Speculation over back door in Skype
According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.
This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary's press spokesman was brief, "Skype does not comment on media speculation. Skype has no further comment at this time." There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.
There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.
Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were, however, contradicted by other attendees.
In contrast to statements from the interior ministry, the meeting was not attended solely by technical staff; those present included lawyers, regulatory experts and staff at the regulator. Neither were the ministry representatives mere technicians, rather they were high-ranking officials in management positions. They demanded from the ISP representatives present an "Austrian industry solution" for accessing data traffic. They called for ISPs to allow the interior ministry to install network bridges and Linux computers in their network centres. These would be used to copy and filter data traffic and forward it to the interior ministry via an encrypted connection. To facilitate filtering, ISPs should assign fixed IP addresses to customers being monitored.
it was made clear that should ISPs oppose these demands, monitoring legislation would be revised at some future time-point to prescribe the use of the ETSI ES 201 671 Version 3.1.1. monitoring standard. This would be legally binding and would require significantly more time and effort and be more expensive to implement. The reason given for not updating the legislation right away was that, in view of the present absence of terrorist activity, it would not currently be possible to mobilise political support for such a move. The officials are reported to have made clear that they were well aware that their monitoring plans would only catch the more gauche end of the criminal spectrum. Professionally organised criminals would utilise encryption algorithms that would not allow easy decryption.
It was also put about that two major ISPs had already succumbed to this pressure. The network bridges requested by the interior ministry have reportedly already been installed on their systems. This was confirmed by both companies, off the record. UPC/Inode was willing to "definitively deny" that a network bridge had been installed on its network and stated that there were also no plans to do so. Monitoring was carried out in individual cases only and only when instructed by a court order.
According to Mobilkom Austria, "the authorities have no access and will not be granted access." Likewise its fixed line affiliate Telekom Austria. Mobilkom has informed heise online, that, in response to a court order, on a single occasion it stored the total data traffic for one customer over a number of days and forwarded it to the police. In such cases, the interior ministry now wants to replace the use of physical media, with the inevitable delays this entails, with an encrypted connection. ISPs will, however, remain responsible for separating the monitored data stream from overall traffic.
For reasons of redundancy, Mobilkom's network does not have a central point from which all traffic can be accessed. Because the plan has now been made public, the money-saving idea of assigning fixed IP addresses to customers who are to be monitored is unlikely to be able to be implemented. More expensive solutions are likely to be required, though it remains unclear who will bear the ensuing costs.
(Daniel AJ Sokolov)