Slashdot Mirror


Eavesdropping On Google Voice and Skype

Simmons writes with news of research that demonstrated vulnerabilities in Skype and Google Voice that would have allowed attackers to eavesdrop on calls or place unauthorized calls of their own. "The attacks on Google Voice and Skype use different techniques, but essentially they both work because neither service requires a password to access its voicemail system. For the Skype attack to work, the victim would have to be tricked into visiting a malicious Web site within 30 minutes of being logged into Skype. In the Google Voice attack (PDF), the hacker would first need to know the victim's phone number, but Secure Science has devised a way to figure this out using Google Voice's Short Message Service (SMS). Google patched the bugs that enabled Secure Science's attack last week and has now added a password requirement to its voicemail system, the company said in a statement. ... The Skype flaws have not yet been patched, according to James." Reader EricTheGreen contributes related news that eBay may sell Skype back to its original founders.

5 of 62 comments (clear)

  1. Not nearly as interesting as you'd expect by BadAnalogyGuy · · Score: 4, Interesting

    Unlike security vulnerabilities that gain access to your files and keyboard, this only gets access to your phone calls. This means that the hackers would need a very powerful machine to both monitor and save important calls and a means of automating the scanning of calls.

    It's simply not cost effective to listen in on every call. It's much better to gain file or keyboard access and let Perl scan the logs for interesting data.

    1. Re:Not nearly as interesting as you'd expect by RulerOf · · Score: 3, Interesting

      It's most likely not every call. Just by those on the List.

      Now that you mention it, I actually pay $5 a month for an identical service from a company called Callwave, and their voicemail transcription services aren't 100% unlimited unless you pay for a pretty high tier of service. Ironically, the voicemails that I choose to have the service transcribe for me are actually the ones a thief would want most.

      This kind of attack into a voice portal is nothing new. I sat down with a fellow who owns a business VoIP telephony service and he showed me how he could alter his outgoing caller ID info to get into my voicemail directly from his telephone keypad... which makes it very easy to get into password-less voice portals/mail systems. Their voice portal requires a password, now that I think of it.

      --
      Boot Windows, Linux, and ESX over the network for free.
  2. Re:Believe it or not by CRCulver · · Score: 5, Interesting

    Skype has already been accused of having a half-assed approach to security in order to appease government agencies. It's a pity that there's no widely available encrypted voice applications. A decade ago when the nerd community was toying with PGPfone, it seemed like widespread encrypted telephony was right around the corner. Ekiga announced encryption for the 3.0 release, but then quietly buried those plans, and as nice as it is to have easy encryption in Pidgin, the app remains limited to text chat.

  3. Re:Skype back to the founders? by Bert64 · · Score: 2, Interesting

    Skype would be worse than the phone companies, because it is controlled centrally by a single organization... At least there are multiple phone companies, they follow standards and you can interoperate between them.

    A phone company's monopoly in a particular area is often unavoidable due to the cost of laying physical cables, a monopoly of skype is just completely ridiculous and inexcusable.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  4. Re:Skype back to the founders? by RobertM1968 · · Score: 3, Interesting

    In the US, I was not aware there were multiple phone companies. Wow, you learn something new every day. Last I heard, there was "The Bell Companies" (under a plethora of names - yet still really one massive interrelated entity).

    ATT/Bell/Verizon

    Then... there are a bunch of phone service resellers; who sell either access onto Bell's phone network (they dont own their own after all) via their POC routers, or Bell's; followed by VOIP providers who still largely have to have their calls transferred onto the Bell phone network for delivery to the non VOIP caller (ie: VOIP->landline call or landline->VOIP call).

    And even long distance calls via a carrier that has their own lines, still gets transferred to the local lines, computers and telco switches for delivery to the home(s).

    So, as far as I can see, it's VOIP->VOIP that's the only other option to not going through the one telco monopoly in this country.