Slashdot Mirror


Eavesdropping On Google Voice and Skype

Simmons writes with news of research that demonstrated vulnerabilities in Skype and Google Voice that would have allowed attackers to eavesdrop on calls or place unauthorized calls of their own. "The attacks on Google Voice and Skype use different techniques, but essentially they both work because neither service requires a password to access its voicemail system. For the Skype attack to work, the victim would have to be tricked into visiting a malicious Web site within 30 minutes of being logged into Skype. In the Google Voice attack (PDF), the hacker would first need to know the victim's phone number, but Secure Science has devised a way to figure this out using Google Voice's Short Message Service (SMS). Google patched the bugs that enabled Secure Science's attack last week and has now added a password requirement to its voicemail system, the company said in a statement. ... The Skype flaws have not yet been patched, according to James." Reader EricTheGreen contributes related news that eBay may sell Skype back to its original founders.


  1. Not nearly as interesting as you'd expect by BadAnalogyGuy · · Score: 4, Interesting

    Unlike security vulnerabilities that gain access to your files and keyboard, this only gets access to your phone calls. This means that the hackers would need a very powerful machine to both monitor and save important calls and a means of automating the scanning of calls.

    It's simply not cost effective to listen in on every call. It's much better to gain file or keyboard access and let Perl scan the logs for interesting data.

    1. Re:Not nearly as interesting as you'd expect by RulerOf · · Score: 3, Interesting

      It's most likely not every call. Just by those on the List.

      Now that you mention it, I actually pay $5 a month for an identical service from a company called Callwave, and their voicemail transcription services aren't 100% unlimited unless you pay for a pretty high tier of service. Ironically, the voicemails that I choose to have the service transcribe for me are actually the ones a thief would want most.

      This kind of attack into a voice portal is nothing new. I sat down with a fellow who owns a business VoIP telephony service and he showed me how he could alter his outgoing caller ID info to get into my voicemail directly from his telephone keypad... which makes it very easy to get into password-less voice portals/mail systems. Their voice portal requires a password, now that I think of it.

      --
      Boot Windows, Linux, and ESX over the network for free.
    2. Re:Not nearly as interesting as you'd expect by Anonymous Coward · · Score: 1, Interesting

      Seriously, though even if your voice recognition software just looked for digits and then passed off segments of conversation that included a long string of digits to a human for further analysis. You'd get a lot of false positives (phone numbers, etc) but you'd at least exclude most casual conversations. If you want to data mine more accurately, just look for exactly 16 digits given over N seconds and make sure they form a valid CC with check digit, etc.
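The check-digit test mentioned in the comment above is the same one a transcription service can apply defensively, to mask card numbers before voicemail transcripts are stored. This is an added example, not part of the thread; the spoken-digit vocabulary, function names and sample transcript are assumptions.

```python
import re

# Spoken digits a transcription engine might emit (assumed vocabulary).
WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
         "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
# Words, single digits, and sentence punctuation; spaces and dashes are skipped,
# so "4111-1111 1111 1111" stays one run while "," or "." ends a run.
TOKEN = re.compile(r"[A-Za-z]+|\d|[.,;:?!]")


def luhn_ok(digits):
    """Luhn check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def redact_cards(transcript, length=16):
    """Return (redacted_text, hit_count) for Luhn-valid runs of `length` digits."""
    runs, cur = [], []
    for m in TOKEN.finditer(transcript):
        tok = m.group()
        digit = tok if tok.isdigit() else WORDS.get(tok.lower())
        if digit is not None:
            cur.append((digit, m.start(), m.end()))
        elif cur:
            runs.append(cur)
            cur = []
    if cur:
        runs.append(cur)
    hits = [r for r in runs if len(r) == length
            and luhn_ok("".join(d for d, _, _ in r))]
    for r in reversed(hits):  # right to left so earlier offsets stay valid
        transcript = transcript[:r[0][1]] + "[REDACTED]" + transcript[r[-1][2]:]
    return transcript, len(hits)


# Constructed transcript: one card-network test number, a phone number,
# and a 16-digit order number that fails the check digit.
SAMPLE = ("Hi, it's Dana. My card is 4111 1111 1111 1111, expires soon. "
          "Call me back on 555 0100. The order number is 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(redact_cards(SAMPLE))
```

The phone number and the order number survive because the first is not 16 digits long and the second fails the check digit, which is the false-positive filtering the comment describes.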

  2. Skype back to the founders? by linhares · · Score: 1, Interesting
    Well, if Skype is going back to the founders, I guess that's good. eBay never did anything really interesting with it anyways. I don't understand why skype let other social networking sites (yes, that's what skype is, and it fosters an even closer-knit community than facebook or others ever will, as people actually _talk_ to others, as opposed to poking them.

    What I would like to see would be a tight integration of skype, facebook, and google contacts. In android phones or in the iPhone our contacts info is all here and there, scattered all around. I'd love to see a contact, then immediately know through facebook what they're up to, then either call, email, or skype, if human contact is desirable or unavoidable. In any case, skype has been held back for years and years, and I hope that it will eventually bring down the phone companies to being what they truly are: dumb pipes providing internet access.

    1. Re:Skype back to the founders? by Bert64 · · Score: 2, Interesting

      Skype would be worse than the phone companies, because it is controlled centrally by a single organization... At least there are multiple phone companies, they follow standards and you can interoperate between them.

      A phone company's monopoly in a particular area is often unavoidable due to the cost of laying physical cables, a monopoly of skype is just completely ridiculous and inexcusable.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Skype back to the founders? by RobertM1968 · · Score: 3, Interesting

      In the US, I was not aware there were multiple phone companies. Wow, you learn something new every day. Last I heard, there was "The Bell Companies" (under a plethora of names - yet still really one massive interrelated entity).

      ATT/Bell/Verizon

      Then... there are a bunch of phone service resellers, who sell either access onto Bell's phone network (they don't own their own after all) via their POC routers, or Bell's; followed by VOIP providers who still largely have to have their calls transferred onto the Bell phone network for delivery to the non-VOIP caller (i.e., VOIP->landline call or landline->VOIP call).

      And even long distance calls via a carrier that has their own lines still get transferred to the local lines, computers and telco switches for delivery to the home(s).

      So, as far as I can see, it's VOIP->VOIP that's the only other option to not going through the one telco monopoly in this country.

  3. Re:Believe it or not by CRCulver · · Score: 5, Interesting

    Skype has already been accused of having a half-assed approach to security in order to appease government agencies. It's a pity that there's no widely available encrypted voice applications. A decade ago when the nerd community was toying with PGPfone, it seemed like widespread encrypted telephony was right around the corner. Ekiga announced encryption for the 3.0 release, but then quietly buried those plans, and as nice as it is to have easy encryption in Pidgin, the app remains limited to text chat.

  4. Re:Believe it or not by Anonymous Coward · · Score: 1, Interesting

    It is possible, though, that the NSA, fearing that Ekiga will become popular for security-conscious VOIP users, is forcing the Ekiga team to not include it at all, but simply keep delaying it, under threats of death or imprisonment.