Skype, a security risk for corporate networks?

UPDATED: Skype, like Britney Spears, is everywhere. And just like the queen of the teeny-bopper set, Skype has some major problems. Dmitry Goroshevsky, founder-CEO of Popular Telephony, which has come up with a serverless peer-to-peer VoIP software called Peerio, called me this afternoon, and at the very end of the conversation, he quipped about Skype and how big a security risk it is for corporate networks.

When I pressed him further, he explained that Skype’s best feature, its ability to pass calls through firewalls and Network Address Translation (NAT) systems, is also its Achilles heel. Hackers can use the voice stream (which is nothing but data) to bypass firewalls and create havoc on corporate networks. “You can break the whole corporate network in a matter of minutes,” he said.

Updated 06/23/2004: Karl over at Broadband Reports sent me this link, which explains some of the things we have been talking about.

Mahy thinks the Skype approach is inviting viruses; Zennstrom says this is not possible. According to Zennstrom there is little danger of a call through Skype resulting in a route for a virus because the recipient is told there is a call for him and is asked to call out to meet it. ‘Once my machine is infected with a virus, that virus can do lots of rude things with the Skype API. The virus could call a PSTN toll or international service from my account and leave it up for days. The virus could spam call my entire buddy list a few times an hour. The virus could turn my computer into a remote-control microphone. These are the kinds of issues that IT administrators are concerned about.’

Aswath had written this earlier for VoIP daily:

If Supernodes need to have special capabilities, then it is likely that they will demand some form of compensation. It is not clear whether Skype is set up for this. Additionally, it is not clear how the individual clients are protected from a misbehaving Supernode. It is true that the media is encoded. But the Supernode is involved in the signaling phase. Since the Supernode has network connectivity to the client, it is tempting to use it for extra and unwanted commercial activity. So Skype may deploy their own Supernodes, eliminating one more difference between it and other VoIP providers.

Wow! There go billions of security dollars, bested by a simple piece of software. No surprise, Skype does not talk about this security risk. Not willing to take Dmitry’s word for it, I scrounged for more information, and stumbled onto the CERN website.

Skype P2P telephony software is not permitted on CERN’s computing or network facilities. The privacy policy of Skype violates CERN’s Computing Rules by bypassing firewall protections and offering services to others.

Here is Skype’s privacy policy: From time to time your computer may become a Supernode. A Supernode is a computer running Skype Software that has been automatically elevated to act as a hub. Supernodes may assist in helping other users to communicate or use the Skype software efficiently. This may include the ability for your computer to help anonymously and securely facilitate communications between other users of the Skype Software who, due to network and firewall constraints, cannot establish direct connections.

I am not sure what you make of it, but to me, if it is not good for CERN, then it cannot be good for anyone. I think Skype CEO Niklas Zennstrom is speaking at the SuperNova conference in Palo Alto, California this week. I am going to try and nail him down on this and get more details.