Skype failing on security, says Network Box

Businesses using the Skype voice over IP (VoIP) system are being warned of the security implications.

Managed security firm Network Box has published a white paper on Skype VoIP security, which says firms could be compromised by a hacker or a malicious employee.

Skype has recently increased its marketing efforts to target businesses, instead of relying on the consumer market to drive sales.

The firm's efforts have not been helped, however, by the severe network outage Skype users suffered over two days last week (17 August), when a software problem prevented users from logging into their accounts.

In the white paper "Skype: Friend or Foe", Network Box claims that Skype can leave organisations open to backdoor vulnerabilities, eavesdropping and even bugging.

It also says that Skype has many benefits for end users, including excellent sound quality and ease of use. It notes that conversations are encrypted using AES, a high-level algorithm that affords a high level of privacy.

However, Simon Heron, managing director of Network Box, claims it is not as safe as it could be.

Heron said, "Skype can bypass firewalls, network address translation, and proxies. Because it uses peer-to-peer technology, it is difficult to isolate. Its code is a black box, making it the perfect back door."

Another issue is that Skype has a number of features that prevent debugging. For instance, it will not launch if the SoftICE debugger is present.

Also, the protocol used by Skype is proprietary and not obvious, which means it is difficult to distinguish bad behaviour from good. This makes it difficult to control, manage and monitor, which is problematic as many financial regulations require customer conversations to be recorded.

Heron said, "Skype undoubtedly offers significant benefits to end-users, but it is important to mitigate the risks associated with running the system. Skype offers significantly more security than conventional analogue or ISDN voice communications, but less security than VoIP systems running over virtual private networks."

The firm announced its intention to improve the security of its identity authentication process, to make sure users knew for certain they were talking to the person they were told they were.
