Skype cracked?

Biondi and Desclaux's slides from BlackHat Europe are very interesting. They seem to have done a fairly complete job of reverse engineering the binary and explain how a bunch of features work. One thing I've started hearing recently is that they've "cracked" Skype (see, for instance, this article by Ryan Singel), which is true in some technical sense, but kind of misleading.

The primary security property that you as a user of Skype care about is that other people can't listen to your communications, impersonate the person you're calling, etc. We don't have complete documentation on Skype's protocols, but neither the Biondi and Desclaux work nor Tom Berson's review indicates that there's any problem there--with the obvious exception that Skype themselves can man-in-the-middle your communications, but that's inherent in them being the certificate authority, so that's no secret.

However, Skype, Inc. has a secondary security property they want to enforce: that you go through their network. They use a bunch of security techniques to tie the software to their network, and Biondi and Desclaux do show how to bypass those protections. So, while they can be said to have "cracked" Skype, it doesn't really represent a threat to your security as much as to Skype's business model. Note that Biondi and Desclaux do suggest that this could be used to attack your communications by giving you a compromised copy of Skype, but if they can convince you to install software of their choice, the game is pretty much over in any case--they can just install spyware directly--so that's not really that interesting a threat.

None of this means, of course, that Skype doesn't have vulnerabilities in their software proper, but then what software doesn't? Finding a vulnerability like that isn't really the same as breaking the protocol or the system as a whole.


What's scarier is just how UGLY and blackhatish the program and protocol are in an attempt to resist analysis.

IMO, given the complexity, if I was IT manager for a major institution, I'd just blanket ban that sucker.

