Security researchers have revealed a vulnerability that could allow an attacker to identify a person, track their location and monitor their filesharing habits. In a paper titled "I Know Where You are and What You are Sharing: Exploiting P2P Communications to Invade Users' Privacy," the experts draw attention to real-time communication applications such as Skype.
The group discovered how to call Skype users without them realizing, allowing the caller to secretly nab someone's IP address. This is accomplished by blocking certain packets and quickly terminating the call before the recipient is alerted. It can be performed even if the victim is connected behind a NAT firewall or if they specifically block calls from non-contacts.
An IP address can be geolocated with relative precision and many users connect from mobile devices, so an attacker could perform that stealth call and track someone's rough whereabouts over any given duration. The researchers tracked one volunteer from a New York university to Chicago, back to the school and Brooklyn lodging, then to his home in France.
Once you have someone's Skype identity, it's generally not hard to find them on other social platforms such as Facebook or LinkedIn. Among other things, this could reveal more details about your location. "If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when," the authors said.
One could easily discover a victim's name, age, address, profession, employer and more. The researchers specifically noted that this could be abused by marketers to create an inexpensive profile database on targets. They estimated that it would cost a marketer $500 a week or less to track 10,000 users -- but the flaw has deeper implications than that.
In an experiment, the researchers scanned the top 50,000 BitTorrent files and linked 400 Skype users to downloads. Again, Skype users often share their full contact details, including their name and location. We doubt this information would (could?) be used by copyright regulators in court, but plenty of unsavory individuals would surely take advantage.
"We believe this could be used by various people to stalk, blackmail, or defraud Internet users in general and P2P filesharing users in particular," said Keith Ross of the Polytechnic Institute of NYU. "These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services."
"A hacker anywhere in the world could easily track the whereabouts and filesharing habits of a Skype user -- from private citizens to celebrities and politicians." The researchers notified Skype about the issue nearly a year ago but it hasn't been resolved. They plan to present their paper at the Internet Measurement Conference 2011 in Berlin on November 2.