If you have an account with Skype you are at risk of hackers discovering your online location, even if you never log on with the service. If that thought worries you, read on and discover how to protect yourself.
Skype is the undisputed king of voice over IP, text and video chat with over 50 million concurrent users spending a record 2 billion minutes a day on the service (as the blog entry announcing that statistic proudly states, that’s the equivalent of 38 centuries). It’s now such a ubiquitous part of life online I’m willing to bet that most people you know, young and old, have a Skype account. In my own experience my retired neighbour asked for advice last year to connect her home up to broadband specifically to be able to Skype with her son and his family who were moving to Australia. First released back in August 2003, the company has been such a phenomenal success it was purchased by Microsoft in 2011 for $8.5 billion.
With such a fine internet pedigree and in use by so many non-technical people, you would think they have your personal security pretty much sewn up – but that is worryingly not the case. The world’s most popular online telephony tool has a major security flaw that causes it to ‘leak’ your IP address (and so your location) to anyone who attempts to connect to your Skype handle, and you might never even know about it.
The vulnerability is known as a Skype resolver, and it’s been on the radar of hackers (and allegedly Skype themselves) since 2010.
The way it works – in a very dumbed-down nutshell, because we are going pretty deep technically now – is that services running an adapted debugging program (the kind of tool commonly used by web developers to test that the code on their website is working) attempt to add the target Skype username as a contact. When that connection is not completed, the Skype service sends a message back to the caller terminating the connection. Nothing untoward there, BUT as the message is bounced back the Skype resolver program collects a packet of debugging data which contains the target’s IP address – in other words, their exact connection location on the internet. Your IP address is unique to your connection – it’s how all the services you use know where to find you – and once the hackers have it they can use it to launch a DDoS attack (distributed denial-of-service attack), in which an IP address is flooded with data in order to cut off its access to the web or bring a website down.
You might think it’s unlikely that you’ll become a target of this kind of annoying and disruptive attack, but if you have a teenager playing online games in your house there is a growing culture in some circles of playing out rivalries off the virtual battlefield in this way. Businesses can also be at risk, as choking a competitor’s Net connection during key periods could put them at a serious commercial disadvantage. It’s remarkably easy and inexpensive to organise if you know the target address – and thanks to Skype resolvers, that is not a problem. The vulnerability could also help stalkers or corporate spies track a person’s physical movements as they log on from different locations around the world. According to this article by security expert Brian Krebs (which is worth a read if you want more technical detail), there are a growing number of websites offering free Skype resolver look-up services:
Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire that can be rented to launch denial-of-service attacks.
What’s even more sinister is this little detail from further down the page:
Many of these resolver services offer “blacklisting,” which for a fee will allow users to prevent other users from looking up the IP address attached to a specific Skype account, said Brandon Levene, an independent security researcher.
So essentially it is a protection racket – the online equivalent of ‘insurance’ offered by ‘the Mob’.
But before you all rip your Net connections out and go back to banging on drums to talk to your neighbours, there is a solution to the common Skype resolver exploit – it’s just that not many people know about it.
Back in April 2013 Skype launched the 6.5 beta, and it has a fix buried in the connection settings. Rather unhelpfully for the non-techie Skype user, it’s an OPT-IN tick box that instructs Skype to accept direct connections (and therefore reveal your IP address) only from callers who are already on your contact list – so as long as you’re discerning about your online friends you should be OK. Head over to the Skype site and download the FULL version to make sure you’re running the latest beta – but make sure you un-tick all the annoying setup extras if you don’t want to make Bing your default search engine and MSN your homepage [AARGH! Why do you do that, Microsoft!!??]. Once installed, log in to Skype, open up the OPTIONS panel and you’ll find the tick box under ADVANCED > CONNECTION as indicated below – MAKE SURE IT IS TICKED and then click SAVE:
So, if you follow those simple steps and make sure you clear anyone you do not fully trust out of your contacts (the setting only stops people who are NOT on your contact list), you should be protected from the common ‘Skype resolver’ location leak. While you’re at it, knock on your neighbour’s/parent’s/friend’s door and check that they have the vulnerability locked down as well! (And don’t forget to share this article on your social networks!)
Huge thanks to Fhoto for putting me onto this vulnerability and helping me understand the technical details to share with you 🙂 He has kindly offered to reply to any tweets if you have more questions, so send a tweet to @Fhotog.
UPDATE: For Mac users the preference is in a slightly different place… thanks to James Cooper (@jpc101) for discovering and screen capturing it for you below. Make sure the option ALLOW DIRECT CONNECTIONS TO MY CONTACTS ONLY is ticked: