Slashdot Mirror

← Back to Stories (view on slashdot.org)

Eavesdropping On Google Voice and Skype

Posted by Soulskill on from the can-i-hear-you-now dept.

Simmons writes with news of research that demonstrated vulnerabilities in Skype and Google Voice that would have allowed attackers to eavesdrop on calls or place unauthorized calls of their own. "The attacks on Google Voice and Skype use different techniques, but essentially they both work because neither service requires a password to access its voicemail system. For the Skype attack to work, the victim would have to be tricked into visiting a malicious Web site within 30 minutes of being logged into Skype. In the Google Voice attack (PDF), the hacker would first need to know the victim's phone number, but Secure Science has devised a way to figure this out using Google Voice's Short Message Service (SMS). Google patched the bugs that enabled Secure Science's attack last week and has now added a password requirement to its voicemail system, the company said in a statement. ... The Skype flaws have not yet been patched, according to James." Reader EricTheGreen contributes related news that eBay may sell Skype back to its original founders.

19 of 62 comments (clear)

  1. Not nearly as interesting as you'd expect by BadAnalogyGuy · · Score: 4, Interesting

    Unlike security vulnerabilities that gain access to your files and keyboard, this only gets access to your phone calls. This means that the hackers would need a very powerful machine to both monitor and save important calls and a means of automating the scanning of calls.

    It's simply not cost effective to listen in on every call. It's much better to gain file or keyboard access and let Perl scan the logs for interesting data.

    1. Re:Not nearly as interesting as you'd expect by Anonymous Coward · · Score: 5, Funny

      Surely it would be trivial to pipe the calls through some voice recognition software? Then do a text search for 'credit card', 'creedal car', and maybe 'cricket Karl'.

    2. Re:Not nearly as interesting as you'd expect by Jurily · · Score: 2, Insightful

      It's simply not cost effective to listen in on every call.

      It's most likely not every call. Just by those on the List.

    3. Re:Not nearly as interesting as you'd expect by RulerOf · · Score: 3, Interesting

      It's most likely not every call. Just by those on the List.

      Now that you mention it, I actually pay $5 a month for an identical service from a company called Callwave, and their voicemail transcription services aren't 100% unlimited unless you pay for a pretty high tier of service. Ironically, the voicemails that I choose to have the service transcribe for me are actually the ones a thief would want most.

      This kind of attack into a voice portal is nothing new. I sat down with a fellow who owns a business VoIP telephony service and he showed me how he could alter his outgoing caller ID info to get into my voicemail directly from his telephone keypad... which makes it very easy to get into password-less voice portals/mail systems. Their voice portal requires a password, now that I think of it.

      --
      Boot Windows, Linux, and ESX over the network for free.
  2. Believe it or not by Landak · · Score: 5, Insightful

    Believe it or not, Skype carries the second largest number of international calls in the world, second only to AT&T. With a volume like that, you'd imagine that any potential vulnerability may well find someone interested in applying it, very quickly. Like, for instance, the NSA...

    --
    My UID is prime. Is yours?
    1. Re:Believe it or not by CRCulver · · Score: 5, Interesting

      Skype has already been accused of having a half-assed approach to security in order to appease government agencies. It's a pity that there's no widely available encrypted voice applications. A decade ago when the nerd community was toying with PGPfone, it seemed like widespread encrypted telephony was right around the corner. Ekiga announced encryption for the 3.0 release, but then quietly buried those plans, and as nice as it is to have easy encryption in Pidgin, the app remains limited to text chat.

    2. Re:Believe it or not by Wowsers · · Score: 4, Insightful

      Luckily* for Linux and Skype users, Skype hasn't been updated in about 2 years, and definitely no 64 bit version. So the vulnerability will be there for who knows how long until Skype (or is it eBay) gets their finger out of their backside and gives Linux/Skype users a better deal.

      * Being sarcastic

      --
      Take Nobody's Word For It.
  3. Unsurprising by Alcoholist · · Score: 4, Insightful

    Anyone expecting privacy on these systems is a fool. It's not like either of these companies is regulated in any way, to say nothing of the fact they provide their services over the Internet which you only have read /. for a day to know is not secure.

    --
    Bibo Ergo Sum.
    1. Re:Unsurprising by Anonymous Coward · · Score: 2, Insightful

      Anyone expecting privacy on these systems is a fool.

      Maybe, but not for the reasons you give. You just have to look at AT&T to realize that regulation doesn't give you privacy. And providing a service over the Internet doesn't automatically makes it not secure. Security is a layer that you add if you want it, see SSL for an example.

    2. Re:Unsurprising by Samschnooks · · Score: 5, Funny

      Anyone expecting privacy on these systems is a fool. It's not like either of these companies is regulated in any way, to say nothing of the fact they provide their services over the Internet which you only have read /. for a day to know is not secure.

      Exactly. The same goes for traditional cell service. Why just the other day, I was in the grocery store and someone was yacking away about some big business deal in the bread isle. I sat there "shopping" while this guy was talking about financing, etc, etc, etc...

