If you listen to Skype officials you will often hear that Skype is so, so secure. Of course that only refers to the encryption of chats and calls. But what about the security of a network you would want to deploy Skype in? There is not much information about what Skype does and does not do - but still there are many companies out there using Skype for their everyday internal calls.

At Black Hat Europe this year in Amsterdam, Philippe Biondi and Fabrice Desclaux presented an analysis of Skype they did for EADS: “Silver Needle in the Skype”.

The hardest part of the analysis was that the complete code of Skype is encrypted and obfuscated; parts of it even seem to be polymorphic. This makes it very hard to find out what the code exactly does, and there might even be spyware code hidden in there. On the network side, Skype produces a good amount of traffic even when no chats are going on, and it works its way around most firewalls. Being p2p software, it connects to a main server only once and then switches to a random Skype client. It seems as if Skype then trusts any counterpart that performs all parts of the communication correctly. The document describes how this could be used to build a “black” network of Skype stations that can be manipulated and spied on.

All in all I don’t think that we will continue to run Skype in our company networks, because I don’t like software that might be doing something it is not intended to. Don’t get me wrong: I don’t think that Skype is bad or trying to inject spyware into every PC it is installed on, but for a company network I don’t like even the remote possibility of this happening - especially as there might be third parties exploiting the system. For private use everyone has to decide how big the risk of compromising the system is; personally I will still use Skype for my overseas calls - but I won’t keep it running all day.