Cybersecurity

Privacy flaws can reveal users’ identities, locations, and digital files

Published 24 October 2011

Researchers will soon notify Internet scholars of flaws in Skype and other Internet-based phone systems that could potentially disclose the identities, locations, and even digital files of the hundreds of millions of users of these systems

Researchers at Polytechnic Institute of New York University (NYU-Poly) and colleagues in France and Germany will soon notify Internet scholars of flaws in Skype and other Internet-based phone systems that could potentially disclose the identities, locations and even digital files of the hundreds of millions of users of these systems.

Their paper, “I Know Where You are and What You are Sharing,” will be presented during the Internet Measurement Conference 2011 in Berlin on 2 November 2011. The authors are Chao Zhang and Keith Ross of NYU-Poly; Stevens Le Blond of the Max Planck Institute for Software Systems (MPI-SWS), Germany; and Arnaud Legout and Walid Dabbous of the French research institute I.N.R.I.A Sophia Antipolis.

An NYU-Poly release reports that Ross, the Leonard J. Shustek Professor of Computer Science at NYU-Poly, explained that the team uncovered several properties of Skype that can be used to track not only users’ locations over time but also their peer-to-peer (P2P) file-sharing activity. Blocking callers or connecting from behind Network Address Translation (NAT), a common type of firewall, does not prevent the privacy risk, he said. The research also revealed that marketers can easily link to information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

“These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services,” said Ross. “A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user, from private citizens to celebrities and politicians, and use the information for purposes of stalking, blackmail or fraud.” Ross explained that these privacy weaknesses are fairly easy to exploit, and that a sophisticated high school-age hacker would likely be capable of executing similar attacks.

The team first observed that with VoIP (Voice and Video over IP) systems, when Alice establishes a call with Bob, Bob reveals his IP address to Alice. Alice can then use commercial geo-IP mapping services to determine Bob’s location and Internet Service Provider (ISP).

The release notes that the team also found that Alice can initiate a Skype call, block some packets and quickly terminate the call to obtain Bob’s IP address without alerting Bob with ringing or pop-up windows. Alice