When Skype launched on 29 August 2003, it is fair to say that it was one of the most important moments in the history of communication. As hyperbolic as it may seem to equate the launch of Skype with the invention of the printing press by Johann Gutenberg in 1450, the first long distance phone call made in 1884 or the first mobile phone call made in 1973, there is no question that Skype revolutionised the way the world was connected and heralded an era where geographical distance no longer meant being unable to see and talk to your friends and family.
Considering its popularity among all strata of society, from grandmothers trying to contact their grandchildren travelling the world to activists seeking to contact journalists on the other side of the globe, security is obviously a hugely important factor for a lot of its users.
Is Skype Safe?
The simple answer is not really, but there are a lot of things to consider before you decide if Skype is a safe enough platform for you. Here we will walk you through how Skype works, what the service claims about its security and what we know about vulnerabilities in that system. We will also look at five alternative services which offer better security and could replace Skype as your primary VoIP tool.
How Does Skype Work?
Skype is a service which allows smartphone, tablet and PC users around the world to communicate with fellow Skype users via video or voice. The service also allows Skype users to connect via voice with landlines and mobile phones for a fee, and it has built-in instant messaging and file transfer features.
The system requires users to download a piece of software to use the service, which is available on Mac and Windows PCs, as well as through apps for iOS and Android devices.
What Happens When I Register?
When you set up a Skype account your username and password are stored both on the device you create the account on and on Skype’s servers. This is done to allow for call recipients to be authenticated and to assure that callers seeking authentication are accessing a Skype server rather than an impostor.
Skype Uses Encryption
According to Skype’s own website: “All Skype-to-Skype voice, video, file transfers and instant messages are encrypted. This protects you from potential eavesdropping by malicious users.” For each call you make, your Skype client creates a unique 256-bit AES encryption key for that session. This session key exists as long as communication continues and for a fixed time afterward, according to the company. When you place a call, Skype transmits the session key to the person you are calling and that session key is then used to encrypt messages in both directions.
But Not Everything Is Encrypted
While Skype-to-Skype calls are encrypted, if you use Skype to call mobile phones or landlines (which many people do in order to take advantage of much lower rates, especially to overseas numbers) the part of your call that takes place over the ordinary phone network (PSTN) is not encrypted. For example, in a group call involving two users on Skype-to-Skype and one user on PSTN, the PSTN part is not encrypted, but the Skype-to-Skype portion is.
Skype Records Your History
By default Skype will record details about all calls (though not the calls themselves) and store them in a “History” file which resides on the user’s device. While this in and of itself is not a problem, if the security of your computer, smartphone or tablet is compromised then the attackers will be able to access its contents.
However, all these issues are rendered somewhat pointless in light of several recent revelations.
Microsoft pinging URLs
In 2013 an Ars Technica investigation found that Skype “regularly scans message contents for signs of fraud, and company managers may log the results indefinitely. And this can only happen if Microsoft can convert the messages into human-readable form at will.”
Part of the investigation, in which a security researcher created specially crafted URLs and sent them over Skype’s IM system, counters Skype’s claims made in 2007 that it couldn’t conduct wiretaps because of strong encryption and complex peer-to-peer network connections.
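The crafted-URL test described above works as a privacy check on any messaging channel: send a URL containing an unguessable token, never open it, and watch the web server log for requests that neither party made. The following is an added example, not code from the Ars Technica investigation or from this article; the host name, log format and addresses are constructed assumptions.

```python
import re
import secrets

CANARY_HOST = "canary.example.test"  # assumption: a web host the tester controls

# Common Log Format prefix: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def make_canary_url(label):
    """Return (token, url). The token is unguessable, so a request for it can
    only come from someone who read the message that carried the URL."""
    token = secrets.token_urlsafe(16)
    return token, f"https://{CANARY_HOST}/{label}/{token}"

def find_unexpected_hits(log_lines, tokens, expected_ips):
    """Return log entries that request a canary token from an address that is
    neither the sender's nor the recipient's."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore malformed lines
        segments = m.group("path").split("?", 1)[0].split("/")
        token = next((s for s in segments if s in tokens), None)
        if token and m.group("ip") not in expected_ips:
            hits.append({"token": token, "ip": m.group("ip"),
                         "method": m.group("method"), "time": m.group("time")})
    return hits

if __name__ == "__main__":
    token, url = make_canary_url("im-test")
    print("Send this URL in a message and do not open it:", url)
    # Constructed sample log (documentation addresses, not real traffic).
    sample_log = [
        f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /im-test/{token} HTTP/1.1" 200 12',
        f'198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "HEAD /im-test/{token} HTTP/1.1" 200 0',
        '203.0.113.5 - - [01/Jan/2024:10:06:00 +0000] "GET /robots.txt HTTP/1.1" 404 0',
    ]
    for hit in find_unexpected_hits(sample_log, {token}, {"192.0.2.10"}):
        print("Third-party access:", hit)
```

A hit from an address outside the sender and recipient set means some system in the message path could read the URL in plain text.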
Just a couple of months later, Skype’s claims that encrypted communications couldn’t be spied upon were further eroded by revelations made by Edward Snowden, which showed that the National Security Agency had widespread access to voice and video calls on the service which were presumed to be encrypted. Skype began working with the NSA in 2011, before it was acquired by Microsoft, but in recent years the amount of information being collected has tripled and now includes video.
It’s Not Just The US
Prior to Snowden’s revelations, in March 2013, Jeffrey Knockel, a computer-science graduate student at the University of New Mexico, revealed that the special version of Skype which Chinese users are forced to use — known as TOM Skype — was allowing the Chinese government to gather information on its users including information about their political beliefs, as well as censoring what they can say to one another.
In May of the same year, well-regarded Russian publication “Vedomosti” reported that both the national security agency and the police are able to tap Skype conversations without even filing a court order.
But the issues don’t stop at governmental spying. Skype has also been shown to be vulnerable to malware designed to monitor your calls and videos.
As recently as February 2016 researchers at Palo Alto Networks revealed that a piece of malware called T9000 was specifically targeting Skype users. Once installed, the software can record Skype video and audio calls, and upload them along with text chats to a server. There is a caveat, however. Even with the malware installed, the user must still give explicit permission for it to access Skype, though it masks the request so the user doesn’t know it’s malicious. “The victim must explicitly allow the malware to access Skype for this particular functionality to work. However, since a legitimate process is requesting access, the user may allow this access without realising what is actually happening. Once enabled, the malware will record video calls, audio calls and chat messages,” the researchers said.
Sophisticated malware like T9000 has been designed to bypass all the most popular antivirus software, and while it is certainly better to have some antivirus on your PC, it is not a complete solution. One important thing to note is that you should keep your operating system up to date, so that any known vulnerabilities will be patched. If you are using Windows 10, then you can configure security settings to install updates automatically. If you are using Skype on Mac OS X then you can feel somewhat safer due to the fact that there is no known malware which targets Skype on Apple’s computers.
As well as being targeted by malware, Skype has also been used to try and distribute malware. Security firm F-Secure recently revealed that criminals were posing as U.S. officials offering help to Swiss nationals seeking to find information on how to file for visas to visit the United States. Skype has previously been used to distribute adware.
Finding Users’ IP Addresses
Another issue afflicting Skype, and one which has been there since 2010, is the ability to find out someone’s IP address simply by knowing their Skype username. There are dozens of services called Skype Resolvers online which will give you the IP address simply by plugging in the username of the person you are seeking information about.
While an IP address in and of itself may not be hugely valuable, it could be used together with other personal information against someone. One workaround to this is to use a VPN to hide your real IP address.
So, What’s The Alternative?
All-in-all it is safe to say that if you are looking to share market-sensitive information, talk national secrets or even just share personal and valuable information with family and friends, Skype is not the most bulletproof piece of software on the planet. Here are five alternatives which promise a more secure connection.
Built in the post-Snowden reality of mass government surveillance, Tox is a peer-to-peer messaging service which also provides the option for video calling that offers end-to-end encryption. The project states it aims to provide secure yet easily accessible communication for everyone.
Among the features which Tox boasts about on its website are the protection of your metadata (such as your IP address) from everyone except your authorised friends, and making your identity impossible to spoof without possession of your personal private key, which never leaves your computer.
There is the added benefit of Tox being completely free and without any annoying ads to distract you. The downside of this open source software of course is that the interface is not as slick as Skype’s and there are not as many features. While there is an Android version available on Google’s Play Store, the iOS version is still in beta and only available through Apple’s TestFlight service.
Ring is a free piece of software allowing users to make audio or video calls, in pairs or groups, and to send messages “safely and freely, in confidence.”
Developed as an open source project by a community of worldwide developers, it is available on Windows, Mac OSX, Linux and Android, though not on iOS at the moment. The developers say no personal information is ever stored on a central server making it “impossible to create files on users.”
If video is not a necessity then Signal, the chat and voice calling app from Open Whisper Systems, is probably the most secure service available.
Used by the likes of Snowden, security expert Bruce Schneier and renowned cryptographer Matthew Green, the app is available on both iPhone and Android. It allows users to use their own phone numbers and contact books, while encrypting end-to-end the messages and calls you make, including text, picture and video messages.
Open Whisper Systems is a large community of volunteer open source contributors funded by grants and donations, meaning the app itself is free and without ads.
In development since before Skype was launched, Linphone is an open source service for voice and video calling as well as text messaging promising end-to-end encryption for all.
Just like Skype, it is available as a smartphone app on Android, iOS and Windows Phone, as well as through clients for Windows, Linux and Mac OS X. There is the ability to handle multiple calls at once; pause, resume and transfer calls; and you can even merge calls if you want to talk in a group.
For desktop users there is no need to download any software: just log onto the website, connect and start talking. For smartphones there are iOS and Android apps, but the process is much the same.
Talky is developed by a small US software and design company called &yet. In relation to privacy and security, the company says: “We’re not here to sell ads based on your conversations, resell information about you, or keep track of what you do online.”
As well as encrypting all the voice and video conversations between the two sides of the call, the service encrypts all the set-up, call control, and tear down information that your computer sends to the company’s servers — meaning no metadata will leak. While the group calls are slightly less secure, Talky does make it very difficult for anyone to decrypt the content of any calls by storing the encryption keys only in memory or the communications bridge it uses, which is the same as it does for voice and video calls.