      Then, I moved over to the soda isle, this young chicky apparently was having boyfriend troubles and I offered to help but she got all indignant and looks at me like I was a perv or something.

      Then, over in the fish isle, this middle aged guy was trying to figure out if he should get the Salmon or the Trout and asking his wife, I think, which should he get. I told him the Trout. Great stuff. Again the funny looks! I don't get it?

      The bread isle, this person was pushing their cart talking away and I answered - god I hate those blue tooths! Same thing - weird looks!

      I won't tell you about the guy on the street talking really loudly but without and Bluetooth or Cell - he asked me for money.

      What was this again about privacy and phone calls? I forgot what we're talking about.

    3. Re:Unsurprising by Anonymous Coward · · Score: 2, Insightful

      In a used book store, perhaps 8 years ago, I held a conversation with the gentleman next to me for 5 minutes. Then he walked away and kept talking on his phone.

      People who talk on cell phones while being checked out are rude. The cashier is a person and deserves the currtacy of your attention over anyone on a phone conversation.

      Using a cell phone in public is rude.

      Texting/emailing while anyone is talking to you is rude unless they are dictating the contents of the message.

      I'm guilty of talking and emailing when I should be carefully listening to another person.

    4. Re:Unsurprising by BrokenHalo · · Score: 2, Informative

      I'm guilty of talking and emailing when I should be carefully listening to another person.

      So am I from time to time, though I usually prefer to let the phone just ring out. The person to whom you're talking is left with a much more favourable impression, and voicemail does the rest.

    5. Re:Unsurprising by mattwarden · · Score: 3, Insightful

      > Anyone expecting privacy on these systems is a fool. It's not like either of
      > these companies is regulated in any way

      Amen. As we know, telephone companies that area regulated would never compromise their users' privacy.

      Oops!

  4. Nerdy solution by Wowsers · · Score: 4, Funny

    For a minute there I thought there was a problem, but nerds have no friends so nobody calls you on Skype anyway.

    --
    Take Nobody's Word For It.
  5. Re:Skype back to the founders? by Bert64 · · Score: 2, Interesting

    Skype would be worse than the phone companies, because it is controlled centrally by a single organization... At least there are multiple phone companies, they follow standards and you can interoperate between them.

    A phone company's monopoly in a particular area is often unavoidable due to the cost of laying physical cables, a monopoly of skype is just completely ridiculous and inexcusable.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  6. Cloud apps improve security by Alascom · · Score: 5, Insightful

    Once again, we see that cloud apps like Google's Grandcentral have a real benefit to security, despite the sensationalist scare mongering.

    When a bug in a cloud based application is identified, it can be patched quickly, in a single location, and the bug disappears. The same cannot be said of locally installed apps (exchange servers, etc) that take years for companies and administrators to eventually get the patches installed.

  7. Re:Skype back to the founders? by RobertM1968 · · Score: 3, Interesting

    In the US, I was not aware there were multiple phone companies. Wow, you learn something new every day. Last I heard, there was "The Bell Companies" (under a plethora of names - yet still really one massive interrelated entity).

    ATT/Bell/Verizon

    Then... there are a bunch of phone service resellers; who sell either access onto Bell's phone network (they dont own their own after all) via their POC routers, or Bell's; followed by VOIP providers who still largely have to have their calls transferred onto the Bell phone network for delivery to the non VOIP caller (ie: VOIP->landline call or landline->VOIP call).

    And even long distance calls via a carrier that has their own lines, still gets transferred to the local lines, computers and telco switches for delivery to the home(s).

    So, as far as I can see, it's VOIP->VOIP that's the only other option to not going through the one telco monopoly in this country.

    --
    StarTrekPhase2 - The Five Year Mission Continues!
  8. Re:Skype back to the founders? by Bert64 · · Score: 3, Insightful

    Google talk interoperates with other services using XMPP - a published standard... I can talk to google users without having to use their service. People can *choose* to use google's servers and accept the inherent risks, or they can choose not to and still communicate with the same people. I choose not to use their service, but i talk to a few google talk users.

    Skype doesn't interoperate with anything, you have to use their service and their client. Once you have sufficient users locked in to the service, using a competitor becomes pointless because everyone you want to talk to is only contactable using skype, at which point they can screw up however they want.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  9. Re:Skype back to the founders? by Bert64 · · Score: 2, Informative

    There is a world outside of the US...

    You are also thinking of fixed line phones, many people use cellphones for general voice calls these days too.

    Here, i have 5 mobile operators to choose from with their own networks (and multiple resellers) and 2 fixed line providers (as well as countless resellers)... Because fixed lines cost more to roll out (ie a monopoly is pretty much unavoidable), the incumbent suppliers are heavily regulated to avoid gouging consumers.

    If you want competitive voip, try finding a provider that supports SIP... You can call between sip providers for free as it's pure ip, calling non sip lines has a cost imposed by whatever telco they hand off to.

    If you want to call from skype to someone using a different voip service, you're likely to pay termination charges as the call gets routed out via a telco network and back, there is no interoperability with skype.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!