Big privacy flaw in Skype

In this photo illustration, the Skype Internet phone program is seen Sept. 1, 2009 in New York City.

Keith Ross is a professor of computer science at the Polytechnic Institute of NYU. He's presenting some research on Skype at a conference next week in Berlin. The problem, he says, has to do with Skype's use of the Internet Protocol, or IP address on your computer and your ISP, or Internet service provider.

"If you have Skype running in your laptop," he says, "then I or any other attacker can inconspicuously call you, obtain your current IP address and your current location without you ever knowing about it."

While it's not exactly a GPS determination of where you are, Ross says the IP address can show, "The city you're in and also determine if you're at work or at home because your IP address not only exposes your location but also exposes the ISP you're using and from that we can determine if it's your employer or residential ISP or whatever."

Ross says that an advanced high school hacker can pull off this sort of invasion, "they just have to have a computer and an Internet connection. Operating from anywhere in the world. One thing we also showed is the attacker can scale to track thousands of users, tracking 10,000 random users over a two-week period."

Chester Wisniewski from the security firm Sophos, however, cautions that an IP address is not necessarily a homing beacon to where you are right at the moment. "An example that might be you know I'm traveling today on business," he explains, "I appear to be on the Internet in Vancouver. If someone were to look at this, they would think I'm in Vancouver, although I happen to be in another city entirely. So this information isn't all that accurate as to where you specifically might be. And you know, it is a little bit of an information disclosure, but I think that goes hand-in-hand with simply being available and communicating. It's kind of the equivalent in saying you have a 212 area code, you must be in New York City. With cell phones we know that's not the case, and that's true on the Internet as well. IP addresses to a degree are an indicator of a location to a small amount of security, but- it's not he same as somebody having your home address."

We reached out to Skype, which is owned by Microsoft, about this. In a written statement attributed to Adrian Asher, Skype's chief information security officer, the company said, "Just as with typical Internet communications software, Skype users who are connected may be able to determine each other's IP address. Through research and development, we will continue to make advances in this area and improvements to our software."

In the meantime, says Ross, you can always just start over on Skype. "You can create a new Skype account and choose a Skype ID that's very anonymous, that people won't be able to figure out that it's you. So you share that with people you can trust, that way, no one would think of tracking you."

Also in today's program, a Dutch scientist is trying to make a hamburger. Needs to be made with meat but not animal meat. He's growing test tube meat.

About the author

John Moe is the host of Marketplace Tech Report, where he provides an insightful overview of the latest tech news.

Comments

I agree to American Public Media's Terms and Conditions.
With Generous Support From...