The growing use of free internet telephony software from Skype Technologies could soon create the same security challenges posed by other peer-to-peer technologies, say security experts.
The warnings come after the disclosure of two critical flaws in Skype’s software, one of which could allow malicious hackers to take control of compromised systems. Fixes for both problems have been released, the company says.
Skype, which eBay acquired in september in a US$2.6 billion (NZ$3.7 billion) deal, offers downloadable software that lets PC users make free internet telephone calls to one another and low-cost calls to telephone users.
Luxembourg-based Skype claims more than 61 million registered users. About 30% of that total use the software for business purposes, it says.
Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma in Switzerland, cited two problems created by the spread of Skype in corporate settings.
“The major one is around availability,” he says. “Skype can use a lot of network bandwidth, which may interfere with business applications and services.” Wuchner-Bruhl says another problem with Skype is that it’s a security threat. He notes that “every nonstandard application can add unnecessary risks to your environment.”
Gartner suggested in an advisory that eBay’s purchase of Skype could trigger development investments to make Skype more suited for corporate use.
In the meantime, Gartner advises business users to refrain from using “voice services based on proprietary protocols like Skype while on corporate networks, because of network security issues.”
There are several reasons for such concerns, according to industry experts. “Skype is VoIP on steroids”, capable of punching holes through many typical corporate network defences, says Tom Newton, product manager at SmoothWall, a vendor of firewall and other security products in Leeds, England.
Like other peer-to-peer technologies, Skype allows its users to establish direct connections with one another.
Skype is also “port agile”, meaning that if a firewall port is blocked, Skype will seek other open ports to establish a connection, Newton says.
As a result, Skype could provide a back door into otherwise secure networks for Trojans, worms and viruses, Newton says.
It could also provide a channel for corporate data to be freely shared among users without any security considerations, he says.
Skype uses a proprietary protocol instead of standard protocols, such as the Session Initiation Protocol, used by vendors of commercial voice-over-IP products. Thus there may be “unknown vulnerabilities” in Skype, says John Pescatore, an analyst at Gartner.
So far, there have been no major attacks directed against Skype. But its growing installed base will inevitably make it a hacker target, according to analysts.
As a result, companies need to keep a close eye on both the sanctioned and the nonsanctioned use of Skype on their networks, Pescatore says.