Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1


Ratings: (0)|Views: 61,675|Likes:
Published by TorrentFreak_

More info:

Published by: TorrentFreak_ on Oct 20, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





I Know Where You are and What You are Sharing:
xploiting P2P Communications to Invade Users’ Privacy
In this paper, we show how to exploit real-time communica-tion applications to determine the IP address of a targeteduser. We focus our study on Skype, although other real-time communication applications may have similar privacyissues. We first design a scheme that calls an identified-targeted user
to find his IP address, whichcan be done even if he is behind a NAT. By calling the userperiodically, we can then observe the mobility of the user.We show how to scale the scheme to observe the mobilitypatterns of tens of thousands of users. We also consider thelinkability threat, in which the identified user is linked to hisInternet usage. We illustrate this threat by combining Skypeand BitTorrent to show that it is possible to determine thefilesharing usage of identified users. We devise a schemebased on the identificationfield of the IP datagrams to verifywith high accuracy whether the identified user is participat-ing in specific torrents. We conclude that any Internet usercan leverage Skype, and potentially other real-time commu-nication systems, to observe the mobility and filesharing us-age of tens of millions of identified users.
The cellular service providers are capable of trackingand logging our whereabouts as long as our cell phonesare powered on. Because the web sites we visit see oursource IP addresses and cookies, the web sites we fre-quently visit – such as Google [5] and Facebook [4] – canalso track our whereabouts to some extent. Althoughtracking our whereabouts can be considered a major in-fringement on our privacy, most people are not terriblyconcerned, largely because they trust that the cellularand major Internet application providers will not dis-close this information. Moreover, these large companieshave privacy policies, in which they assure their usersthat they will not make location history, and other per-sonal information, publicly available.In this paper, we are not concerned about whetherlarge brand-name companies can track our mobility, butinstead about whether smaller less-trustworthy entities
The first author contributed to this work while a Ph.D.student at INRIA.
App # Users Dir P2PSkype 560M
MSN Live 550M
QQ 500M
Google Talk 150M
Table 1: Number of users claimed by Skype [11],MSN Live [9], QQ [10], and Google Talk [8] andfor each of these systems, whether it has a direc-tory service and employs P2P communications.
can leveragethe Internet to
periodically track our where-abouts
. Is it possible, for example, for an ordinary userwith modest financial resources, operating from his orher home, to periodically determine the IP address of a targeted and identified Internet user and to link itto this user’s Internet activities (e.g., file sharing)? Wewill show that the answer to this question is yes!Real-time communication (e.g., VoIP and Video-over-IP) is enormously popular in the Internet today. Asshown in Table 1, the applications Skype, QQ, MSNLive, and Google Talk together have more than 1.6 bil-lion registered users.Real-time communication in the Internet is naturallydone peer-to-peer (P2P), i.e., datagrams flow directlybetween the two conversing users. The P2P nature of such a service, however, exposes the IP addresses of allthe participants in a conversation to each other. Specif-ically, if Alice knows Bob’s VoIP ID, she can establisha call with Bob and obtain his current IP address bysimply sniffing the datagrams arriving to her computer.She can also use geo-localization services to map Bob’sIP address to a location and ISP. If Bob is mobile, shecan call him periodically to observe his mobility over,say, a week or month. Furthermore, once she knowsBob’s IP address, she can crawl P2P file-sharing sys-tems to see if that IP address is uploading/downloadingany files. Thus VoIP can
be used to collecta targeted user’s location. And VoIP can
be combined with P2P file sharing to determine what auser is uploading/downloading. This would clearly bea serious infringement on privacy.1
   i  n  r   i  a  -   0   0   6   3   2   7   8   0 ,  v  e  r  s   i  o  n   1  -   1   5   O  c   t   2   0   1   1
Author manuscript, published in "IMC'11 (2011)"
However, for such a scheme to be effective, there areseveral technical challenges:
For a specific targeted individual – such as BobSmith, 28 years old, living in Kaiserslautern Ger-many can Alice determine with certainty hisVoIP ID?
Can Alice determine which packets come fromBob (and thereby obtain his IP address)? Indeed,during call setup, Alice may receive packets frommany other peers. In addition, can Alice call Bobinconspicuously, so that Alice can periodically callBob and get his IP address without Bob knowingit? Finally, can Alice obtain Bob’s address, evenwhen Bob configures his VoIP client to block callsfrom Alice?
