
Skype Investigates IP Discovery Flaw
A flaw in Skype apparently allows users to learn the Internet Protocol addresses of other users. Finding out that someone has snooped your IP address may not sound as alarming as finding out your Social Security number has been exposed, but the information could be used by a determined and talented hacker to build more sophisticated attacks.
Skype is investigating a tool published recently on Pastebin that captures the last-known IP address of the VoIP (Voice over Internet Protocol) service's users.
This particular flaw was discussed in a paper presented by an international team of researchers in November at the Internet Measurement Conference 2011 in Berlin.
The tool exploits a patched version of Skype 5.5. Skype's flaw lets anyone see another person's vCard and get that person's real user IP address and the IP address of the internal network card on that person's PC.
More information about the target, such as the city and country where he or she is located and the Internet service provider the target is using, can be obtained by going to a Whois service.
The researchers stated that the flaw could let Voice over IP phone systems, including Skype, be exploited by third parties to ascertain users' identities, locations and digital files. The flaw can be exploited by a sophisticated hacker of high school age, they said.
By repeatedly calling targets over Skype and terminating the calls regularly, maybe hourly, attackers could find out the locations and movements of any Skype user over weeks or months without the targets' knowledge, the researchers said. They could discover which digital files targets downloaded by combining this attack with tracking targets' activities on popular peer-to-peer file sharing systems such as BitTorrent.
Linking data obtained from VoIP systems through the flaw to personal information from social media sites would let marketers create profiles on large numbers of people, the researchers said. They estimate it will cost a marketer only about US$500 a week to track 10,000 users.
One approach is for the designer of the VoIP signaling protocol to ensure that a user's IP address is not revealed to callers unless the user accepts the call. If a user blocks all calls from people not on their contact list, then anyone not on that list won't be able to determine the user's IP address. The researchers recommend this solution for all VoIP applications. Think of this as Caller ID in reverse.
Users may also want to block people on their contact list from getting their IP address. To do this, the researchers recommended that VoIP service providers pass all calls through relays. This will attach the IP address of the relay to the data. However, this solution increases VoIP traffic and slows P2P communication.
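The two mitigations above, modeled as an added example (not code from Skype or from the researchers): a hypothetical signaling broker that releases a callee's address only after the call is accepted, refuses non-contacts, and can substitute a relay address. All class names, method names and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

RELAY_ADDR = "192.0.2.10"  # constructed relay address (documentation range)

@dataclass
class User:
    name: str
    ip: str                       # constructed sample address
    contacts: set = field(default_factory=set)
    contacts_only: bool = False   # block calls from people not on the contact list
    always_relay: bool = False    # hide the IP even from contacts

class SignalingServer:
    """Hypothetical broker: call setup never carries the callee's address;
    a media endpoint is handed to the caller only once the callee accepts."""

    def __init__(self):
        self.users = {}
        self.pending = {}   # call_id -> (caller, callee)
        self.next_id = 1

    def register(self, user):
        self.users[user.name] = user

    def invite(self, caller, callee):
        """Return (call_id, status). No callee address is included."""
        target = self.users[callee]
        if target.contacts_only and caller not in target.contacts:
            # Same answer an offline user would give, so nothing is learned.
            return None, "unavailable"
        call_id = self.next_id
        self.next_id += 1
        self.pending[call_id] = (caller, callee)
        return call_id, "ringing"

    def cancel(self, call_id):
        """Caller hangs up before an answer: no address was disclosed."""
        self.pending.pop(call_id, None)

    def accept(self, call_id):
        """Callee answers: only now is an endpoint released to the caller."""
        caller, callee = self.pending.pop(call_id)
        target = self.users[callee]
        return RELAY_ADDR if target.always_relay else target.ip
```

With this ordering, the call-and-hang-up pattern described earlier yields only a "ringing" status, and the relay option trades the extra traffic the researchers mention for hiding the address from accepted callers as well.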
