Françoise Breton - Céline Acharian - 21/10/2011

How to Skype without being seen!


Skype is a Voice over Internet Protocol (VoIP) solution used by hundreds of millions of people the world over. Inria researchers (Stevens Le Blond, Arnaud Legout and Walid Dabbous) in partnership with a team at the Polytechnic Institute of New York University have demonstrated that a malicious user could invade the privacy of any Skype user.

What is the security breach you have highlighted in Skype?

Arnaud Legout: We have shown that individuals without any specific resources and especially without legal permission could tie a social identity to an IP address. We worked with researchers at the Polytechnic Institute of New York University to show that in using Skype it was possible not only to connect a social identity with an IP address but also that movements by Skype users could be tracked along with their BitTorrent downloads. Skype users cannot detect this attack, which is not blocked by privacy protection settings currently available.

Is this security breach easy to exploit?

Arnaud Legout: We demonstrated that it was possible to track somewhere in the region of 10,000 Skype users every hour at a cost in the region of €400 per week without optimisation. This means it is even possible to identify users behind NATs (Network Address Translations in internal networks) or IPv6/IPv4 gateways. Consequently, anyone with IT skills can track Skype user movements and their BitTorrent downloads (with details about downloaded content). There is therefore reason to fear industrial espionage or malicious use of personal information because on-line activity, travel and social interaction between users can be transparent to whoever knows how to track Skype users.

The breach arises from the fact that these services use peer-to-peer communication. Should the technology change?

Arnaud Legout: Simply put, two security breaches have been brought to light. The first concerns the very nature of peer-to-peer (P2P) communications, which makes it possible to exchange data with anyone. It is currently impossible for a P2P protocol user to block all communication. The simple act of establishing a connection between two peers (even if the connection is immediately closed) is enough to make the other peer’s address visible. The other breach relates to the use of directories used in VoIP protocols. A directory can find the name of a person and call him or her. Even if this person then refuses the call, P2P communication has been established and is sufficient to make the IP address visible.
This simplified explanation shows that the security breach stems from the open nature of the Internet. It is consequently difficult to offer a quick and global response to this type of attack. We are starting an ambitious project to study solutions that could make such attacks difficult whilst upholding the open and non-monitored ideals of the Internet.

In the meantime, what kind of protection is available?

Arnaud Legout: Using Skype or BitTorrent is not in itself a risk of privacy invasion. However, it is more dangerous if Skype and BitTorrent clients remain active all the time when not in use. Specifically, all you have to do is terminate the Skype client to make localisation impossible for the attack we have described – provided that the client was not launched in the 72 hours preceding the attack. It is therefore recommended to terminate the Skype client if there is network activity you wish to keep confidential or if you wish to move around without being located.

Social identity and IP address

A social identity is the set of all the information used to identify a person (surname, first name, etc.). An IP address is the network ID used for all communication over the Internet. This means that by looking at Internet traffic it is possible to know that a user with a given IP address is viewing a specific website and downloading specific content.
It is difficult, however, to tie an IP address to a social identity and thus put a name to specific on-line activity. In practice, to link a name with Internet activity, a formal request must be made to the user’s ISP (Internet service provider). In fact, only the ISP has the information matching IP addresses to social identities. Without legal evidence, it is very difficult to obtain such information from the ISP. This is particularly the case when the party making the request is not in the same country as the person to be identified. Major Internet corporations such as Google and Facebook can also make the connection, although they are bound by non-disclosure rules and subject to laws protecting user privacy. The confidence of their users and their continuing activity are contingent on such requirements.

Keywords: PLANETE project-team, Polytechnic Institute, Inria - Sophia Antipolis - Méditerranée, Identity, Privacy, IP