If Bob’s IP address, found with VoIP, is the sameas an IP address found in a P2P file-sharing sys-tem, then we cannot conclude with certainty thatBob is downloading the corresponding file, sinceBob may be behind a NAT (with the matching IPaddress being the public IP address of the NAT).Thus, is it possible to verify that Bob is indeeduploading/downloading the files, given that NATsare widely deployed in the Internet?In this paper, using Skype, we develop a measurementscheme to meet all the above challenges. (This maybe possible with other VoIP systems as well, which weleave for future work.) Our main contributions are thefollowing:
We develop a scheme to find a targeted person’sSkype ID and to inconspicuously call this person to find his IP address, even if he is behind a NAT.
By carefully studying Skype packet patterns for aSkype caller, we are able to distinguish packets re-ceived from the Skype callee from packets receivedfrom many other peers. Having identified thesepackets, we extract the callee’s IP address fromthe headers of the packets. Furthermore, throughexperimentation, we determine how to obtain theIP address of the callee fully inconspicuously, thatis, without ringing or notifying the user. Finally,we show that Skype privacy settings fail to protectagainst our scheme.
We show our scheme can be used periodically to ob-serve the mobility of Skype users.
By scaling ourscheme, we demonstrate that Skype does not im-plement counter measures to hinder such schemes.Although there are several challenges to measurethe mobility of a large number of users, we showthat it can be done efficiently and effectively.
We show that the scheme introduces a linkability threat where the identity of a person can be associ-ated to his Internet usage.
We illustrate this threatby combining Skype and BitTorrent to show thatit is possible to determine the file-sharing usage of identified users. One of the challenges here is thata BitTorrent user is often NATed, so that he mayshare his IP address with many other users. Whena common IP address is discovered in both Skypeand BitTorrent, we immediately launch a verifi-cation procedure in which we simultaneously callthe corresponding user and perform a BitTorrenthandshake to the IP address, port and infohash(which identifies the file being shared). We thenuse the identification field of the IP datagrams toverify with high accuracy whether an identifieduser is participating in specific torrents. To thebest of our knowledge, we are the first ones toshow that such a scheme can be used in the wild.In addition to the technical contributions of this pa-per, another contribution is that we are alerting Inter-net users (and the Skype company as discussed in thenext section) of a major privacy vulnerability, wherebytargeted users can have their mobility and Internet us-age tracked. As of May 2011 (more than six months af-ter having notified the Skype company), all the schemespresented in this paper are still valid. We providesome relatively simple solutions so that future real-timecommunication systems can be made less vulnerable tothese attacks.One solution that would go a long way is to designthe VoIP system so that the callee’s IP address is notrevealed until the user accepts the call. With this prop-erty, Alice would not be able to inconspicuously callBob. Moreover, if Alice is a stranger (that is, not onBob’s contact list), and Bob configures his client to notaccept calls from strangers, then this design would pre-vent any stranger from tracking him, conspicuously orotherwise. However, even with this solution in place,any friend of Bob, say Susan, can still call him conspic-uously and obtain his IP address. Susan could be Bob’sspouse, parent, employer, or employee, for example. Itwould be hard for Susan to periodically track Bob thisway, but Susan could still (i) get Bob’s current loca-tion, and (ii) check to see if Bob is downloading contentfrom a P2P file-sharing system. Preventing these at-tacks would require more fundamental changes in theVoIP system (specifically, using relays by default) ormore fundamental changes in the underlying Internetprotocols.This paper is organized as follows. We discuss the le-gal and ethical considerations of this paper in Section 2.In Section 3, we describe our scheme to determine thecurrent IP address of a person using Skype. We thenshow that this scheme can be used periodically to ob-2
   i  n  r   i  a  -   0   0   6   3   2   7   8   0 ,  v  e  r  s   i  o  n   1  -   1   5   O  c   t   2   0   1   1
serve the mobility and file-sharing usage of identifiedusers in Section 4 and 5. Finally, we discuss some sim-ple defenses in Section 6, the related work in Section 7,and we conclude in Section 8.
