Security Communications The Internet

Why Does Skype Read the BIOS? 327

pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit Windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"
  • Processor info? (Score:5, Interesting)

    by Ledsock ( 926049 ) on Wednesday February 07, 2007 @04:05AM (#17917774)
    This is a random guess, but it could be part of Skype determining the make and model of your CPU. They had made a deal with Intel a while back to only allow large conferences on their processors, and the BIOS reading could be part of that or anticipation of other deals to come.
  • bad history? (Score:3, Interesting)

    by chimpo13 ( 471212 ) <slashdot@nokilli.com> on Wednesday February 07, 2007 @04:06AM (#17917786) Homepage Journal
    What is Skype's bad history?
  • by Cocoshimmy ( 933014 ) on Wednesday February 07, 2007 @04:14AM (#17917832)
    What better unique identifier than the system BIOS? IP addresses are becoming less reliable since many people use wireless internet and mobile phones for Skype.

    Skype is probably just looking for abusive users who sign up for their low margin unlimited calling plan only to share it with their relatives and friends across the world. If they detect, say, 5 different machines calling 5 different people all within a span of 10 minutes, then something is likely wrong.

    Of course they could just be collecting system info such as the system manufacturer, processor type, number of processors, sound card, etc. This could be combined with the survey results regarding phone quality they ask you to take after every few calls. In the end it could result in a better product and better service. Of course many other software products already do this (such as Firefox, MS Windows, MS Office) but they are more open about it and at least give you the option of participating.
  • Random generator? (Score:1, Interesting)

    by Anonymous Coward on Wednesday February 07, 2007 @04:33AM (#17918008)
    Could it be that Skype uses BIOS data to generate random numbers for the encrypted communication layer?
  • by Anonymous Coward on Wednesday February 07, 2007 @04:42AM (#17918046)
    It seems as if we exist solely to be data-mined. The whole "consumers, not citizens" viewpoint of business and politics is getting old. Is it time for the next revolution yet?
  • What about Macs ? (Score:4, Interesting)

    by warrior_s ( 881715 ) <kindle3@NospaM.gmail.com> on Wednesday February 07, 2007 @04:49AM (#17918086) Homepage Journal
    Can someone tell me how I can check if it's doing the same on my MacBook?
    Thanks
  • by Timberwolf0122 ( 872207 ) on Wednesday February 07, 2007 @05:16AM (#17918212) Journal
    Read my BIOS settings, I have no problem with this. There is no information on my BIOS that I would consider sensitive, maybe a touch of chagrin if it turns out I have my RAM config set wrong(?) but that's it.

    Writing to my BIOS.... now that's a different matter and one I would take exception to.
  • Re:What about Macs ? (Score:3, Interesting)

    by apt_user ( 812814 ) on Wednesday February 07, 2007 @05:29AM (#17918286)
    That's a good point. Intel Macs don't have a BIOS, they use Intel EFI (the old PPC Macs used OpenFirmware). How does Skype react to running in XP under Parallels?
  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Wednesday February 07, 2007 @05:41AM (#17918366) Homepage
    It took a minute for the penny to drop, but is it not downloading the BIOS code rather than the system setup info held in CMOS ?

    If that is the case then transmission of that BIOS back to Skype HQ must be a breach of Phoenix/... copyright.

    Look what they try to do if you or I copy someone's code ...

  • Re:About figures (Score:3, Interesting)

    by Tom ( 822 ) on Wednesday February 07, 2007 @05:50AM (#17918416) Homepage Journal

    Too much to ask I guess.
    SELinux allows you to fine-tune permissions to extreme detail, including everything you used as example (or at least the Linux-equivalent, as far as registry, etc. is concerned).

    Problem: The complexity isn't for the faint of heart. So no distribution for the general public will actually use it as fine-grained as it allows you to be.
  • by Cocoshimmy ( 933014 ) on Wednesday February 07, 2007 @06:00AM (#17918472)
    First let me point out that this is just a theory. Second, if you read my entire comment then you would see that I agree that there are potentially other explanations for why they collect this information.

    The chances of BIOS data matching up exactly, while not as low as two random numbers of length equal to the BIOS data, are still very low. Imprinted in the BIOS is the image itself, the manufacturer, the model, and other system information. What random persistent data that you speak of can be consistently harvested on all machines after every reboot? The only other information available perhaps is the MAC address.

