Topic: Skype & firewalls (Read 3039 times)

sevenlayermuddle · « **on:** February 13, 2013, 11:49:51 PM »

Interested to discuss the security risks of Skype.

I tend to take pride in my zero-tolerance firewall approach to incoming traffic, and would like to believe that anything unsolicited was blocked at the router. But recently a visitor to my home, to whom I granted the WiFi key, was able to receive a video call using Skype. Since my router was entirely 'locked down', firewall active with no exceptions, I was surprised that worked.

If I now understand correctly, the reason it 'worked' is that Skype sends a few packets over UDP which, being connectionless, is very difficult for the router's firewall to selectively block. The router's response then is to enable UDP traffic to the NAT address that initiated the dialogue, thus making a mockery of my supposed firewall rules. Since subsequent UDP traffic can then penetrate the router's firewall, anybody why can find a (for example) buffer overflow vulnerability in the connected equipment can run their wicked software on my network, long after the Skype call has ended.

Or habe I miss understood something? And does anybody else worry? And if not, should they?

burakkucat · « **Reply #1 on:** February 14, 2013, 12:22:12 AM »

I think that Skype's ability to 'breach' a firewall is also connected with that other security risk, UPnP.

A good place to start investigations would be Steve Gibson's site and H D Moore's research paper.

tickmike · « **Reply #2 on:** February 14, 2013, 01:01:18 AM »

Skype defaults to port 80 HTTP and 443 HTTPS which are normally open

Edit
http://www.theregister.co.uk/2003/10/08/how_does_skype_get_through/

sevenlayermuddle · « **Reply #3 on:** February 14, 2013, 08:26:35 AM »

Interesting comments, Messrs Mike & Cat.

HD Moore's paper looks fascinating and I look forwards to reading it in detail. Gut reaction though, is to smugly report that I've so far stuck to my guns with uPNP, and disabled it. That is one reason I was surprised that Skype seemed to work unhindered.

The Reg article is nice too, and I now wonder if I'd initially mis understood. However, even if it works as described, it seems to involve a TCP connection being established with an arbitrary Skype supernode. I understand anybody's home PC can act as a Supernode so, in other words, I am connecting to some random PC, with no knowledge of what AV that PC may have installed, or whether the owner is competent to look after it. That is scary too, is it not

I won't embarass my guests by disallowing network access, but before their next visit I may be reviewing some of the file sharing features between machines on my network, by which anything nasty often tries to spread....

burakkucat · « **Reply #4 on:** February 14, 2013, 08:39:04 PM »

My only other comment, regarding 'The Reg' article, is that it was written some years ago. Granted, Skype has probably not changed its fundamental mode of operation but I have a niggling thought that things may have changed since the article was written . . . $:-\$

As for UPnP, it is one of those 'facilities' that I automatically disable on any modem/router device that is used as the gateway between by LAN and the Internet at large.

News:

Author Topic: Skype & firewalls (Read 3039 times)

sevenlayermuddle

Skype & firewalls

burakkucat

Re: Skype & firewalls

tickmike

Re: Skype & firewalls

sevenlayermuddle

Re: Skype & firewalls

burakkucat

Re: Skype & firewalls