[ISN] How dangerous is Skype?

From: InfoSec News (alerts@private)
Date: Thu Mar 08 2007 - 01:06:14 PST


By Michael Gough
March 06, 2007 

There's been a lot information -- and misinformation -- available about 
whether Skype is dangerous to corporate networks and individual users. 
How dangerous is it? In this article, I'll separate the truth from the 
myths when it comes to Skype vulnerabilities.

Understanding Skype's basic architecture

Skype is a peer-to-peer (P2P) application, meaning that users connect to 
one another directly and not through a central server for communication. 
Skype initially uses Internet-based servers to authenticate users when 
they log in and to track their status, but when a "chat" or instant 
message, "voice call" or "file transfer" is initiated, the parties 
involved in the communication do so in a P2P direct connection. If one 
or both of the users are behind a typical corporate Network Address 
Translation (NAT) firewall, the communication can be relayed through a 
Supernode because a direct P2P can't be established behind a NAT. In the 
case of a file transfer, you will see a message indicating your transfer 
is being relayed.

One of security professionals' primary concerns about Skype is how easily 
a Skype client can find a way around a secure corporate firewall 
configuration. Skype does this by using ports 80 and 443, which are open 
in most firewalls to allow Web browsing. In addition, Skype may reroute 
traffic if the initial port assigned during the Skype installation isn't 
available. This makes blocking Skype at a firewall more difficult, since 
the ports Skype uses can change as needed.

Skype also encrypts each communication with a unique 256-bit AES 
encryption key, meaning each communication uses a different key each 
time you communicate, making eavesdropping on communications almost 

One more thing to keep in mind about Skype security is its Supernodes, 
which route Skype traffic. A Supernode is a computer with a specific 
configuration that must have a direct connection to the Internet and 
can't be behind a firewall using NAT. And they must have a "real" public 
routable IP address. Beyond those restrictions, these Supernodes can be 
any Skype user computer that meets the minimum hardware and 
configuration requirements.

There's a lot more you can learn about Skype's security architecture. 
For details, visit the Skype Security Resource Center.

Skype FUD

Now that you have an understanding of how Skype works, we can look at 
whether it's dangerous. There are a lot of misconceptions floating 
around about Skype. Here are the five most common:

   1. Skype uses a lot of bandwidth on a network.
   2. Any computer can be a Supernode.
   3. Skype is like any other IM application and susceptible to IM worms 
      and viruses.
   4. Skype is hard to stop on my network.
   5. Skype is encrypted so I cannot archive IM messages.

Let's take a look at each of them in turn:

Myth No. 1: Skype uses a lot of bandwidth on my network

Skype actually uses very little bandwidth, approximately 30Kbit/sec. per 
voice call. If a user's computer becomes a Supernode, then yes, a 
Supernode will consume a tremendous amount of bandwidth. But remember 
you must be on a system directly connected to the Internet in order to 
become a Supernode, and in most corporate configurations PCs aren't 
directly connected to the Internet, so this is normally not an issue.

Myth No. 2: Any computer can be a Supernode

We've already learned that a system must have a routable IP address and 
sit directly on the Internet to become a Supernode. If a computer 
resides in a typical company network protected by a firewall that 
provides NAT, using a 192.168.x.x or 10.x.x.x private IP address scheme, 
then it's impossible for it to become a Supernode. NAT firewalls and 
even home routers prevent many systems from becoming Supernodes.

Myth No. 3: Skype is susceptible to IM worms and viruses

Last year, there were 1,355 viruses or worms that affected IM clients 
through early December, according to Akonix Systems Inc., and not one of 
those affected Skype. Though Skype did have two security alerts in 2006, 
four in 2005 and one in 2004, none of these has been exploited.

The main vulnerability of IM applications is their file transfer 
feature, which can be exploited to allow anyone to send a file that 
contains possible malware. To protect against this, Skype file transfers 
can be scanned with any antivirus application that is up to date and 
current and running in "auto-protect" mode. In addition, many antivirus 
applications have specific IM-scanning options. So if you have a 
current, up-to-date antivirus application that runs in "auto-protect" 
mode, you have little to worry about. You can also disable Skype's file 
transfer feature.

Myth No. 4: Skype is hard to stop on my network

Skype is only hard to block if you don't know what is on your network or 
if you don't have good configuration management of your clients. There 
are many ways you can block Skype, ranging from scripts to using network 
management software, to blocking Skype at the network layer. For 
details, see this article.
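As an added illustration of the "know what is on your network" point (example code written for this edit, not from the article, Skype or SkypeTips.com): the script below applies two of the article's observations to constructed netstat-style records. Because Skype uses ports 80 and 443 to look like Web browsing, it cannot be told apart from a browser by port alone, so the script keys on the owning process instead; and because a host can only become a Supernode if it has a publicly routable address, it also reports which Skype hosts sit outside NAT. The process names, the record format and every address in the sample are assumptions made for the example.

```python
"""Audit constructed netstat-style records for Skype activity.

Two checks from the article:
 1. Skype traffic on ports 80/443 is identifiable only by the owning process,
    not by the port, because those ports are open for Web browsing anyway.
 2. Only a host with a publicly routable IP address (not a 10.x.x.x or
    192.168.x.x NAT address) can become a Supernode.
All sample data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ports the article says Skype uses to blend in with Web browsing.
WEB_PORTS = {80, 443}

# Process names treated as Skype clients (assumption: a real deployment
# would take these from its own configuration-management inventory).
SKYPE_PROCESSES = {"skype.exe", "skype"}


@dataclass(frozen=True)
class Connection:
    local_ip: str
    remote_ip: str
    remote_port: int
    process: str


def parse_netstat_line(line: str) -> Optional[Connection]:
    """Parse one constructed netstat-style line such as
    'TCP 10.0.0.5:50123 203.0.113.10:443 ESTABLISHED skype.exe'.
    Returns None for anything that is not an established TCP connection."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
        return None
    local_ip, _ = parts[1].rsplit(":", 1)
    remote_ip, remote_port = parts[2].rsplit(":", 1)
    return Connection(local_ip, remote_ip, int(remote_port), parts[4].lower())


def is_publicly_routable(ip: str) -> bool:
    """True if the address is globally routable, i.e. not RFC 1918 private,
    loopback, link-local or otherwise reserved. Per the article, only such a
    host could be selected as a Supernode."""
    return ipaddress.ip_address(ip).is_global


def audit(lines: List[str]) -> Tuple[List[Connection], Set[str]]:
    """Return (Skype connections on Web ports, Skype hosts with public IPs)."""
    skype_on_web_ports = []
    supernode_capable = set()
    for line in lines:
        conn = parse_netstat_line(line)
        if conn is None or conn.process not in SKYPE_PROCESSES:
            continue
        if conn.remote_port in WEB_PORTS:
            skype_on_web_ports.append(conn)
        if is_publicly_routable(conn.local_ip):
            supernode_capable.add(conn.local_ip)
    return skype_on_web_ports, supernode_capable


# Constructed sample: one NAT'd PC, one browser, one Skype peer on a
# non-Web port, one Skype host with a public address, and a UDP line.
SAMPLE_NETSTAT = [
    "TCP 10.0.0.5:50123 203.0.113.10:443 ESTABLISHED skype.exe",
    "TCP 10.0.0.5:50124 198.51.100.7:80 ESTABLISHED firefox.exe",
    "TCP 192.168.1.20:40000 198.51.100.20:33033 ESTABLISHED skype.exe",
    "TCP 172.32.0.10:41000 198.51.100.9:443 ESTABLISHED skype",
    "UDP 10.0.0.5:1234 *:* skype.exe",
]

if __name__ == "__main__":
    on_web, capable = audit(SAMPLE_NETSTAT)
    for c in on_web:
        print(f"Skype via Web port: {c.local_ip} -> {c.remote_ip}:{c.remote_port}")
    print("Hosts that could become Supernodes:", sorted(capable))
```

Note that 172.32.0.10 is reported as routable while 192.168.1.20 and 10.0.0.5 are not: the private range is 172.16.0.0/12, so 172.32.x.x lies just outside it, which is why the script relies on the `ipaddress` module rather than a hand-written prefix check.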

Myth No. 5: Skype is encrypted, so I can't archive IM messages

This one's not really a myth. Skype sessions are encrypted, so yes, you 
can't capture or archive Skype communications. The same is true of many 
IM applications, though, so it's not less secure than other IM programs 
that can use encryption.


So far, Skype hasn't suffered from the ills that bedevil most of the IM 
applications regarding viruses and worms. But it's most likely only a 
matter of time before a vulnerability is discovered and exploited. Any 
application that allows file transfers, IM or voice that can't be 
monitored, archived or recorded, has some level of risk.

However, Skype's architecture is more difficult to crack than other IM 
applications open to the Internet, and so it's the safest of those, but 
there are non-Internet applications like Jabber that are even safer for 
internal-only IM communication. But if asked if Skype is safer than MSN 
Messenger, Yahoo Messenger, AIM or ICQ, the answer is "yes" for now.

For more information:

Skype Slips into business

Skype aims to meet more business needs

Skype Security Blog

Skype - Wikipedia, the free encyclopedia



Michael Gough is host and webmaster of SkypeTips.com and 

This archive was generated by hypermail 2.1.3 : Thu Mar 08 2007 - 01:14:14 PST