Tapping Skype VoIP calls

It was only a matter of time and it is finally here. There is now a program that can listen in on Skype calls. Even though it is called a virus, I think the virus part is just the method of delivery. The program was actually developed by a Swiss programmer (Ruben Unteregger) and he has released the code to the world.

Skype encrypts VoIP calls when they are being transmitted over the network. But this program does not need to break the encryption because it intercepts the traffic before it is even encrypted by Skype. It does not matter how strong the encryption algorithm used by Skype itself is. This is something that I keep mentioning when the topic is SSL/TLS. When SSL/TLS is used, it only provides protection during transit, not at either end of the communication channel. The data still needs to be protected there. It is easy to attack the end points when the data is not encrypted, rather than trying to break the encryption.

Coming back to topic, this program actually hooks into the Windows audio processing functionality, intercepts all the communication traffic and saves them as mp3 files. The mp3 files can be delivered to a specific location controlled by the attacker. Now, this is not a very feasible method for large scale interception for several thousand users. But it can be very useful in targeted attacks of a few individuals. Deliver the program to the target’s computer and wait for the mp3 files to play them back later.

The mp3 files have caller, date, day and time stamps to identify them, and SkypeOut and SkypeIn call designations. Since the code for the program is open-source, it will certainly be modified over time to include efforts to mask these files and also vary the locations. The program also attempts to upload the recordings to pre-defined locations after detecting and attempting to bypass named firewall filters.

This program has apparently been around since at least 2006. I am sure a few governments have looked at this as a law enforcement or even intelligence gathering tool. Skype is quite popular and lots of people use it. I am sure terrorists use Skype too in place of regular phone lines. It is very cheap, mobile and supposedly secure. Anyone can create an account, use it for whatever purpose and discard that account in favor of a new account. But using different accounts from the same computer does not offer any protection if this interceptor program is installed on the computer.

If you use Skype, how do you know if your calls are not monitored? We go back to safe computer use for mitigation. The first thing to know is that the risk of infection is low. This looks more like an espionage tool than a classic virus that infects tens of thousands of users. So, someone should have a reason to target you.

The next thing to look at is how the program gets into your computer. Since the delivery mode in most cases seems to be similar to a virus, the logical thing to do would be to run anti-virus scans. Since this program stores calls as mp3 files, it might be possible to find if you have this on your computer by looking for mp3 files that have the name format mentioned above on your computer and validating them.

The most important thing to remember is that we live in a time when we have to assume that we don’t have any privacy the moment we turn on our computers.

Link to news story:
Wiretapping Skype calls: virus eavesdrops on VoIP