Researchers Reveal Skype Stalking Flaw

A Skype user’s IP addresses can be captured over time to covertly track them and view P2P transfers, researchers say

Researchers have revealed a vulnerability in the Skype voice over IP (VoIP) service that can expose a user's location, identity and the content of their downloads.

Skype users can be tracked because, once a call is established, the IP addresses of the callers are revealed to one another’s devices. Commercial geo-IP mapping services can then show the approximate location of the callers and their Internet service providers (ISPs).

Online stalking and P2P access

By using this glitch in Skype's operation, a user can be followed even if they are not on the tracker’s contact list, and the technique still works if the setting to block calls from non-contacts has been set.

The researchers did this by initiating a call, blocking a few packets and then rapidly ending the call. If this was done fast enough, Skype did not alert the user with a pop-up, or even trigger the phone to ring. If repeated over a period of time, the sequential locations of the IP addresses can form a trace of the user’s movements. The process is repetitive, so it could easily be automated.

In a statement, the Polytechnic of New York in the US (NYU-Poly), one of the three research establishments involved, warned: “Even when a user blocks callers or connects from behind a Network Address Translation (NAT) – a common type of firewall – it does not prevent the privacy risk.”

Of greater concern is that Skype can also reveal a user’s peer-to-peer (P2P) file-sharing activities, the researchers discovered. Also, by searching for personal data on social sites, like Facebook or LinkedIn, a tracker could easily discover a potential target’s name, age, address, profession and employer to track down any Skype accounts.

Keith Ross, the Leonard J Shustek professor of Computer Science at NYU-Poly, said, “These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing service. A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud.”

The research was undertaken by the French research institute INRIA at Sophia Antipolis, the Max Planck Institute for Software Systems (MPI-SWS) in Saarbrücken, Germany, and NYU-Poly. The team tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period.

In one example case, a volunteer was tracked through a visit to a New York university, followed by a vacation in Chicago, a return to the university, his lodgings in Brooklyn, and then to his home in France.

“If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when,” the university statement said.

Skype, now owned by Microsoft, has yet to respond to the research findings.