iSkoot Transmits Your Data In The Clear
Various people are thinking that Skype Mobile is basically an unbranded iSkoot, which does the same thing in much the same way. Generally speaking, they seem to do the same thing, but they do it very differently. Packet traces don’t lie.
I loaded up iSkoot on my Nokia N95 and accessed the iSkoot service via WiFi. I did this so I could capture what the iSkoot client was sending out so I could see the difference. And oh, boy was it different–different enough that I would think twice about using iSkoot.
First of all, Skype appeared to use a TCP connection on a non-standard port. Fine with me. I looked at the raw packets generated by Skype Mobile and saw an opaque blob–exactly what I expected to see.
iSkoot uses TCP port 80–the same port used by HTTP, the lingua franca of downloading web pages. It sends various things as a series of HTTP GET calls. The scary part of this is that your text chat messages–and lots of other interesting information, including your Skype credentials–are being transmitted in the clear. That’s right, iSkoot takes all that perfectly good encryption that Skype employs and throws it out the window. For no good reason.
Until iSkoot fixes this problem–and it would be very easy for them to do so (ever hear of SSL?)–I cannot in good conscience recommend using iSkoot.
Update: Issue is resolved in their latest Symbian/S60 client.

Pingback by Voice of VOIPSA » Blog Archive » Are your Skype username and password completely exposed if you use iSkoot?
[...] a.k.a. “PhoneBoy”, it certainly looks that way. In his post late last night, “iSkoot Transmits Your Data In The Clear“, he discusses his tests of capturing network traffic from both the new Skype for Mobile [...]
Pingback by VoIP Watch: No, Skype Mobile Is Not iSkoot
Comment by matti
Well, unless iSkoot adds their own encryption, of course it uses just raw data from/to the Skype API. It is not part of Skype and has no access to encryption/decryption mechanisms. This is the global problem for third party Skype add-on/plug-in applications in general, which is why I shy away from them all. If Skype were to provide encrypted contents to third party providers, they would also have to provide them with the mechanism for decrypting some of it to operate at all and that is not going to happen in a hurry. Then of course, the original reason why Skype does not run on devices typically using iSkoot falls into one of two categories: either the devices use weird operating systems and/or they don’t have enough hardware resources to run native Skype on them. The latter would also mean that adding any encryption stuff to the device would probably mean that the third party Skype look-alike interface wouldn’t fit on the same devices anymore.
I do fail to see how Skype should be held responsible for it, tho. Seems to me that it is up to the 3rd party provider to provide security for their plugins, don’t you think?
Comment by PhoneBoy
@matti Whether they use Skype’s encryption or not is irrelevant–clearly they gateway the stuff into Skype somehow. However, there’s ZERO reason they couldn’t have used SSL to encrypt this communication. It may not be as good as what Skype does, but 128bit SSL is good enough and well within the bounds of what even the lowest end phone can do these days.
I don’t view Skype as complicit in this at all, it’s iSkoot. However, if Skype operated with open protocols in the first place, third-party workarounds like iSkoot wouldn’t be necessary.
Comment by Mark Jacobstein
Hi Dameon -
I’d like to reassure you and our users that our clients absolutely utilize SSL encryption. iSkoot treats our users’ security with utmost sensitivity, and as indicated on our website, the user’s password is stored on the handset only. Anytime this information is sent to the server, it is 100% SSL encrypted. We never store passwords to the server.
Please also note that iSkoot does not have a WiFi client available on the market. Our clients utilize the mobile voice and data channels only, and users cannot utilize iSkoot over WiFi. If you are running a mobile Skype client via WiFi, you are not using a publicly available iSkoot product. I can also assure you that if we did release a WiFi client to market, our security measures would be equally stringent - we always employ SSL encryption.
Best regards,
Mark Jacobstein, CEO
iSkoot Inc
Pingback by Darla Mack - Nokia S60 News and Reviews: iSkoot Users Beware
Comment by PhoneBoy
@Mark: Please check your facts:
1. The Nokia client is transport agnostic. It runs over WiFi or GPRS/EDGE/HSDPA. As I recall, you have to go to lengths to prevent WiFi from being used.
2. When I did a tcpdump from my WiFi router, I checked all the traffic coming from my Nokia N95. I saw my entire session running over port 80 IN THE CLEAR between my Nokia N95 and an IP address that belongs to iSkoot.
You may have been led to believe that SSL is being used by your client. At least on the Nokia, this is 100% false. If you would like, I am more than happy to provide a packet trace verifying my findings.
Comment by spg
@matti. I do not agree that the reason for using iSkoot instead of Skype has to do with device capabilities. More often it would be because of network conditions that make IP calling of lesser voice quality, if even possible at all; therefore iSkoot (or Skype's own new client) is used to send the calls over the circuit-switched network. Many so-called 3G networks are still not up to the task, and in many places, if available at all. iSkoot works well even on a basic GPRS network.
Pingback by iSkoot and passwords in the clear — Alec Saunders SquawkBox
[...] awoke yesterday morning to mail from PhoneBoy telling me that iSkoot is passing passwords in the clear, unencrypted. He put a packet-trace on his WiFi router, and used the Nokia N95 to access iSkoot via [...]
Pingback by Security flaw on iSkoot: discovered and solved over the weekend | LucaFiligheddu.com
[...] discovered and solved over the weekend The blogsphere jumps in again when it comes to help companies to do a better [...]
Pingback by Warning: iSkoot Security Bug Resolved!
Pingback by Skype Journal
Pingback by Voice of VOIPSA » Blog Archive » Chronology of the blogosphere and iSkoot weekend response to the iSkoot security issue
[...] April 26, 2008 - 4:22am (1:22 Pacific) - PhoneBoy (Dameon Welch-Abernathy) posts his initial report of the [...]
Pingback by Disruptive Telephony
Pingback by iSkoot Pulls S60 Build, Plans To Push Fix 30 April 2008
[...] it was, admittedly, not very nice of me to hand iSkoot a zero-day exploit publicly, on a weekend no less, there was a note on the iSkoot [...]
Pingback by iSkoot Security Flaw Reveals Your Account Credentials
Pingback by How the blogoshpere can help companies improve: iSkoot | Jonathan MacDonald.com
[...] PhoneBoy posted an issue he found under the title ‘iSkoot transmits your data in the clear’ [...]
Pingback by The Mobile Technology Weblog - Main page - Location Based Services and all about Mobile Marketing - mobile technology, trends, technology trends, wireless, mobile marketing, mobile web, mobile internet, mobile 2.0
Pingback by The Wireless Weblog - Main page - Wireless Technology at its best - wifi, wimax, bluetooth, municipial
Pingback by iSkoot Updates Symbian Software, Handles Security Incident Well
[...] Well Posted on May 1st, 2008 by The VoIP Weblog Last week, I discovered-quite by accident-that the version of iSkoot for the Nokia N95 was sending the entire session in the clear. In short, your Skype credentials, and everything you were using iSkoot for on Skype, was being [...]
Pingback by VoIP para novatos - Sólo de Voz sobre IP vive el hombre
Pingback by The VoIP Weblog - Main page - Your idea of Voice over IP - voip, phone, vonage
Pingback by Mobiles