Security Risks & Vulnerabilities in Skype

Security risks & vulnerabilities in Skype Kelum Senanayake

Skype proclaims that it provides a secure method of communication. Hundreds of millions of people have chosen to use Skype, often on the basis of this assurance. This presentation discusses some security risks and vulnerabilities of Skype.

Transcript of Security Risks & Vulnerabilities in Skype

Page 1: Security Risks & Vulnerabilities in Skype

Security risks & vulnerabilities in Skype

Kelum Senanayake

Page 2: Security Risks & Vulnerabilities in Skype

Introduction

Skype proclaims that it provides a secure method of communication.

Hundreds of millions of people have chosen to use Skype, often on the basis of this assurance.

But there are some security risks and vulnerabilities in Skype.

Page 3: Security Risks & Vulnerabilities in Skype

The user interface does not display a "real Skype username" in the contact list

Skype's interface relies on the use of full names on the contact list rather than unique user names.

This makes it easy to impersonate other users and introduces substantial security risks.

Average users are easily tricked as a result.

Page 4: Security Risks & Vulnerabilities in Skype

Skype's software downloads are not delivered over an HTTPS / SSL connection

Downloads may be tampered with by a third party.

China has been known to produce its own Trojan-infected version of Skype.

Users are exposed to interception, impersonation and surveillance.

Page 5: Security Risks & Vulnerabilities in Skype

Skype could provide a backdoor entry

Skype allows users to establish direct connections with each other.

It's also "port agile"

− If a firewall port is blocked, Skype will look around for other open ports that it can use to establish a connection.

If you put Skype behind a firewall or NAT layer, 99% of the time it will work without any special configuration.

Skype could provide a backdoor entry into secure networks for Trojans, worms, and viruses.

It could also provide a channel for corporate data to be freely shared between users without any of the usual security considerations.
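The "port agile" behaviour described on this slide leaves a recognisable trace in firewall logs: several denied ports between two hosts, then an allowed connection on a different port. The following detection sketch is an added example, not part of the original presentation; the log format, the sample lines, the function names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the presentation). Assumed line format:
# <ISO timestamp> <ALLOW|DENY> <source IP> <destination IP> <destination port>
SAMPLE_LOG = """\
2011-10-31T09:00:01 DENY 10.0.0.5 203.0.113.9 23456
2011-10-31T09:00:02 DENY 10.0.0.5 203.0.113.9 41000
2011-10-31T09:00:03 DENY 10.0.0.5 203.0.113.9 52344
2011-10-31T09:00:05 ALLOW 10.0.0.5 203.0.113.9 443
2011-10-31T09:01:00 ALLOW 10.0.0.7 198.51.100.4 443
2011-10-31T09:02:00 DENY 10.0.0.8 198.51.100.20 25
2011-10-31T09:02:30 ALLOW 10.0.0.8 198.51.100.21 80
this line is malformed and is skipped
"""

def parse(log_text):
    """Return time-ordered (time, action, src, dst, port) tuples, skipping bad lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("ALLOW", "DENY"):
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1],
                           parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue
    return sorted(events)

def find_port_hopping(events, min_denied_ports=3, window=timedelta(seconds=60)):
    """Flag an allowed connection that follows denials on several other ports
    between the same two hosts inside the window (thresholds are assumptions)."""
    denied = defaultdict(list)  # (src, dst) -> [(time, port)] of recent denials
    findings = []
    for ts, action, src, dst, port in events:
        key = (src, dst)
        denied[key] = [(t, p) for t, p in denied[key] if ts - t <= window]
        if action == "DENY":
            denied[key].append((ts, port))
            continue
        ports = sorted({p for _, p in denied[key]} - {port})
        if len(ports) >= min_denied_ports:
            findings.append({"src": src, "dst": dst, "denied_ports": ports,
                             "allowed_port": port, "time": ts.isoformat()})
        denied[key].clear()
    return findings

if __name__ == "__main__":
    for hit in find_port_hopping(parse(SAMPLE_LOG)):
        print(hit)
```

A finding here only means that a host kept trying ports until one worked; it does not identify the application, so it is a lead for follow-up rather than proof of Skype use.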

Page 6: Security Risks & Vulnerabilities in Skype

Skype's proprietary protocol

Skype uses a proprietary protocol instead of a standard one such as SIP.

This makes it an unknown from the point of view of the vulnerabilities that might be there.

Every nonstandard application can add unnecessary risks to your environment.

In the end, no one really knows everything that is built into such an application.