In this measurement study, all testing involving iden-tified users has been performed on a small sample of volunteers who gave us their informed consent to makemeasurements and publish results. Unfortunately, theinformed consent process for privacy, as for fraud [25],may significantly bias user behavior. For example, in-formed users may stop using Skype or BitTorrent. Forthis reason, we also needed to consider a larger sampleof (anonymized) users in order to accurately assess theamount of personal information that is revealed by anormal usage, e.g., the mobility and file-sharing usageof Skype users. For the sake of privacy, we only storedand processed anonymized mobility and file-sharing in-formation.Based on these arguments, the INRIA IRB approvedthis study. In the following, we describe our motivationto run privacy measurements, the tests that we ran withvolunteers, and the remaining measurements.
 Motivation for Running Privacy Measurements.
Internet users publish a lot of personal informationthat can be exploited in non-trivial ways to invade theirprivacy. Indeed, recent research demonstrates that per-sonal information can be correlated in ways that wouldhave been hard to anticipate [32]. One goal of this studyis to show that any Internet user can leverage popu-lar real-time communication applications to observe themobility patterns and file-sharing usage of tens of mil-lions of Internet users. It is important to give publicvisibility to these privacy issues, as they constitute se-rious invasions into users’ privacy, and can potentiallybe used for blackmail and phishing attacks.
In this study, we have relied on two sets of volunteersfor which we have obtained informed consent. The firstset comprises 14researchfaculty in the CSE departmentat NYU-Poly for which we have attempted to find theSkype IDs.The second set comprises 20 people spread through-out the world (4 in Asia, 2 in Australia, 7 in Europe,and 7 in USA) in cable and DSL ISPs, with 10 usersdirectly connectable and 10 users behind NAT. We de-liberately chose users located in different continents andwith different Internet connectivity to observe a largediversity of user and client behaviors. We have reliedon the second set of volunteers to (
) determine Skypepacket patterns between caller and callee, (
) developand test inconspicuous calling, and (
) evaluate the ac-curacy of mobility measurements. After manual testing,we called each volunteer 100 times and systematicallyobserved one of the three packet patterns described inSection 3 between caller and callee. We also observedthat our inconspicuous calling procedure never notifiedthem about the calls in any way.
 Anonymized users.
We relied on two samples of users for which we didnot store their personal information in this study. Wefirst used a sample of 10,000 random users to quantifytheir mobility. We then used a second sample of 100,000random users that we used to illustrate a linkabilitythreat, where the identity of a person can be associatedto his Internet usage (e.g., file sharing).We always collected the IP addresses of theanonymized users using inconspicuous calls, which wevalidated on the volunteers. Therefore,
no human con-tact was ever made with any of the anonymized users.
Moreover, we processed and stored only anonymized in-formation, e.g., we anonymized all localization informa-tion, downloaded content, and we did not store the IPaddresses. Details of all anonymized information aregiven in Section 4 and 5.
Other considerations.
In order to conform to the responsible disclosure pro-cess, we informed the Skype company of our conclusionsin November 2010. In addition, we did not perform anyreverse engineering on Skype binaries. Finally, our mea-surements generated at most 2
7 calls per second and afew kilobytes of bandwidth per second, so the load thatwe created on the Skype infrastructure was marginal.
In the following, we first describe how to find a tar-geted person’s Skype ID, that is a unique user ID of aperson in Skype. Then, we present our scheme to find,based on a Skype ID, the IP address used by this per-son. We explain how to make this scheme inconspicuousfor the user, and we show that the privacy settings inSkype fail to protect against our scheme.
3.1 Finding a Person’s ID
When creating a Skype account, a user needs to pro-vide an e-mail address and Skype ID. The user is alsoinvited to provide personal information, such as birthname, location, gender, age, and/or website. This infor-mation is recorded in the Skype directory. Therefore, inattempting to define a person’s Skype ID, the obviousfirst step is to input into the directory’s search servicethe person’s e-mail address or birth name.When searching for a birth name, Skype will often3
   i  n  r   i  a  -   0   0   6   3   2   7   8   0 ,  v  e  r  s   i  o  n   1  -   1   5   O  c   t   2   0   1   1

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->