Skype has rewritten the VoIP rules. In fact some see Skype as being VoIP on steroids. Tom Newton, product development manager at SmoothWall, examines the security implications of trusting Skype in the corporate environment.

VoIP has hit the headlines in recent months and while some stories have focused on the ways in which the technology is proliferating throughout the commercial world, other perhaps more alarming articles have touched on the security risks. Whilst these reports haven't quite hit levels of mass hysteria, and coverage has, by and large, been fuelled by vendor hype, the discussion surrounding VoIP security has merit.

Although the underlying technologies of VoIP have been around almost as long as IP and implementations have existed for many years, it is only now that usage is extending from intra-office systems to worldwide usage both commercially and privately. To this extent,VoIP is an immature technology.

Until commerce relies on a system, it is unlikely to be adequately tested. Before the World Wide Web was a commercial prospect it was held together by software that would now be viewed as somewhere between quaint and crazy.

VoIP has matured but is yet to really be tested. In addition a number of companies have begun offering gateway services from plain old telephone systems (POTS) to VoIP and vice versa, greatly enhancing its functionality and assisting quick take-up.

VoIP is an immature technology emerging into an increasingly hostile world, but there's little we can do about this. In a world where agility and time-to-market routinely come before cost and security, the roll-out of new technologies is as inevitable as the change of season.

IT security professionals would urge caution in a situation such as this - watch the early adopters and you might just avoid getting burned.Why this article? Surely this situation is sufficiently commonplace as to render it uninteresting? Perhaps it is, until you consider Skype.

Skype re-writes VoIP rules

Skype is VoIP on steroids. Even before eBay's muscle backed the telecom company, Skype swept all before it, becoming the de facto standard in a short space of time. The reasons for this are more than merely good timing.

The Skype client is 'free', at least to the extent that it costs no money. This, plus cross-platform compatibility, good voice quality and a range of peripheral services such as Skype Out have helped the software client to over 247 million downloads.

Other than its ubiquity, there are other interesting, and in some cases slightly disturbing, features of Skype.

One of the reasons Skype is so easy to use is that it works on almost any network, even behind a NAT or firewall with no special configuration. Such NAT traversing peer-to-peer activity is almost impossible to detect or block, especially when you factor in the encryption of Skype data.

Any network administrators reading should be worried at this point. Without resorting to client-side restrictions, Skype is very difficult to stop; layer 7 blocking may be effective, but this is rarely black and white.

Skype transfers information, including file transfer and instant messages, both in and out of the corporate network, unchecked, unrestricted and encrypted. Security professionals should be pulling their hair out because of this and there should be P45s in waiting for any IT administrator who hasn't recognised this issue.

Secrecy poses questions

Other concerns with regards to this technology stem from the closed nature of Skype's protocol. Its website gives little away and few know in detail the internal workings of Skype. It just works, apparently. This poses a number of problems.

Firstly, because Skype may route your calls through untrusted hosts, your data must be encrypted. Even if this were not the case, it is likely that you'd wish to secure your data. The encryption scheme used is, to all intents and purposes, untested. Bruce Schneier, one of the most respected security authorities, suggests that the best thing you can say about an encryption scheme is:'We can't break it.'

This is even better if other clever people can't break it either. However the encryption used in Skype is afforded little of the rigorous academic and commercial review of, say, AES or other freely examinable algorithms. Similarly the underlying peer-to-peer systems are unknown.

How peers, through which your data are routed, are chosen remains unknown. It is not impossible that a wily attacker might exploit bugs or nuances in routing to their own ends. Study of Skype's protocol for any purpose is expressly forbidden in the licence, which does not inspire confidence.

Secondly, closing the protocol necessitates closing the client. This may not appear to be a significant issue, but in this instance it means that the only skype clients are Skype clients (if you follow my capitalization). This represents a problem akin to that experienced by Microsoft Outlook users some years ago - the evolutionary 'dead-end' that is a homogeneous environment.

With one dominant client, the first email worms spread rapidly and caused significant damage. Similarly, Internet Explorer's dominance gave it a high profile to would-be attackers. Once a security flaw is found in Skype (and anyone who believes any software other than 'Hello World' is immune from security flaws has been watching cartoons), it is exploitable worldwide.

In terms of worms and viruses, this is write once, execute anywhere. Admittedly email worms have calmed somewhat, and are now more reliant on wetware flaws (human error) than bugs in a particular software client, but email is a much more mature technology.

Worms,Trojans and viruses, however, have also matured. Expect increasingly sophisticated tricks as PCs are 'owned' by hackers.

This 'one client' approach not only forcibly widens a user's circle of trust (those entities in which a user is willing to entrust their security), but it adds a well-known trouble-causer to the list. eBay, Skype's $2.5 billion new owners, have a less than exemplary record with regard to their handling of user data.

Existing articles have already flagged this salient point, but if you wish to talk with other 'skypers', you’re going to have to agree to eBay's terms. How its policies will stack up outside the US remains to be seen. Many businesses would rather pay for a client and gain the support of a commercial product.

By agreeing to the licence, you also 'grant permission for the Skype Software to utilize the processor and bandwidth of your computer for the limited purpose of facilitating the communication between Skype software users' - a 'limited purpose' with quite a broad remit!

Defend the network

With potential security problems like these, it would be wise to run Skype with caution, if at all. A NAT firewall would mitigate direct attacks against your client or server, for example. Unfortunately some Skype nodes are more vulnerable than others, offering more by way of connectivity to untrusted parties.These are the 'Supernodes', used for routing calls and allowing two NAT restricted 'skypers' to converse.

Any attacker would see a 'Supernode' as an obvious target; after all this is access to a network service, and traditional network services like HTTP, FTP and DNS have always seen huge potential for worms such as code red. HTTP servers are easy to find, but what of Skype 'Supernodes'? The Skype server will, with a little coaxing, happily provide a list of IPs currently known to be running as 'Supernodes'.

This is to allow the NAT-ed Skype client, whose built-in 'Supernode' list is outdated, to easily find a 'Supernode' via which to route calls.This list of easy targets is unavoidable and clearly poses considerable risk.

As Skype gains popularity it will come under greater scrutiny by both the security industry and those with less benign intentions. Threats could range from lawsuits, through misuse akin to the productivity losses incurred by spurious web browsing prior to the introduction of effective content filters and logging, right through to serious security breakdowns.

What can we do about this? Locking down client PCs, limited rollout where necessary and intelligent security polices are among the best defences when implemented with the right perimeter firewall and proxy suite. This technology is inevitable, and it looks like Skype may 'VHS' the world with a possibly inferior, but ubiquitous, cheap and effective product. Don’t say you weren't warned.