Skype has not been cracked. But it is still vulnerable
As well-intentioned hacks go, the claimed 'hacking' of Skype by one Sean O'Neil looks more like a great advert for a programmer's next Black Hat presentation than anything to worry about.
Has Skype been cracked? Far from it. This was the day proprietary VoIP did not die.
His explanation of what he did, and how he did it, rightly points to the secrecy around Skype's encryption design, although at ten years it exaggerates the length of time it has taken for anyone to make headway. Skype was founded in 2003, and I'd argue that it only got seriously clever in its obfuscation with version 3.0 in 2006. At that point not only was its design a mystery, but even sniffing a Skype client on a network became incredibly hard work.
You can read the short explanation from the Skype Reverse Engineering Team for the rather sparse technical details.
What has not been hacked here is Skype encryption per se, so nobody can somehow magically decrypt Skype calls, although you would have thought that was possible from some of the press coverage. What is at issue is the design of its encryption scheme and which bits of the program use which form of encryption and in what way. That is what is meant by the ominous use of the term 'Skype protocol'.
But here's the bad news. Even without any of this theoretically clever but practically useless work, Skype is vulnerable to other, far simpler hacks which do reveal the entire contents of any conversation carried out using it. Some of this is years old.
Travelling back to 2006, readers with longer memories will recall the Skype login stealer, a piece of malware that set out to pilfer a user's Skype credentials. This could be used to access a user's Skype account although not easily to listen in on conversations. I'd still count it as a pretty neat Skype hack that goes nowhere near tangling with 256-bit AES or RC4.
Better still, not long after came the Skype cop Trojan, a program commissioned by one or more European police forces to monitor conversations made from the PCs of individuals under surveillance. The method of that attack was simple: get the Trojan onto the PC and record conversations, sending the data as audio files to remote servers.
Fearful that the technique could be used by criminals as well as police (it certainly could), the program's creator subsequently released the source code under a GPLv3 license in the hope that this would allow counter-measures to be taken against his work. None of that would stop someone from writing a different and new Skype-listening Trojan, of course.
Skype is probably too secretive about what it does, but let's remember why it is this way. It is used by some of its users to evade, or attempt to evade, surveillance in countries not noted for allowing free speech, including some which buy a load of technology from large US companies. None of what we have heard in recent days compromises that.
It is also the case that Skype does not want to reveal too much about itself in case that aids attempts by large telcos to block its traffic for commercial reasons.
What is cracking here is not Skype as a secure program but the forcefield of secrecy, nay mystique, that has surrounded it. Skype should probably nudge that process along, as it has promised to do in the past. That is the lesson if there is any. Do the right thing before someone does it for you.