Skype has been a very popular means to make voice and video calls for the past few years. Its popularity is in no small part due to the ease of use, which leads to a big user base and a plus in attractiveness.

From a user’s point of view, Skype has many advantages. From the point of view of a company that is concerned about the protection of its own network, however, Skype turns out to be a nightmare. This article takes a look at the difficulties Skype brings as well as the resulting risks.

Ban the Client

The simplest solution to the entire issue would be to just ban the Skype client from the network. Using this simple measure, installing or starting the client can be prevented. In multi user environments, the rights needed for installation or use of the standard Skype client can be taken away from the users. This solves the problem for the most part. There are means and methods, though, that can’t be stopped that easily.

Skype Portable without Installation

Normally the standard Skype client has to be installed. However, Skype Portable is a special version of the software that does not need a separate installation. Because an install usually requires elevated rights on a system, a big hurdle that users would be facing when wanting to install is moot.

The avoiding of execution of foreign software is still something that is implemented in very few environments. Whitelisting, using Windows with AppLocker for example, could achieve this goal. However, many a company doesn’t like to make the effort connected to such a granulated restriction. Most often, an attacker can go by this creed: As soon as my binary is on the system, I can use it.

Skype on Mobile Devices in a WLAN

In the past few years saw a dramatic rise in wireless communication. More devices bring more flexibility, less wires bring more comfort in working with them. Tablets and smart phones are the forerunners of this trend.

The popularity of these solutions can be traced back to the fact that most of the functions known from laptops or desktop computers is offered by the mobile devices as well. This includes the Skype client, which is available for most mobile operating systems. Even in the age of Bring Your Own Device, restrictive mobile device management is only rarely implemented. Therefore, evasion can simply be done by using another platform.

Block Network Communication

If the installation of Skype can’t be blocked, it’s worth to attempt to block communications so that Skype because completely harmless. But even here, there are pitfalls that are due to the fact that communication should be as simple as possible for the users

Outbound Connections

In the age of firewalls and Network Address Translation (NAT), it has become increasingly difficult for distributed systems to establish communication. Because inbound communication hasn’t been possible without further issues, outbound connections have been the go-to solution.

Outbound connections usually aren’t controlled and limited that due to the fact that egress filtering is, similar to the whitelisting approach, connected to proportionately high effort.

Dynamic Port Use

Classic network applications tend to use static ports. The target ports are always the same. By default:

• 21 for FTP
• 22 for SSH
• 23 for Telnet
• etc.

If port blocking is used, the Skype client can change its port use dynamically. This makes it possible to find permitted means of connection. Among other things, there’s a conscious attempt to use the ports tcp/80 and tcp/443. These standard web ports are permitted for use in most environments and are being used by Skype as well. Thus, as long as any a port is permitted, Skype can theoretically use it.

Protocol-Tunnelling

Basically, an application gateway with its proxies attempts to validate communications on the application level. Because Skype communication does not look like HTTP, a connection using tcp/80 would be seen as illegitimate and blocked.

Skype, however, circumvents this restriction by protocol tunnelling. This method embeds Skype data in a regular HTTP transmission. Subsequently, the web proxy usually can’t determine whether or not it should permit communication or not. Only with big effort to equip the proxy with a targeted Deep Inspection can control be regained. An additional effort in development and additional loss in performance would be the consequences.

Minimize Attack Surface

Skype is not just a problem due to the difficulties in controlling it but also in cases where the solution and its inherent risks are accepted. Because Skype adds to the attack surface not just on the user level but also his communications as well as the entire network.

Complex Client

Even though the functionality of Skype can be grasped quite easily, the client itself is much more complex. A first indicator for that is the binary. It’s comparatively big and clunky. This indicates that the development of the client can only provide the necessary security with additional effort, if they bothered at all.

Closed Source

Skype has been negatively stigmatized as closed source since it first came out. There are no known official details as to how the protocol functions internally. This makes it difficult to see and evaluate the given dependencies, potential vulnerabilities and effective risks.

A reverse engineering of the Windows binary illustrates nicely that the high level of complexity is intentional. It is probably seen as part of the anti-reverse engineering. In general, there are many indicators that point towards the developers intentionally making it hard for third parties to understand the functionality. This is also one of the reasons why even after all these years of Skype being on the scene, there’s still no alternative client.

Data Exchange

Skype is, first and foremost, a solution for voice and video calls over the internet. But there’s more to it than just that. It supports chatting that includes file transfers. This opens the floodgates to any company’s network that can’t be controlled given certain circumstances. Proxies and anti-virus solutions can keep unwanted files from spreading – for example using email or the web. But Skype does not support any such mechanisms.

Leaking of Data

Communication is always a risk that the engaging parties take knowingly or unknowingly. By establishing connections and exchanging files and data, the chance of making an error exists or errors can be exploited. Starting with social engineering attacks and ending with very complex technical attacks, Skype users endanger not just themselves, but the infrastructure they’re working on and the data contained therein.

Third Party Infrastructure

A large part of Skype’s communication takes place on third party infrastructure. In 2011, Microsoft took over. Therefore, there’s no real control over the functionality and the use of the data. A malicious node could make effort to read communication or manipulate file transfers.

Unknown Vulnerabilities

The fact that Skype is closed source makes it very difficult to see its vulnerabilities. Vulnerabilities can be built into a solution by design by introducing secret backdoors, for example. Given certain circumstances, calls from a certain Skype user can be used to turn on the camera on his or her computer without their knowledge. Or a specific command sent to the network port could get an attacker access to the victim’s file system.

Summary

From a user’s perspective, Skype is a convenient solution. However, if an administrator, concerned with network security in his company, looks at it, Skype Is everything but convenient and comfortable. There are many risks that are either introduced or significantly increased in size due to Skype. Only with additional effort is it possible to block or limit the use of the product.

About the Author

Marc Ruef has been working in information security since the late 1990s. He is well-known for his many publications and books. The last one called The Art of Penetration Testing is discussing security testing in detail. He is a lecturer at several faculties, like ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)

Links

• http://kara.allthingsd.com/20110509/microsoft-will-announce-acquistion-of-skype-tomorrow-morning
• http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
• http://www.oklabs.net/skype-reverse-engineering-the-long-journey/
• http://www.secdev.org/conf/skype_BHEU06.handout.pdf
• http://www.skype.com
• https://www.computec.ch/news.php?item.262