    As for why they would read the BIOS for this. Your BIOS and/or motherboard are not things that you change every day, let alone every 5 minutes. If for example, your account logs 2 or 3 motherboards being used over one month or even one week, not a big deal. But, if your account logs 10-15 different motherboards within the HOUR, then something is likely wrong and they would investigate. Skype would likely check this against other information which it collects from the system.

    As for your last point, yes, Skype does not lock accounts to a specific PC. In fact, you can be logged into Skype from multiple computers simultaneously. This would allow you to be logged in on your desktop, your laptop, and your Windows Mobile phone all at the same time and send/answer calls from whichever system is most convenient. However, as I mentioned earlier, if you gave your Skype account password to several friends and had 10-15 unique computers connected within the hour, then it could indicate abusive behaviour.

    Chances are that this data could be used for other things, which I pointed out in my original post. However, your arguments against this particular theory, do little to refute it.
  • Done (Score:5, Interesting)

    by adpsimpson ( 956630 ) on Wednesday February 07, 2007 @06:20AM (#17918558)

    Dear Sir/Madam,

    As a Skype customer (adpsimpson) and software developer who has used SkypeOut from across the world to stay in touch with folk at home, I read with some interest on http://slashdot.org/ this morning that Skype appears to read the system BIOS on start up.

    While I am aware that there are legitimate reasons that some software may do this, I cannot immediately think what a VOIP application would require the data for.

    Using closed source software is always a second-best from my point of view, especially in terms of privacy and transparency of the software's function - this in fact is what led me to Skype, since it runs on Linux. As such I am slightly concerned about unexpected application behaviour.

    What does Skype do with this information? Is it transmitted across the network in any form? Is it identifiable?

    I look forward to your response,

    Yours,
    Andrew Simpson

  • Re:About figures (Score:4, Interesting)

    by giorgiofr ( 887762 ) on Wednesday February 07, 2007 @06:35AM (#17918650)
    The problem is not with disk space, but with unnecessary duplication of functions, which leads to having different versions of the same libs on your system, some of which might have security holes. Besides, it's totally inelegant and contrary to all concepts of modularization. Might as well ship a VM for every app.
  • by AndrewStephens ( 815287 ) on Wednesday February 07, 2007 @06:42AM (#17918678) Homepage
    I don't know why Skype is reading the BIOS, others have speculated that they are trying to generate a unique key from the SMBIOS tables or perhaps lock certain features to certain processors. Sounds plausible I guess.
    What I do know is the Skype programmers are überl4m3rz; the BIOS can be mapped into a process's address space using perfectly good Win32 calls. Resorting to calling a COM program to read the memory is an incredibly cheap hack, and obviously a badly tested one.
  • Tracing (Score:5, Interesting)

    by ignorent ( 857223 ) on Wednesday February 07, 2007 @07:31AM (#17918978)
    Perhaps the federal government requires them to make all phone calls traceable?
  • by blackest_k ( 761565 ) on Wednesday February 07, 2007 @07:38AM (#17919028) Homepage Journal
    You make the assumption there that Win32 calls are available; I'm running Linux.

    It makes sense to try and keep the code as cross platform as possible.
    However the question we all have is why?

    Possibilities include user statistics. I would guess internet cafes would have large numbers of accounts on a small number of PCs, but most accounts will be used at home or possibly on holiday. So maybe it is the marketing department that is interested.

    A less sinister reason may be to combat fraud. Recently I noticed that Skype have introduced monthly caps on the SkypeOut credit you can buy. Perhaps there is an issue or potential issue of fraudulent use of credit cards to buy credit.

    Would be some protection for them if some user claims that his credit card details were stolen, and used to buy Skype credit. With the BIOS code you could probably identify fraud on the part of that user when there is a dispute and the credit card company is refusing to pay. For Skype to be able to say, well, we believe that user did incur these charges since we have it on record that the PC used was used both before and after the disputed dates for making calls on this account.

    And finally, let's face it, Skype isn't that secure; all it takes is for you to know my username and password and you can make free calls on my account.

    Actually when you think about it, attacking the username password system on Skype should be fairly trivial; at least it should be noticeable when someone starts bruteforcing username password combinations.

