Chinese Skype Client Hands Confidential Communications to Eavesdroppers
This Wednesday, Information Warfare Monitor published damning evidence showing that TOM-Skype, the version of the voice and chat program distributed in China, not only blocks keywords from chat conversations but also spies on and remotely reports the contents of Skype users' private text conversations. This directly contradicts Skype's previous assurances that "full end-to-end security is preserved and there is no compromise of people's privacy", even on the customized Chinese client.
This special breached version of Skype, distributed by the Chinese portal company TOM Online, has long been known to block certain contentious phrases from instant message conversations. Research by IWM's Nart Villeneuve shows that when these keywords are mentioned in conversations, the client software also sends an encrypted message to one of eight remote servers hosted in China.
Due to poor security on these servers, Villeneuve was able to uncover what was being sent: extensive logs on user activity, including archives of more than 166,000 censored messages from 44,000 users.
The TOM-Skype client was introduced as part of a business deal between Skype's parent company, eBay, and the Chinese Internet company. Skype has denied involvement in TOM's additions to their core client software, but it was well aware that TOM had introduced censorship features into the Chinese Skype client. At that time it asserted that its users' privacy was nonetheless secure. We now know that Skype is in no position to make that assurance.
This breach is not an isolated Chinese problem. All Skype users are affected; conversations will be monitored even if only one side of a conversation is using the Chinese client. As of June 2007, there were 42 million registered users of TOM's compromised client, increasing at a rate of 70,000 new users per day. Anyone communicating with those millions will find their communications monitored and potentially reported to an unknown third party, even if they are not using the TOM client themselves.
What can Skype do? While it might disclaim responsibility, arguing that this political spyware was not directly written by its own coders, the company is directly implicated by its close relationship with TOM. When Chinese visitors go to the Skype homepage, they are redirected to a page offering a download of TOM's compromised client version. TOM's Skype page in turn indicates that TOM's version is an authorized Skype product for Chinese users. Skype does not warn its visitors of the differences between the non-Chinese client and TOM's client, and has made no effort to pro-actively monitor what differences there are, or convey the implications of those differences to users.
Villeneuve spent many hours decoding the extra packets to understand what was going on: Skype's own engineers could surely have spotted this behavior in seconds. Instead, an eBay spokesman said that the software's behaviour was "changed without [its] knowledge or consent and [it is] extremely concerned."
At a minimum, eBay can show its commitment to "the security and privacy of [its] users" by terminating its relationship with TOM and withdrawing TOM's permission to use eBay trademarks. It should no longer redirect to TOM, instead presenting an eBay-developed Chinese-localized version of Skype. It should also prominently warn its own users of the dangers of talking to those using the compromised client. It should attempt to obtain binding assurances from TOM that all copies of the logged data have been destroyed, and should advise all affected users whether this has taken place.
In the meantime, if you want to chat securely, consider using Off-the-Record Messaging (OTR) on another instant messaging network. OTR is a publicly audited security protocol that does not depend on a third party. It can run on a number of different instant messaging networks, and is implemented by a range of software products on MacOS, Windows, and Linux. For more peace of mind, use OTR in conjunction with open source products like Pidgin, Miranda or Adium. The code of open source software is available for examination by anyone, which minimizes the possibility of a government trojan being inserted into the final downloadable version. OTR will not prevent governments from monitoring the destination of instant messages, but it will protect the contents of your messages.
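As an added illustration of that last point (example code written for this page, not OTR's implementation and not code from Skype, eBay or TOM): a toy relay that scans chat payloads for blocked keywords, modelled on the behaviour described above, and a stand-in for end-to-end encryption built from HMAC-SHA256. The blocklist is constructed, and the shared key is assumed to have been established already (OTR does this with its own authenticated key exchange). Running the same message through the relay in the clear and then encrypted shows that the relay still records who is talking to whom both times, but can file a keyword report only for the cleartext copy.

```python
import hashlib
import hmac
import secrets

# Constructed keyword list standing in for a censor's blocklist (hypothetical values).
BLOCKLIST = {"tiananmen", "falun", "democracy"}


def relay(sender, recipient, payload, log):
    """Model of a keyword-scanning relay. It always records the route (who is
    talking to whom) and files a report when a blocked word appears in the payload.
    The payload itself is forwarded unchanged."""
    log.append(("route", sender, recipient))
    text = payload.decode("utf-8", errors="replace").lower()
    if any(word in text for word in BLOCKLIST):
        log.append(("report", sender, recipient, payload))
    return payload


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a stream cipher (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(shared_key):
    """Derive separate encryption and MAC keys from the shared secret."""
    enc = hmac.new(shared_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt(shared_key, plaintext):
    """Encrypt-then-MAC with a fresh random nonce; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(shared_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(shared_key, blob):
    """Verify the tag in constant time before decrypting; reject any alteration."""
    enc_key, mac_key = _subkeys(shared_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def compare(message, sender="alice", recipient="bob"):
    """Send the same message through the scanning relay once in the clear and once
    end-to-end encrypted, and summarise what the relay was able to learn."""
    shared_key = secrets.token_bytes(32)  # assumed: already agreed by both ends
    log = []
    relay(sender, recipient, message.encode("utf-8"), log)
    delivered = relay(sender, recipient, encrypt(shared_key, message.encode("utf-8")), log)
    recipient_read_ok = decrypt(shared_key, delivered).decode("utf-8") == message
    return {
        "routes_seen": sum(1 for entry in log if entry[0] == "route"),
        "reports_filed": sum(1 for entry in log if entry[0] == "report"),
        "recipient_read_ok": recipient_read_ok,
    }


if __name__ == "__main__":
    print(compare("Let us talk about Tiananmen tonight"))
```

The relay's `route` entries are the metadata OTR cannot hide: a network operator still sees sender, recipient and timing. Only the cleartext pass yields a `report`, because the encrypted payload contains no matchable words; the recipient, holding the shared key, still reads the message intact, and any byte altered in transit fails the tag check rather than decrypting to garbage.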
(Villeneuve also found logs containing information about users' Skype voice calls, including times and destination usernames and numbers. There is no indication that the contents of Skype voice calls themselves were recorded or transmitted. Because Skype's audio encryption protocol remains secret, however, we have only eBay's assurances of its invulnerability to external surveillance. From now on, users may have less reason to trust the company's word on matters of privacy or security without external confirmation.)