The Chinese version of Skype contains spyware that searches for blacklisted words and phrases, blocks instant messages that contain them, copies them to servers and captures the rest of IM chats that have been flagged in this way, according to researchers.
This is all done without being disclosed to customers by the Chinese wireless Internet provider TOM Online that distributes the TOM-Skype software client.
The behavior of this software is being refined over time to better track messages about ever-changing politically sensitive topics as well as other categories, according to Jeffrey Knockel, a Ph.D. candidate at the University of New Mexico, the lead author of a research paper about the client and its behavior.
The spying and censorship is carried out with the knowledge of Microsoft, which owns Skype and its peer-to-peer communications software and describes TOM-Skype as "a modified version that follows Chinese regulations."
Knockel and researchers from the University of Toronto are preparing a second paper that analyzes shifts in how TOM-Skype responds when it comes across keywords and phrases and also how changes to the blacklist over time correlate to news events, he says. This analysis may reveal the motivation behind the monitoring, although a breakdown of key words gives a hint.
Analysis so far shows 42.2% of the blocked words are associated with politics or political dissidents (Tiananmen Square, Gao Zhisheng), 5.2% are related to government officials (Zeng Qinghong, Jia Qinglin), and 5.8% have to do with information about spying (contact phone tapping software, undercover software download). Keywords related to news and information sources account for 10.1% (AOL News, Canadian Broadcasting Corporation). 15.2% are associated with prurient interests, and 7% name specific locations (Chun Xi Road McDonald's, Hangzhou Department Store), according to Knockel.
[ INTEGRATION: Microsoft promises stronger ties between Lync, Skype ]
Over time, the software has changed its behavior. Earlier, it blocked messages that contained trigger words and sent copies of those messages to a server. Now more frequently it imposes surveillance on chats that contain the words and sends both ends of the conversations to the servers, he says.
This new approach is less likely to tip off users that they are being observed and to yield more information, Knockel says. "Surveillance-only is much sneakier and harder to detect, and may give them more information about what is going down," he says.
Knockel and his colleagues found that TOM-Skype maintains separate lists of words that trigger blocking and those that trigger surveillance.
The software is also gathering and reporting more information about who is participating in monitored chats. Before it was just the sender's identity, but now it also includes the recipient's, which can help track which users of regular Skype are communicating with TOM-Skype users, he says.
Knockel routinely posts a "censorship of the day" keyword list culled from TOM-Skype and decrypted. The list could be exploited by TOM-Skype users to craft messages that avoid the trigger words and so avoid censorship or surveillance, he says.
How they did it
One of Knockel's professors suggested that he investigate TOM-Skype as a class project. Specifically, he wanted to decrypt the complete lists of keywords triggering censorship or surveillance or both and to decrypt the surveillance messages that TOM-Skype sends.
He installed TOM-Skype on virtual machines in an Oracle VM VirtualBox environment on his laptop and was able to see that the client contained a built-in keyword list. The client downloads a new list -- called a keyfile -- that replaces the initial keyword list. The new list is encrypted.
To decrypt it the researchers redirected DNS queries from the client to the keyfile server to a server of their own where the TOM-Skype client downloaded keyfiles crafted by the researchers.
They knew from previous research that a certain swear word was a trigger word in the actual keyfile, so they split the file in half, forced it into the TOM-Skype client and sent a message containing the word. If the message wasn't blocked, that meant that half of the keyfile did not contain the swear word encrypted. So they forced the other half of the keyfile into the TOM-Skype client and sent the message again to verify that it would be blocked, which demonstrated that it contained the word.
They continued doing this, cutting the list in half each time and testing against it until they isolated the cyphertext for the swear word.
After a plaintext analysis of the cyphertext, the researchers added single-character cyphertext words to the list and sending single character messages to see what would be blocked. In this painstaking way they figured out what cyphertext characters corresponded to plaintext characters.
Knockel used IOActive's IDA Pro software to help reverse engineer TOM-Skype, and he used WireShark, the open source packet analyzer.
More recently he wrote his own code to carry out DLL injection as a way to force the client to accept the keyfiles he crafted by making API calls to his servers.
Microsoft is aware of this spying and responded to an emailed query about what they think about it in relation to privacy and censorship. This is the reply: "In China, the Skype software is made available through a joint venture with TOM Online. As the majority partner in the joint venture, TOM Online has established procedures to meet its obligations under local laws. Even as a minority partner we understand we also have responsibilities. Microsoft is working to adopt appropriate changes that can be made to address the issues raised. We understand the passion our users have for Skype and are committed to taking concrete steps to further increase transparency and accountability."
According to a Skype support Web page, TOM-Skype is a custom version of Skype used in China. "As our majority joint venture partner, TOM Online provides access to Skype for Chinese customers, using a modified version that follows Chinese regulations, called TOM-Skype."