set up for this. Additionally, it is not clear how the individual clients are protected from a misbehaving Supernode. It is true that the media is encoded. But the Supernode is involved in the signaling phase. Since the Supernode has network connectivity to the client, it is tempting to use it for extra and unwanted commercial activity. So Skype may deploy their own Supernodes, eliminating one more difference between it and other VoIP providers.
Wow! There go billions of dollars in security spending, bested by a simple piece of software. Not surprisingly, Skype does not talk about this security risk. Not willing to take Dmitry's word for it, I scrounged for more information and stumbled onto the CERN website.
Skype P2P telephony software is not permitted on CERN’s computing or network facilities. The privacy policy of Skype violates CERN’s Computing Rules by bypassing firewall protections and offering services to others.
Here is Skype’s privacy policy: From time-to-time your computer may become a Supernode. A Supernode is a computer running Skype Software that has been automatically elevated to act as a hub. Supernodes may assist in helping other users to communicate or use the Skype software efficiently. This may include the ability for your computer to help anonymously and securely facilitate communications between other users of the Skype Software who, due to network and firewall constraints, cannot establish direct connections.
I am not sure what you make of it, but to me, if it is not good for CERN, then it cannot be good for anyone. I think Skype CEO Niklas Zennstrom is speaking at the SuperNova conference in Palo Alto, California this week. I am going to try and nail him down on this and get more details.
Om,
I spoke to Dmitry after some comments on your news-making post were made. Here are his comments:
"1. We at Popular Telephony didn't write the article. I just said what I think and it is fact, not fiction.
2. In his response, Mr. Kowalczuk in no way explains why Skype is not a problem. Instead he is only saying that we cannot be the source of the information. So is that information wrong only because we said it, or is it really wrong? If it is wrong, that begs the question of where, not if.
3. We are not the hackers and our business is not to exploit Skype's problems. But if Mr. Kowalczuk wants to talk with us, we can explain to him how he himself can write the code to exploit the vulnerability in Skype, which is fairly simple for him to do.
4. If CERN sees the problem in Skype's policy, it's because of the problem in the architecture, which is reflected in Skype's policy.
5. We are not a Skype competitor, and we said Skype is a very nice program for users to use; it is just not to be used in corporate networks. Never ever, due to the security issues it creates.
6. Skype creates the problem not because it has produced a vulnerable program but because it has a lot of downloads, every one of which can be used to attack a corporate network. How? We can explain to Mr. Kowalczuk in more detail, but it is not our business to do so."
I hope this helps.
Om – ” but to me if it is not good for CERN, then it cannot be good for any one.” – Skype is not a CERN product – it’s a communication/entertainment product – it’s a Nokia fascia and ringtones product – it’s a lifestyle product. Skype will be fine.
Also I’m afraid the article just points out the problems with firewalls – they don’t protect you unless everything behind them is also locked down – there are going to be 2 worlds – the pseudo secure, locked down IS department corporate world, and the wide-open, roll-your-own-defences, communication is more important than security world.
Zennstrom can release a corporate Skype if/when he wants, but that's not where the current change is happening.
Jim
Hackers can use the voice stream (which is nothing but data) to bypass firewalls and create havoc on the corporate networks. "You can break the whole corporate network in a matter of minutes,"
This seems easier said than done…
sure marcelo, it is easier said than done for us mere mortals. but hackers are known to waltz into NASA networks quite easily, so for them, the gods of geekdom, this would be a fairly easy trick to pull
actually guys all of you make good points, and i think there is something there. i am trying to find out and hopefully by end of all this it will all be clearer – whether it is a risk or not. i think it is only going to be fair to talk to skype and have them say what really is the story.
wonder if we’ll be seeing this on henshall’s blog?
[…] OM is an interesting, opinionated weblog that I follow. However, I do have to comment on this entry about alleged security risk of installing Skype. […]
Cool find! Minor correction (to keep Om hip with the non-tech culture trends) –
Skype, like Britney Spears Lindsay Lohan is everywhere.
Sorry to nitpick, but Lindsay Lohan really is Hollywood’s IT girl right now. You need only look as far as ones…
hey nick - i am an avid gossip hound but the "problems" part of the britney spears saga was the reason i used her to compare with skype. and if you catch the "tongue in cheek" cattiness, you know i am sort of predicting the skype future. 🙂
For what its worth, Ms. Spears remains the sixth most cited person in the blogosphere. Right behind John Kerry.
http://www.blogpulse.com/04_06_19/keyPeople.html
ISS says it is a high risk due to a buffer overflow in the callto: protocol
http://xforce.iss.net/xforce/xfdb/16405
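The ISS entry linked above describes a buffer overflow in Skype's handling of callto: URLs. What follows is an added example written for this page, not Skype's code and not taken from the ISS advisory: a hypothetical callto: URL handler in C that shows the bug class (an unbounded copy of the URL argument into a fixed-size field) next to a hardened parser that rejects over-long or malformed input instead of truncating it. The function names, the 32-byte field size (NUMBER_MAX), the allowed character set and the sample URLs are all assumptions made for illustration; the demo keeps the overrun inside a scratch arena so it can run without crashing.

```c
/*
 * Added example (hypothetical code, not Skype's): a callto: URL handler
 * with a classic fixed-buffer overflow, beside a hardened version.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { NUMBER_MAX = 32 };              /* assumed size of the dial-target field */
static const char CALLTO_SCHEME[] = "callto:";

/* Vulnerable form: assumes the part after "callto:" fits in NUMBER_MAX bytes
 * and copies it with strcpy. A URL with a longer argument overruns dst.
 * dst is expected to point at a NUMBER_MAX-byte field. */
void vulnerable_parse_callto(const char *url, char *dst)
{
    const char *arg = url + strlen(CALLTO_SCHEME);
    strcpy(dst, arg);                  /* unbounded copy: the bug */
}

/* Demonstrates the consequence without undefined behaviour: the number field
 * and an "adjacent" field are laid out back to back in one scratch arena, so
 * an over-long argument spills from the first into the second.
 * Returns 1 if the adjacent field was clobbered, 0 if not, -1 if the input is
 * too long even for the arena (refused rather than overrun). */
int demo_adjacent_corruption(const char *url)
{
    char arena[NUMBER_MAX + 256];
    char *number   = arena;
    char *adjacent = arena + NUMBER_MAX;

    if (strncmp(url, CALLTO_SCHEME, strlen(CALLTO_SCHEME)) != 0) return -1;
    if (strlen(url + strlen(CALLTO_SCHEME)) >= sizeof arena) return -1;

    memset(arena, 0, sizeof arena);
    strcpy(adjacent, "SAFE");          /* sentinel living right after the field */
    vulnerable_parse_callto(url, number);
    return strcmp(adjacent, "SAFE") != 0;
}

/* Hardened form: checks the scheme, rejects an argument that would not fit
 * (truncating silently would dial the wrong party), and accepts only a
 * conservative character set (assumed: digits, letters, + . _ -) so that
 * separators or shell metacharacters never reach the dialer. Returns 0 on
 * success and -1 on rejection; dst is untouched on rejection. */
int safe_parse_callto(const char *url, char *dst, size_t dstsz)
{
    size_t plen;
    const char *arg;
    size_t n, i;

    if (url == NULL || dst == NULL || dstsz == 0) return -1;
    plen = strlen(CALLTO_SCHEME);
    if (strncmp(url, CALLTO_SCHEME, plen) != 0) return -1;

    arg = url + plen;
    n = strlen(arg);
    if (n == 0 || n >= dstsz) return -1;   /* must leave room for the NUL */

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '+' || c == '.' || c == '_' || c == '-'))
            return -1;
    }
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Constructed sample input: "callto:" followed by 200 'A's, far more than
 * the NUMBER_MAX-byte field can hold. */
const char *sample_overlong_url(void)
{
    static char buf[256];
    size_t plen = strlen(CALLTO_SCHEME);
    memcpy(buf, CALLTO_SCHEME, plen);
    memset(buf + plen, 'A', 200);
    buf[plen + 200] = '\0';
    return buf;
}

int main(void)
{
    char out[NUMBER_MAX];
    printf("benign URL clobbers neighbour: %d\n",
           demo_adjacent_corruption("callto:+14155551212"));
    printf("over-long URL clobbers neighbour: %d\n",
           demo_adjacent_corruption(sample_overlong_url()));
    printf("hardened parser, benign: %d\n",
           safe_parse_callto("callto:+14155551212", out, sizeof out));
    printf("hardened parser, over-long: %d\n",
           safe_parse_callto(sample_overlong_url(), out, sizeof out));
    return 0;
}
```

The hardened parser rejects rather than truncates: `strncpy` would stop the overrun but could turn an over-long target into a different, still-dialable number, which is exactly the PSTN-billing abuse the Mahy quote above worries about.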
Some intrusion via the data stream is obviously possible, but it depends on what the heck that stream is and what the heck you mean by intrusion.
The damage comes when you utilize that data stream for manipulating an insider (like some trojan).
An elaborate yet not so exotic method.
If our case is a network where data streams are looked upon as suspects, then the hosts ought to have already been secured anyway.
That's why this debate isn't something for the Skype company to worry about.