I Know Where You are and What You are Sharing: Exploiting P2P Communications to Invade Users’ Privacy

Abstract: In this paper, we show how to exploit real-time communication applications to determine the IP address of a targeted user. We focus our study on Skype, although other real-time communication applications may have similar privacy issues. We first design a scheme that calls an identified- targeted user inconspicuously to find his IP address, which can be done even if he is behind a NAT. By calling the user periodically, we can then observe the mobility of the user. We show how to scale the scheme to observe the mobility patterns of tens of thousands of users. We also consider the linkability threat, in which the identified user is linked to his Internet usage. We illustrate this threat by combining Skype and BitTorrent to show that it is possible to determine the filesharing usage of identified users. We devise a scheme based on the identification field of the IP datagrams to verify with high accuracy whether the identified user is participating in specific torrents. We conclude that any Internet user can leverage Skype, and potentially other real-time communication systems, to observe the mobility and filesharing usage of tens of millions of identified users.

None of the core concepts in this paper seem particularly surprising: If you establish a connection with someone over the internet, you know their IP address. If you know an IP address, you can check whether that address is participating in a specific BitTorrent download.

The interesting part of this paper is that the authors are able to use Skype to inconspicuously gain a targeted users’ IP address. By basically dropping all TCP SYN packets during call initiation, UDP packets get through but TCP connections fail -the attacker gets the remote IP address, but the user is never notified of the “call”. The authors combine this method of tracking Skype users’ IP addresses with crawling of common BitTorrent trackers to link Skype users with what they are sharing over BitTorrent. Finally, they filter out false positives from users behind NAT devices by initiating a Skype call and a BitTorrent handshake simultaneously and analyzing the IP ID fields of the response packets.

This paper serves as yet another reminder that without special precautions such as using Tor (and even then..), your actions are not anonymous online. But not only does your ISP and your mobile carrier now have all this information about you, this attack can be carried out by anyone.

Next: NetMon!