Sunday, April 29, 2012

Skype IP addresses - in the clear







The security forums and blogosphere have been buzzing for the past few days with an 'undocumented feature' of Skype: the ability to discover the internal and external IP addresses of any Skype account currently logged in. I don't mean people on your buddy list - I mean ANYONE!

Knowledge of this is critical if you use Skype in any situation where your location needs to remain secure, or simply if you are interested in personal privacy.

I've tested this and it does what it says on the tin. I was able to extract the external and internal IPs of a friend in the US to within a few miles of his house, a buddy in Asia to within a few streets and my own to just a few miles down the road. More concerningly, the internal IP combined with the internet-facing address provides the basis for a direct probe and then attack of any individual on Skype's global address book.

The details seem to have come initially from Russian hackers and appeared on PasteBin on April 26th, but there is a site which will do it all for you. I won't copy the whole thing, as there is a Perl script to assist with parsing the logs, but here is the gist:-

http://pastebin.com/rBu4jDm8

1. Download this patched version of Skype 5.5:
http://skype-open-source.blogspot.com/2012/03/skype55-deobfuscated-released.html

2. Turn on debug-log file creation by adding a few registry keys.
https://github.com/skypeopensource/skypeopensource/wiki/skype-3.x-4.x-5.x-enable-logging

3. Perform the "add a Skype contact" action, but do not send the add request; just click on the user to view his vcard (general info about the user). This will be enough.

4. Take a look in the log for the desired skypename.
The record will be like this for the real user IP: -r195.100.213.25:31101
And like this for the user's internal network card IP: -l172.10.5.17

21:16:45.818 T # 3668 PresenceManager: aїљ noticing skypetestuser1 0x3e54a539a91a19fc-s-s65.55.223.23:40013-r195.100.213.25:31101-l172.10.5.17:22960 23d23109 82f328ff

5. Catch user via whois service.
http://nic.ru/whois/?query=195.100.213.25

This helps you to get info about the Skype user: city, country, Internet provider and internal user IP address.
I don't want to overstate this, but this is a big deal.
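To see what a record like the one above gives away about your own client, here is an added example (not from the original post or the PasteBin script) that reads the -r and -l fields, classifies each address, and masks them before a debug log is shared. The sample line is reconstructed from the record quoted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the record quoted above, minus the garbled bytes that
# follow "PresenceManager:" in the extracted text.
SAMPLE = (
    "21:16:45.818 T # 3668 PresenceManager: noticing skypetestuser1 "
    "0x3e54a539a91a19fc-s-s65.55.223.23:40013"
    "-r195.100.213.25:31101-l172.10.5.17:22960 23d23109 82f328ff"
)

# Field tags as the page gives them: -r = real (external) address,
# -l = address of the internal network card. The port is optional because
# the page also shows -l without one. The -s field is not explained on the
# page, so it is left alone here.
FIELD = re.compile(
    r"-(?P<tag>[rl])(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d{1,5}))?"
)


def exposed_endpoints(line):
    """Return {tag: (ip, port, scope)} for the -r/-l fields of one record."""
    found = {}
    for m in FIELD.finditer(line):
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # e.g. an octet above 255: not a usable address
            continue
        # "private" means non-routable special-purpose space (RFC 1918 etc.)
        scope = "private" if ip.is_private else "public"
        port = int(m["port"]) if m["port"] else None
        found[m["tag"]] = (str(ip), port, scope)
    return found


def redact(line):
    """Mask the -r/-l address fields so the log line can be shared."""
    return FIELD.sub(lambda m: f"-{m['tag']}[redacted]", line)


if __name__ == "__main__":
    for tag, (ip, port, scope) in exposed_endpoints(SAMPLE).items():
        print(f"-{tag}: {ip} port={port} scope={scope}")
    print(redact(SAMPLE))
```

Note that the internal address in the sample record, 172.10.5.17, lies outside the RFC 1918 block 172.16.0.0/12, so it is classified as public address space rather than private.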

There is also a web site now if you don't want to bother with the log route - http://skype-ip-finder.tk/. Just type in your target's Skype name and bingo, the IPs are even helpfully linked to! It only seems to return an address if the user is currently online; it does not provide the last known address. Please be cautious with this URL: I have not tested it for a browser payload etc. and wouldn't be surprised if something nasty awaits! Using it on a VM would be advisable.

Also, if you are going to try the patched Skype, be 'super' cautious; some users have reported having their Skype accounts terminated.

I appreciate that Skype is both free and P2P, meaning that IPs are often visible when in a conversation, file transfer etc., but at least you are in a conversation with a 'known' person. This technique can be used by, and against, anyone with a Skype account, regardless of whether they are a buddy.

I hope that Skype take a serious look at this; simply proxying contact requests would likely solve it, which wouldn't be awfully hard for them. I for one really appreciate the Skype service and use it daily; however, I live in nice, reasonably safe England, not one of the many countries where it is used for secure comms, free from Government intervention. For them alone, this needs to be solved.