Why Does Skype Read the BIOS?

pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"

Re:bad history?

[Anonymous Coward]

I think he was talking about the company who owns it. They also made kazaa, which was full of spyware and other harmful malware.

Re:bad history?

[Ledsock]

While it is true that the developers were responsible for Kazaa, currently Skype is owned by eBay. They bought them on Oct. 14, 2005 for around $2.6 billion.

Re:bad history?

[anethema]

Actually, the original Kazaa (which WAS dev'd by the same people as skype) was -not- full of spyware and adware. Kazaa was made an atrocity by Sharman, who still owns it.

Re:Processor info?

[Anonymous Coward]

That's an interesting guess but probably wrong. The x86 instruction set has an instruction (which can be run directly from user-mode) that gives the make and model of the processor. Skype almost certainly uses that.

Reading the BIOS only gives information about the motherboard. With great difficulty, it might be possible to determine what processor familes the motherboard supports, but I'm not sure how.
                --Justin

Re:Processor info?

[Anonymous Coward]

No need for reading the BIOS. Just call the CPUID [wikipedia.org] instruction.

Here's a question for you....

[Khyber]

I once read somewhere that the only identifying information that you could legally acquire, being installed on someone's computer, was MAC, IP, and Nickname. Anything else (Pentium 3 fiasco, anyone?) constituted a breach of privacy. Dunno if it's true, or not, but personally, I don't want you trying to identify what the hell makes up my system. Perhaps I'm building it SECRETLY for a fucking reason. You don't need to know what CPU or HDD I have installed - the only reason you would want to would be to directly target advertisements at their own users, concerning their own fucking hardwaer. If Skype did that, they'd lose not every bit of faith from me, but I'd go tell my company that I work for, which uses SKYPE on a regular basis. I can guarantee you that IT is so stupid they'd drop Skype and install Asterisk on a whim if I told them too, since I usually end up having to fix their intranet when it goes down.

Re:bad history?

[Cocoshimmy]

They could be referring to the time where Skype would only allow 10-way conference calling on dual-core Intel processors [slashdot.org]. Those running AMD processors could only have 5-way conference calls. At the time they cited the "technical superiority" of Intel processors over AMD ones.

Of course thie gave bad publicity to both Intel and Skype after AMD issued a subpoena [slashdot.org] against Skype and the fact that it was discovered that the software simply checked the processor ID and enabled the feature based on that. A patched version [slashdot.org] was also released which bypassed this artificial limitation.

Re:Processor info?

[lachlan76]

The CPU is identified with the CPUID [wikipedia.org] instruction, not with any sort of BIOS access. Such a scheme would be wasteful and more complex.

Re:To prevent abuse? Usage statistics?

[evilviper]

Of course they could just be collecting system info such as the system manufacturer, processor type, number of processors, sound card, etc.

That's complete nonsense. Windows has a perfectly standard way of finding out about system devices. Reading the BIOS would tell you almost none of the things you listed to begin with.

Re:What about Macs ?

[descil]

Skype won't run if you have softice installed on windows. Pretty funny - I guess they don't want you to look.

Ollydbg still works though.

Re:Processor info?

[Anonymous Coward]

If I remember correctly Windows has no syscall for that. But CPUID and RDTSC are user mode instructions (*) and do all one needs for cpu identification and more.

(*) = I don't know if CPUID is user mode under any OS or is dependent on some setting. RDTSC is user mode under Windows but not under Linux (there is some bit in some CRx register or whatever that determines whether RDTSC is privileged or not).

Re:Processor info?

[slashdot.org]

Reading your BIOS to determine CPU ain't gonna be useful. I doubt any BIOSes store info on which CPU is on the board.

As a former BIOS coder, I'll second that. Even if the BIOS did store some system specific info in Flash (on Embedded BIOSs sometimes this is done because CMOS is not reliable), there is NO way that Skype would know the format/place/meaning of this. It would be specific to a certain build of a specific BIOS for a specific board by a specific vendor.

In any case, the method described to dump the BIOS is not very likely to get anything close to the complete, original BIOS image to begin with. By dumping memory at F000:0000 through F000:FFFF, a 16 bit DOS program, under Windows, will get the memory resident part of the BIOS. Most BIOSs are far bigger than 64KB and the memory resident part is the decompressed runtime part, which is nothing like what the actual BIOS image looks like at boot time.

They are most likely using this in combination with other more or less 'unique' things to identify a specific machine. It wouldn't surprise me if after this some people would do a more in-depth analysis of their code and find out that it also reads the serial number of the harddrive and gets the MAC address of the Ethernet adapter.

Re:What about Macs ?

