There’s something particularly spooky about some findings in a paper that was recently published by a group of researchers at NYU Polytechnic Institute on VoIP and P2P communications – particularly if you rely on real-time communications apps to do business.
Skype seems to be the scapegoat in this study, which found that with some rudimentary techniques, it’s possible to easily retrieve IP address information from Skype users. Skype clearly owns this market and has a critical mass of over 560M users, so while other competing apps like Google Voice, MSN Live and QQ boast healthy usage also, Skype is the only app of the four that has a directory service AND employs P2P technology, and was the focus of the study.
What’s spooky is what a would-be attacker can learn about a user or group of users, as reported in this study. Without a lot of heavy lifting, it’s possible to learn extremely accurate mobility patterns of users, as well as file-sharing patterns. What this means is that researchers have found some easy ways to stalk Internet users:
How’d they do it? They called random Skype users and over time and logged mobility patterns to determine where users are based and locations they frequent. What they found was that even if a user had a network address translation to prevent his/her information to be shown, it was easy to circumvent.
The study conducted encompassed random users, but that doesn’t mean the sample isn’t part of a business or enterprise Skype license, or that the user doesn’t use Skype for business purposes. This brings up a whole new slew of problems, less focused on privacy and more focused on what a would-be attacker could potentially identify as data they might want to steal.
With the P2P file sharing capabilities in real-time communications apps, since an attacker might already have a user’s IP address, they can use that to map to file-sharing applications. This means that exposure to files is a very real possibility, and something that organizations might want to know if they are using Skype on a regular basis.
In a lot of ways, this is just another example of a vulnerable web-based application. And given that Microsoft is putting muscle behind Skype, I have to believe that this report wasn’t exactly shocking. And as reported in Network World last week, just because Microsoft didn’t comment, that doesn’t necessarily mean they aren’t conducting their own research to remediate those issues either.
Skype publishes a number of security best practices for users, and third party security checklists exist that include recommendations for how to configure Skype, like UNC-Chapel Hill’s IT Security recommendations.
One very easy and very smart move that organizations should think about if this is arousing concern in the management ranks is training employees. Both technical and non-technical. This could go a long way to educating them on how to use and how not to use applications that might introduce an entry point for vulnerabilities to be exploited.
Organizations should also refine policies if not already in place, so that best practices are implemented when using any open application like a real-time communications application, for any purpose.
It’s a spooky time of year but every day doesn’t have to be Halloween. These findings represent some privacy issues but it’s up to individual users and companies to implement processes to protect themselves from the lurking ghouls.