Skype's Impact on Enterprise Security

Written by Greg Schmidt ~ Thursday, 13 April 2006 [VoIP Magazine]

Skype could be a ticking time-bomb with it's security vulnerabilities, and most of the millions of Skypers aren't even aware of it. Even as a telecom security specialists working for a company that produces voice security products, I use Skype even thought it regularly breaches our network firewalls. The problem is that Skype is just too easy to use, the voice quality is superb, and I can't argue with the cost.

So even though Skype has some potentially serious security issues, it's hard to argue about the amount of buzz that Skype has generated recently. Consider what Skype has accomplished:

• It is the fastest growing Internet communications application ever launched with around 150,000 users being added daily and over 200 million downloads.


• It has reached more than 70 million users and has logged close to 20 billion VoIP minutes, giving it the highest share of VoIP minutes.


• It is easy to install and works within minutes with practically no configuration required.


• It is easy to use and works just about everywhere, even behind corporate firewalls.


• It allows free calling with exceptional voice quality between any of the millions of Skype users around the world.


• It allows calls to and from the PSTN for a nominal charge.


• It includes an IM client and file transfer capability all conveniently encrypted for maximum privacy.


• It recently added video conferencing with its most recent 2.0 release.


• It received quite a boost in market acceptance when, in September 2004, it was acquired by E-bay, with all its impressive financial backing.

At the 2005 International Consumer Electronics Show in Las Vegas, Skype established itself as a mainstream product with a major presence at the show. It was the debutante of the ball, flirting with mainstream consumer electronics brands, such as Kodak, Philips, D-Link, and Panasonic who were lining up to be its partner. These giants in consumer electronics have been racing each other to introduce the latest Skype-enabled gadgets, from end-user devices such as USB Phones and Skype Wi-Fi phones to Skype-enabled routers.

Skype recently announced a partnership with Radio Shack to begin offering a Skype Starter Kit in all of the consumer electronics chain's 3,000 stores. The Skype Starter Kit includes the Skype software, a Skype-certified headset, and 30 minutes of SkypeOut, the service that allows Skype users to call PSTN phones and cell phones.

So, given all that Skype has going for it a new parent with deep-pockets, a hugely devoted user-base of millions, and the acceptance by mainstream consumer electronics companies, security still appears to be the only stumbling block it has yet to overcome.

While Skype maintains that it is a secure protocol and uses encryption to protect communications sessions, its claims pertaining to security cannot be confirmed because it is a closed proprietary protocol. Since its public release in August of 2003 the security community has pressured Skype to open up the protocol for review. This pressure was in part a result of the pedigree of Skype.

Skype is the brainchild of Niklas Zennstrom and Janus Friis, the same folks who brought us the Kazaa P2P file sharing application. Like Kazaa, Skype uses an overlay peer-to-peer network that promotes some of the publicly addressable clients within the network to Supernode status. The Skype application relies on the Supernodes as the backbone of the Skype network. Any Skype client with enough bandwidth, memory, and CPU processing power and having a public IP address has the potential to be a Supernode in the Skype network.

So why are IT admins and other security types wary of Skype? The problem stems from the tarnished reputation of Skype's predecessor, Kazaa, which had a nasty reputation of installing spyware and adware on its users desktops and was the bane of many an IT administrator. To counter this initial skepticism, Skype from its first release has worked hard to project a clean upright image. The Skype website plasters the "No Spyware, Adware, Malware" label on its homepage right next to the download button. Skype needed to advertise this good netizen badge right out of the gate due to its founders checkered past.

Bowing to industry pressure to open up the Skype protocol to check for security vulnerabilities, Skype allowed Tom Berson of Anagram Laboratories, a cryptographer and computer security expert with 35-years of experience in the field, to have a peek under the hood so to speak. Berson was allowed unimpeded access to Skype engineers and to the Skype source code (at least the parts pertaining to the cryptosystem).

Berson concluded that Skype uses standard cryptographic primitives and implemented the primitives correctly. These primitives include 256-bit AES for bulk payload encryption, the RSA public-key cryptosystem to exchange keys, the ISO 9796-2 signature padding method, the SHA-1 hash function, and the RC4 stream cipher. He verified each cryptographic primitive against reference implementations and found that Skype engineered them correctly and efficiently. In his conclusions, Berson stated that he started the project as a skeptic but, by the end of the evaluation, his confidence in Skype was growing. He seemed impressed with Skype's security implementation.

