German Govt. Skype Interception Trojans Revealed

James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."

It's NOT the german gov,...

[TransEurope]

it's the bavarian government, a federal state of germany.

http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102375/;words=Skype [heise.de]
http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102485/;words=Skype [heise.de]

Skype is not securely encrypted.

[WK2]

Skype is not securely encrypted. The only client is closed source, and the protocol is not open, nor peer-reviewed. The developers themselves have said that security analysts would probably quickly find holes if they opened the source.

It is less likely that thieves and spies, etc, will be able to eavesdrop on your Skype conversations than with a plain old phone. But don't treat it as secure communications.

http://en.wikipedia.org/wiki/Skype [wikipedia.org]

Re:Man-in-the-middle against SSL?

[Raven42rac]

mac spoofing, arp poisoning, dns spoofing, and a fake certificate

Re:The classic /. question.....

[maxwell demon]

According to http://www.esrockt.com/bayerntrojaner-hoert-skype-gespraeche-ab/ [esrockt.com] (German language), it only works on Windows.

Re:Man-in-the-middle against SSL?

[Anonymous Coward]

It would only require substituting your certificate for the certificate of the site they are trying to connect to. Then you make your own connection to the site and pass data between it and the client.

Usually this can be detected because the certificate is not going to match the remote site. However, it depends on how Skype is implemented. Skype may not check that the cert matches or maybe if the snoopers were somehow able to get a valid cert from one of the trusted CA's then the user would never know.

Generally speaking most developers implement their crypto poorly and it wouldn't surprise me if Skype has problems.

In this case it sounds like they are doing stuff locally on the client machine (via trojan) so they pretty much have free reign to do anything. I don't even know why they would need to do a man-in-the-middle attack.

Maybe, but...

[TransEurope]

...they were never hired by the CIA/NSA. They were all hired by the German Government to found the Bundesnachrichtendienst (Germany's Federal Secret Service) and the MAD (Military Counter Intelligence Service) in 1956 ;-)

Re:Skype is not securely encrypted.

[WK2]

It's nice that Skype is at least smart enough not to use DES, or ROT-13. AES is good encryption.

Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling. I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.

I couldn't agree with you more.

However, there was an "independent" review of Skype, which I understand was able to review the source code.

You put "independent" in quotes. After reading the pdf you linked to, I could see why. From the pdf:

You may imagine my delight when, in April 2005, Skype contacted me and invited me to compete for the job of performing an independent evaluation of Skype information security

Skype thinks they are hiring an independent evaluator? I wonder how many independent evaluators they had to go through before they found one who was confident in Skype's security, so that they could display how secure they are.

So to summarize, we have:

+ Skype uses a good, open, proven (no exploits yet) cryptographic algorithm
+ No security flaws have been found in Skype
+ Some guy who works for Skype testifies that Skype is good, solid code (it's worth something)
- The implementation is closed-source. Skype even goes so far as to obfuscate their code
- No independent evaluations have been done on Skype's source code
- Skype does not know what an independent evaluation is

I would recommend against using Skype if security is an issue.

Re:Skype is not securely encrypted.

[PGillingwater]

Yes, I did quote "independent", because of the conditions under which the inspection was made.

However, before everyone rushes to judgment -- the guy who did the evaluation appears to have impressive credentials for assessing the effectiveness of implementation of encryption algorithms.

Check out his page: http://www.anagram.com/berson/ [anagram.com]

In my opinion, as a crypto dilettante, this guy Tom Berson is the real deal.

Of course, Skype showed him selected parts of the code, which may or may not be in the final product. I think the more rational among us who are interested in secure communications will generally sacrifice convenience (which Skype clearly offers) for security, and use another product which may be peer reviewed. It's also interesting to follow the money -- perhaps we could look into why eBay paid US$2.6 billion for Skype, then two years later wrote off US$1.43 billion -- one wonders if there is some US government interest served by a large USA corporation having control over the closed-source Skype code.

Having said that, I am still a heavy Skype user, and will continue to use it, as it is sufficient for my needs.