Many of our employees frequently use Skype for work. I'm concerned about the Web-based tool that displays a Skype...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
user's last known IP address. Should we stop allowing Skype use until this issue is resolved, or is this a common issue with other IP-based teleconferencing services?
Ask a Question
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at email@example.com.
Skype is a useful, cost-saving tool for many businesses. A decision to ban its use will not go well with your employees unless you can demonstrate the legitimacy of your Skype security concerns. The Web-based tool referenced in your question enables an attacker to find the last known public IP address of a Skype user by exposing addresses that enable Skype servers to make contact with them. If a Skype username is exposed, additional user information such as city, country, Internet provider and the internal user IP address can be obtained.
Researchers from the French research institute Inria and the Polytechnic Institute of New York University informed Skype of this security flaw (just as it was being bought by Microsoft). In October 2011, those researchers published results showing how to clandestinely track the city-level location of 10,000 Skype users for two weeks. The team discovered that brief calls to Skype users could be stopped from appearing on the recipient's computer or device by preventing pop-up notifications and call histories that would identify them. The recipients didn't know they had missed a call and didn't have to answer the call in order to be identified. After the call, researchers could obtain the user's IP address from packets of information automatically sent to the caller from the receiving end. The same technique can be used for mobile devices that have Skype as an app, though with less accuracy than on a desktop.
IP addresses can be used to track a user to a specific company or city, sometimes to within 700 yards of their location. Though legal experts have said IP addresses themselves are not personally identifiable data, law enforcement officers have sought this level of information in obtaining evidence on suspects' Internet activities. Researchers have also demonstrated that, with access to certain databases, it may be possible to deduce users from addresses they have used.
This type of information could be used to conduct corporate espionage by tracking the movements of rival employees as they travel to determine where they're doing business and with whom. The information could be used as part of fingerprinting an individual's machine prior to an attack. If you have employees whose location needs to be kept secret or you are concerned in any way about their privacy, banning Skype is an option.
These Skype security concerns may not be resolved in the near future as Skype is based on peer-to-peer architecture, which means each peer has by design knowledge of the other's address. Not surprising then that a Skype spokesperson said in a statement, "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies." If an organization determines that a user's security needs necessitate avoiding Skype due to these issues, similar services are unlikely to offer a safer alternative.
Dig Deeper on Network Protocols and Security
Related Q&A from Michael Cobb
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
QuickTime for Windows was found to have two zero-day vulnerabilities, and was then suddenly moved to end of life by Apple. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.