Many of our employees frequently use Skype for work. I'm concerned about the Web-based tool that displays a Skype user's last known IP address. Should we stop allowing Skype use until this issue is resolved, or is this a common issue with other IP-based teleconferencing services?
Skype is a useful, cost-saving tool for many businesses. A decision to ban its use will not go well with your employees unless you can demonstrate the legitimacy of your Skype security concerns. The Web-based tool referenced in your question enables an attacker to find the last known public IP address of a Skype user by exposing addresses that enable Skype servers to make contact with them. If a Skype username is exposed, additional user information such as city, country, Internet provider and the internal user IP address can be obtained.
Researchers from the French research institute Inria and the Polytechnic Institute of New York University informed Skype of this security flaw (just as it was being bought by Microsoft). In October 2011, those researchers published results showing how to clandestinely track the city-level location of 10,000 Skype users for two weeks. The team discovered that brief calls to Skype users could be stopped from appearing on the recipient's computer or device by preventing pop-up notifications and call histories that would identify them. The recipients didn't know they had missed a call and didn't have to answer the call in order to be identified. After the call, researchers could obtain the user's IP address from packets of information automatically sent to the caller from the receiving end. The same technique can be used for mobile devices that have Skype as an app, though with less accuracy than on a desktop.
IP addresses can be used to track a user to a specific company or city, sometimes to within 700 yards of their location. Though legal experts have said IP addresses themselves are not personally identifiable data, law enforcement officers have sought this level of information in obtaining evidence on suspects' Internet activities. Researchers have also demonstrated that, with access to certain databases, it may be possible to deduce users from addresses they have used.
This type of information could be used to conduct corporate espionage by tracking the movements of rival employees as they travel to determine where they're doing business and with whom. The information could be used as part of fingerprinting an individual's machine prior to an attack. If you have employees whose location needs to be kept secret or you are concerned in any way about their privacy, banning Skype is an option.
These Skype security concerns may not be resolved in the near future, since Skype is built on a peer-to-peer architecture, which by design means that each peer knows the other's address. It is not surprising, then, that a Skype spokesperson said in a statement, "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies." If an organization determines that a user's security needs necessitate avoiding Skype because of these issues, similar peer-to-peer services are unlikely to offer a safer alternative.
This was first published in November 2012