[mrogers]

Skype contains encrypted code, self-modifying code, timing loops to detect whether it's running inside a debugger, and any number of other tricks to prevent reverse engineering. Which hasn't stopped people trying:

http://www.recon.cx/en/f/vskype-part1.pdf [recon.cx]
http://www.recon.cx/en/f/vskype-part2.pdf [recon.cx]

seeding a random function

[quench]

well getting hardware information of this kind could practically be used as seed for random numbers.
why always feed it with zero or get-ticks-since reboot?
bye

Re:Processor info?

[49152]

Not entirely correct.

GetSystemInfo() in Win32 and GetNativeSystemInfo() in WoW64 will give you some CPU information:
It will tell you if your running on Intel, IA64 or AMD64, it will also identify 386, 486 and Pentium, Processor Level and Stepping and processor Revision. I think this will be sufficient in most cases to identify the CPU.

Re:Finally...

[battjt]

No, the really cool thing about Skype is that it works and works very well.

The audio quality over my MacBook, through a public WiFi network, through a very restrictive firewall, across the net, through another anally restrictive corporate firewall, across a nearly saturated WAN, to my client's desk is much, much better than using my digital mobile phone.

The ease of use is great. We whip together video calls or conference calls all the time and never have to worry about getting a third party involved to set it up for us.

Being able to call out is fabulous also. I've spent a lot of time in ICU's lately where I'm not able to use the mobile phone, but am able to use the WiFi network. It is very neat to be able to phone from an ICU to pretty much anyone (Skype or phone) with the option for video if they are on Skype also.

The Jabber community just hasn't gotten their stuff together quick enough. There was plenty opportunity to beat Skype to market, but no one else, using open protocols, got the job done. I wish they would have.

Joe

Re:Hmmm.....what could you do with this?

[Cheesey]

http://www.blackhat.com/html/bh-europe-06/bh-eu-06 -speakers.html [blackhat.com]

That Blackhat link is very interesting, thanks. Deliberate spying behaviour aside, Skype doesn't seem a very trustworthy app!

Re:Processor info?

[Anonymous Coward]

Fact 1: 0xF0000-0xFFFFF are the SHADOWED copy of BIOS on almost every BIOS. It's write-enable-able.

Fact 2: That's usually where the SMBIOS pointer is found.

Fact 3: It's easy (and the only way really) to scan for SMBIOS and find it.

Fact 4: SMBIOS *does* often contain serial numbers and hardware details.

Another reason not to use Skype

[guruevi]

I refuse to use Skype since it has it's own 'standard' and is not interoperable with SIP or any other standard and open VoIP protocol. It's also closed source so you don't know what it's doing. I hope a lot of these 'privacy' breaches will be uncovered and people will start seeing the benefit of having truly open source code.

Re:Don't like it one bit.

[Anonymous Coward]

Wine emulates only the API, the application still runs on the CPU. And that means that the application can still get any information about the CPU by simply issuing the CPUID instruction. Low level access to other devices is possible (due to multitasking and stability issues) only through OS calls. I don't know how much info does Wine give through it's emulated syscalls. OTOH, VMWare and other complete PC emulators emulate an entire system, so every device in that system seen by the OS and apps is fake. This still does not have to hold with the CPU. If your emulator runs userland directly on your CPU (like with QEMU Accelerator, or default configuration on VMWare), usermode applications will still be able to issue CPUID and get info about your processor. Though this is a disableable option (if you don't mind a huge performance hit of emulating the CPU in software).

Re:Finally...

[Anonymous Coward]

Try The Gizmo Project [gizmoproject.com]. It is comparable to Skype, but it uses SIP, so it's open and compatible. I believe it has all of the same features as Skype, if not more, though I haven't done a detailed comparison myself. But it's definitely worth checking out. From personal experience, I know that their customer service is really helpful and attentive as well.

Re:Their Spyware Past

[tweek]

If you look at the history of Kazaa, the original developers were long gone by the time Sharman started pimping the spyware. These are the same long-gone guys who developed Skype and are long gone now working on YANNP (yet another new project)

Re:About figures

[m50d]

256mb stick, 8mb stick, 1mb stick. Easy enough.

Re:NSA conspiracy

[Beryllium Sphere(tm)]

Traffic analysis can be as valuable as content decryption for some purposes, and Biondi discovered that Skype's nominally encrypted call setup (as opposed to the voice encryption) was reusing an RC4 stream.

The session keys, however, are ephemeral if I'm reading Tom Berson's Skype security analysis [skype.com] correctly. See sections 3.3 and 3.4.1 in particular. The attack vector would be to impersonate one endpoint, which you could do with the Skype network private key.