Guest Nemessis

[EN] Possible backdoor in Skype


According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary's press spokesman was brief, "Skype does not comment on media speculation. Skype has no further comment at this time." There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were, however, contradicted by other attendees.

In contrast to statements from the interior ministry, the meeting was not attended solely by technical staff; those present included lawyers, regulatory experts and staff at the regulator. Neither were the ministry representatives mere technicians, rather they were high-ranking officials in management positions. They demanded from the ISP representatives present an "Austrian industry solution" for accessing data traffic. They called for ISPs to allow the interior ministry to install network bridges and Linux computers in their network centres. These would be used to copy and filter data traffic and forward it to the interior ministry via an encrypted connection. To facilitate filtering, ISPs should assign fixed IP addresses to customers being monitored.

It was made clear that should ISPs oppose these demands, monitoring legislation would be revised at some future time-point to prescribe the use of the ETSI ES 201 671 Version 3.1.1. monitoring standard. This would be legally binding and would require significantly more time and effort and be more expensive to implement. The reason given for not updating the legislation right away was that, in view of the present absence of terrorist activity, it would not currently be possible to mobilise political support for such a move. The officials are reported to have made clear that they were well aware that their monitoring plans would only catch the more gauche end of the criminal spectrum. Professionally organised criminals would utilise encryption algorithms that would not allow easy decryption.

It was also put about that two major ISPs had already succumbed to this pressure. The network bridges requested by the interior ministry have reportedly already been installed on their systems. This was confirmed by both companies, off the record. UPC/Inode was willing to "definitively deny" that a network bridge had been installed on its network and stated that there were also no plans to do so. Monitoring was carried out in individual cases only and only when instructed by a court order.

According to Mobilkom Austria, "the authorities have no access and will not be granted access." Likewise its fixed line affiliate Telekom Austria. Mobilkom has informed heise online that, in response to a court order, on a single occasion it stored the total data traffic for one customer over a number of days and forwarded it to the police. In such cases, the interior ministry now wants to replace the use of physical media, with the inevitable delays this entails, with an encrypted connection. ISPs will, however, remain responsible for separating the monitored data stream from overall traffic.

For reasons of redundancy, Mobilkom's network does not have a central point from which all traffic can be accessed. Because the plan has now been made public, the money-saving idea of assigning fixed IP addresses to customers who are to be monitored is unlikely to be able to be implemented. More expensive solutions are likely to be required, though it remains unclear who will bear the ensuing costs.

Source: http://www.heise-online.co.uk/security/Speculation-over-back-door-in-Skype--/news/111170

Another article that refers to this subject:

Off the cuff remarks by Austrian government officials suggest that Skype conversations might be intercepted.

Speaking at a recent meeting on lawful interception between ISPs and Austrian regulators, an unnamed "high-ranking" official at Austria's interior ministry said that listening into a conversation over Skype presented no particular problems, Heise security reports.

The opinion contrasts with the view of Joerg Ziercke, president of Germany's Federal Police Office (BKA). At a meeting last November Ziercke said that the inability to decipher the encryption used by Skype in order to intercept VoIP calls had become a problem in counter-terrorism investigations. Weeks after this, leaked documents outlining plans by German firm Digitask to develop software to intercept Skype VoIP communications and SSL transmissions, along with related costing and licensing proposals, surfaced through Wikileaks.

Skype runs using a proprietary protocol. Unlike Phil Zimmermann's Zfone project, for example, its source code has not been publicly released. So even though Skype has commissioned security experts to audit its technology (which incorporates trusted encryption techniques, such as Advanced Encryption Standard, to encrypt conversations and RSA for key negotiation) doubts have remained.

For example, security experts Philippe Biondi and Fabrice Desclaux have voiced concerns that Skype has the keys to decrypt calls or sessions, a claim Skype denies.

Access to such keys would provide backdoor access to conversations but it's worth remembering, as is the case with warrants for regular phone conversations, that law enforcement agencies are more often interested in knowing who an investigative target is talking to than what they are saying. Skype offers confidentiality, but it makes no claims of offering anonymity.

For example two years ago, a fugitive chief exec was tracked to Sri Lanka after his location was given away by a conversation made using Skype. Papers on tracking anonymous peer-to-peer VoIP traffic provide clues on how this might have been accomplished. ®

Source: http://www.theregister.co.uk/2008/07/25/skype_backdoor_rumours/
