Researchers uncover privacy flaws that can reveal users' identities, locations and digital files

Oct 21, 2011
A team of researchers, including Keith Ross (pictured), the Leonard J. Shustek Professor of Computer Science at NYU-Poly, has uncovered privacy risks connected to using Skype.

(PhysOrg.com) -- Researchers at Polytechnic Institute of New York University (NYU-Poly) and colleagues in France and Germany will soon notify Internet scholars of flaws in Skype and other Internet-based phone systems that could potentially disclose the identities, locations and even digital files of the hundreds of millions of users of these systems.

Their paper, “I Know Where You are and What You are Sharing," will be presented during the Internet Measurement Conference 2011 in Berlin on November 2, 2011. The authors are Chao Zhang and Keith Ross of NYU-Poly; Stevens Le Blond of the Max Planck Institute for Software Systems (MPI-SWS), Germany; and Arnaud Legout and Walid Dabbous of the French research institute I.N.R.I.A Sophia Antipolis.

Ross, the Leonard J. Shustek Professor of Computer Science at NYU-Poly, explained that the team uncovered several properties of Skype that can track not only users’ locations over time but also their peer-to-peer (P2P) file-sharing activity. Even when a user blocks callers or connects from behind a Network Address Translation (NAT) - a common type of firewall - it does not prevent the privacy risk, he said. The research also revealed that marketers can easily link to information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

“These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services,” said Ross. “A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user - from private citizens to celebrities and politicians - and use the information for purposes of stalking, blackmail or fraud.” Ross explained that these privacy weaknesses are fairly easy to exploit, and that a sophisticated high school-age hacker would likely be capable of executing similar attacks.

The team first observed that with VoIP (Voice and Video over IP) systems, when Alice establishes a call with Bob, Bob reveals his IP address to Alice. Alice can then use commercial geo-IP mapping services to determine Bob’s location and Internet Service Provider (ISP).

The team also found that Alice can initiate a Skype call, block some packets and quickly terminate the call to obtain Bob’s IP address without alerting Bob with ringing or pop-up windows. Alice can make this attack even when Bob is not on her contact list or even when Bob explicitly configures Skype to block calls from non-contacts. By repeating the process on, say, an hourly basis, Alice can track the locations and movements of any Skype user over weeks or months, without the user having any idea that he is being tracked.

To demonstrate the potential severity of these security vulnerabilities, the researchers tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period, using techniques that neither harmed nor disrupted the service, utilized any requests for which the service was not designed nor interfered with users. All data were anonymized for user safety. Skype and Microsoft Corp. were informed of the researchers’ findings.

The researchers used commercial geo-location mapping services and found that they could construct a detailed account of a user’s daily activities even if the user had not turned on Skype for 72 hours. In one example, they accurately tracked one volunteer researcher from his visit at a New York university to a vacation in Chicago, a return to a New York university, lodging in Brooklyn, then to his home in France. “If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when,” the authors said.

They calculated it would cost a marketer who wanted to create a database only $500 per week to track 10,000 users - and perhaps less, since they did not delve deeply into optimization.

In another experiment, they queried the 50,000 most popular downloads on BitTorrent, a popular P2P file-sharing system. Because it enables sharing of large files, it is a favorite of digital pirates. When a common IP address was found on both Skype and BitTorrent, the researchers were able to determine the files that identified individuals downloaded or shared. They noted that the same information could be obtained from other P2P applications, such as eMule or Xunlei.

A fairly straightforward and inexpensive fix would prevent hackers from taking the critical first step in this security breach - that of obtaining users’ IP addresses through inconspicuous calling. The researchers say that redesigning the Skype protocol so that a user’s IP address is never revealed unless the call is accepted would offer substantially greater privacy.

Skype claims it has more than a half-billion registered users and a monthly average of 170 million active ones who use its application for phoning, texting, instant messaging and video conferencing. By one report, one in five overseas calls is made via Skype. One study found BitTorrent may account for a quarter to more than a half of all Internet traffic.

While Skype was the only service tested in this study, the researchers claim that some of the security issues are fundamental to all real-time P2P communication systems, and that the proposed defenses may offer guidelines for enhancing privacy of other popular applications.

Explore further: Ride-sharing could cut cabs' road time by 30 percent

Related Stories

Skype scrambles after service trouble

May 26, 2011

Skype on Thursday was scrambling to fix a problem that caused the globally popular Internet telephone service to be inaccessible for a "small number" of users.

Facebook joins forces with Skype

Oct 14, 2010

Skype and Facebook joined forces Thursday to let users of the popular Internet communications service chat with their friends on the booming social network.

Researchers enhance spam call filtering

Apr 03, 2009

Researchers in Helsinki Institute for Information Technology HIIT are developing a new system for filtering spam calls in a flexible way. Spam calls (junk calls or Spam for Internet Telephony, SPIT) are unwanted calls often ...

Skype comes to iPhones on Tuesday

Mar 30, 2009

Skype has confirmed that a free software application enabling iPhone owners to use its Internet telephone service will be available in Apple's online App Store beginning Tuesday.

Recommended for you

Ride-sharing could cut cabs' road time by 30 percent

Sep 01, 2014

Cellphone apps that find users car rides in real time are exploding in popularity: The car-service company Uber was recently valued at $18 billion, and even as it faces legal wrangles, a number of companies ...

Avatars make the Internet sign to deaf people

Aug 29, 2014

It is challenging for deaf people to learn a sound-based language, since they are physically not able to hear those sounds. Hence, most of them struggle with written language as well as with text reading ...

Chameleon: Cloud computing for computer science

Aug 26, 2014

Cloud computing has changed the way we work, the way we communicate online, even the way we relax at night with a movie. But even as "the cloud" starts to cross over into popular parlance, the full potential ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

hush1
not rated yet Oct 21, 2011
I need a second opinion.
Did you invite NSA?
Skultch
not rated yet Oct 21, 2011
Do you really think the NSA would willingly give away such a valuable tool?
Skultch
5 / 5 (1) Oct 21, 2011
No, I guess you wouldn't. That was dumb. I shouldn't post while drinking craft beer.

This actually isn't that interesting, now that I let myself think it through. Any web admin can track people's locations by their public IP address; or tie that IP to bittorrent tracking. It's just that Skype has stupidly allowed it's users to see other user's IPs. Dumb.
hush1
not rated yet Oct 21, 2011
:)