Yet even assuming that the Skype protocol is implemented with a high degree of security and employs the best standards-based cryptography widely and well, it is still a security threat to the enterprise based solely on its basic feature set. While Skype may provide authentication and confidentiality between the parties communicating via the Skype peer-to-peer network, it also provides a secure tunnel into the enterprise network.

Skype is so agile at getting through corporate firewalls that it has become a vector to spread viruses, worms, trojans, and other forms of malware. While Skype is known primarily for its free VoIP telephony feature, it also includes an IM client and file transfer feature. The IM messages and files transferred over Skype are both protected by the Skype built-in VPN to deliver IM and files from one desktop to another desktop peer-to-peer without any knowledge of the IT administration or the security tools they employ.

With the increased popularity of IM clients, such as those from AOL,MSN, and Yahoo, hackers are exploiting these new channels to spread their host of malware. In 2005, Akonix Systems Inc., which specializes in IM security, reported that 25 new viruses were reported on IM during last September alone. Another company specializing in IM security, IMlogic, noted that the number of threats detected for IM and peer-to-peer networks rose a whopping 3,295 percent in the third quarter of 2005, compared with the year before. Given that Skype now has millions of users and comes with an IM client, it won't be long before it will be targeted by hackers to become a vector for their worms and viruses.

Skype also includes a file transfer mechanism that allows peer-to-peer file transfers using the same VPN-like tunnel provided by the Skype network for voice. Files from other Skype users are transferred in encrypted form over the Skype network preventing them from being scanned by corporate anti-virus software or screened by the corporate firewall. While files attached to emails are routinely scanned by corporate anti-virus software before desktop delivery, this security check is not available when the file is transferred via the Skype network.

I have studied the Skype protocol since I first downloaded it in April of 2004. Skype has been engineered from the beginning to be evasive and stealthy when traveling over the network. Beyond encrypting the packet for security purposes, the Skype signaling packets are purposefully obfuscated to make it difficult to identify a packet as a Skype packet. Even if a Skype session is detected, it is difficult to determine without performing some type of packet rate analysis what type of communications is taking place. Is the session a voice, video, IM, or file transfer? While there are now some security tools available from firms such as Verso Technologies, Packateer, and SonicWall that perform packet inspection to block Skype completely, it would be advantageous to conduct policy on individual Skype sessions, such that Skype voice is allowed, but file transfers are not allowed. Such policy enforcement would allow IT admins to limit the network bandwidth used by Skype, such as allowing voice but blocking Skype video. The ability to conduct allow/disallow policies on individual Skype sessions would make Skype more acceptable in the corporate environment.

Corporate IT departments typically maintain a list of the standard approved applications that can be installed on the desktop. However, regardless of this "sanctioned list" of applications, one of the fastest growing sectors in PC application development is in communications apps such as instant messaging (IM) and peer-to-peer (P2P). One of the jobs routinely performed by the corporate IT department is to scan their users' desktops to ensure that a rogue application hasn't been installed.

Just a few years ago, it wasn't hard to pick out the apps of undesirable status on networked machines. Today, that's just not the case. The distinction between the sanctioned and non-sanctioned app has become blurred. There are now apps routinely installed on the desktop that are considered indispensable tools in the corporate environment, but still cause many a sleepless night for the IT admin. These applications tend to be downloaded and installed by the end user without permission from the IT department and use encryption and obfuscation to stealthily send their packets across the corporate network. In many cases, the IT department is fully aware of these underground, unofficial apps but chooses to allow it because the app has become an indispensable tool. Skype is by far the fastest growing in this category of underground apps. It is tolerated by some IT admins because it has become such a useful corporate tool.

So what can the IT admin do? Blocking Skype outright is downright difficult and extremely unpopular among end users who find it to be a really handy tool. What's needed is the ability to finely manage the Skype application by letting the IT department perform policy on individual Skype sessions, using policy rules that are built using attributes of the Skype session, such as session type (voice, video, IM, file transfer), source, destination, and time of day.

Now that Skype is reaching the mainstream, it has the impetus to keep growing without recognizing the need of the corporate IT admin to build in security checks. Ideally, Skype would recognize this need and develop a corporate-friendly version that allows IT admins to easily detect and conduct policy on Skype sessions. If not, Skype's cat-and-mouse game could result in a very useful app that won't ever be fully welcomed into the enterprise.