A vulnerability in Skype that could be used for eavesdropping has been discovered and described by Reddit user “Ponkers“. He explains it this way: “All you need is Skype on two

[of your own] devices, call someone with one, then disconnect it from the net as it’s ringing. Their phone will now call you back on your other device, camera, mic and all.”

Detailed graphic of Skype Interruptus [Image:Ponkers/Reddit]

 

Ponkers’ description may not be that clear, and the cute graphic may not help, so I’ll try to explain it again. Use Skype on your phone AND on your computer, logged in on both devices, then place a Skype call to a different party with Skype on their Android phone.  Before they answer, drop the Internet connection on the device you originated the call from (such as turning on airplane mode). The recipient device may try to automatically reconnect by calling you back, your second device can now answer the call and the recipient will not realize they are connected to you.

Ponkers explained the first time it happened to him:  “I called my fiance in the states, I’m in the UK currently. My internet connection died on my PC as it was ringing and I immediately got a call back from her on my tablet from her tablet.
It was a confusing couple of minutes before I worked out she not only wasn’t in the room, but had no idea I could see her room through the camera.”

The vulnerability occurs because the recipient (aka “victim”) of the original Skype call has not answered the call yet, but their device takes on the role of the initiator in trying to re-establish connection, unbeknownst to them.

Similar to butt-dialing or pocket-dialing, where a redial has accidentally occurred, this sets up a potential eavesdropping situation. The recipient of the call will not realize the return call was placed, the mic and camera could be turned on just as if they had intentionally made the call.

As an eavesdropping technique, it is not without it’s problems. The victim, if looking at their phone, will be able to see that the Skype app is running and in a call. They will also be able to see who the call is from, and it will be logged as well.

As far as we know, this has only been confirmed to occur with calls to Skype on Android.

There are numerous other VOIP providers with smart phone apps that might show similar vulnerabilities, I’m sure someone will be testing them soon. To protect yourself, be wary of any odd activity or calls appearing in your history log, such as calls from unknown persons, or multiple calls from the same person with times that do not seem right. And, as with all communications devices, pay attention to your device activity, especially VOIP apps. If you don’t need the apps, disable or remove them.

 

[Read more: Reddit article   Gadgets.NDTV.com article  Android Police article]