    When you think about it, take your wireless laptop or PDA war driving.

    connect to unsecured network
    brute force a username password
    make free calls world wide.

    With the ability to blacklist the particular PC used for the attack it becomes a lot more difficult and expensive
    to compromise user accounts.

  • Re:About figures (Score:0, Interesting)

    by Anonymous Coward on Wednesday February 07, 2007 @08:06AM (#17919172)
    Bought a Mac in 2003. Later bought another Mac with Tiger installed. Earlier this year I sold my Mac and switched back to Linux (Ubuntu for now, maybe Gentoo or Fedora when I find out how it will play (DRM-free) AAC files, and in the Fedora case play movies; yes, I installed all kinds of gstreamer-plugins already; in Ubuntu that's enough).

    Actually the Mac is no solution. Yes, applications install with drag+drop, but libraries DON'T. Both packages and general-purpose installers ask for installation privileges, and all they tell you in "Details" is "installer.app" or something like that. So the Apple security amounts to: do you want to let the installer run as root?

    Ok, on Linux I have to do this, too, for Java (no thanks, gcj and gij suck!) or for VMWare. But with many apps I can also install just fine as non-root, and tell them *where* to.

    Yes, the hugeness of every single simple app on Mac OS isn't a big problem, but it makes for dog-slow application startup, and for some reason slow general performance.

    Back in the day my 700MHz P3 was much faster to start up Firefox & friends (and OOo, and Java, and audio playback resulted in about a third the CPU consumption, and...) than the 800MHz iBook (oh SURE, the G4 is much more advanced than a P3, and MUCH faster per clock... yeah right). Now a two-year-old P4 is MUCH faster than my two-year old Mac mini was. Ok, eats more power, but who cares? Maybe I'll just buy a used Centrino later this year, which would cost a whopping 500 bucks for a high-quality Thinkpad.

    For 150 bucks LESS I got a much faster machine with a much better file manager, but better window manager, many more apps, Java is about 3-4 TIMES faster ...

    Screw you Apple. And at some point even my ripped AACs will be re-ripped as MP3 or Vorbis. Just need to find a good portable player (sold my brandnew iPod Shuffle; that proprietary crap doesn't work with Linux, either, even with gtkpod).
  • Re:bad history? (Score:3, Interesting)

    by BrokenHalo ( 565198 ) on Wednesday February 07, 2007 @08:39AM (#17919328)
    I've wondered about Skype for a while since I discovered that the Skype Linux client doesn't really close when you exit the program. It leaves a process there which you have to kill before the program will restart properly again. If they were doing anything underhand with that orphaned process, I guess it was pretty dumb to make its presence that obvious, but given the general calibre of their programming (at least wrt the Linux client), it would hardly be surprising.

    Damn, I've worn out yet another tinfoil hat...
  • Re:Serves You Right (Score:3, Interesting)

    by vadim_t ( 324782 ) on Wednesday February 07, 2007 @09:33AM (#17919764) Homepage
    Which is this mythical "support" people talk about?

    I've NEVER heard of anybody calling MS support for say, routine Windows issues. At best, people would call the ISP when the connection went down. This is because most of those normal users don't have a clue of what a computer is, how it works, and whose fault it is when something doesn't work. They understand that their ISP provides their internet connection, so they call them, but they have no clue who to call when their computer breaks.

    So they assume that something broke, or that they broke it, and just haul the box to the local PC shop, where they check it for spyware, etc. In fact, when I still did that sort of thing routinely, 90% of things people needed help with was due to various crap that got into the system (which doesn't even exist in Linux).

    For the rest of issues, which would be the "Why does this page not work?" when the page insists on IE6 and only IE5 is installed and they don't know how to update it, they call their local friendly geek. These people, btw, are getting increasingly sick of Windows and switching to Linux. My life became a lot more relaxing since I started answering that I haven't even used XP, so I don't know how to fix it.
  • NSA conspiracy (Score:5, Interesting)

    by sideswipe76 ( 689578 ) on Wednesday February 07, 2007 @09:44AM (#17919876)
    I am gonna repeat my grand conspiracy theory: It is my belief that eBay's purchase of Skype was somehow coaxed by the NSA/CIA and here is why: eBay's purchase of Skype never made sense. eBay could have included skypeout:// links in their auctions without spending a penny. That would be like saying Slashdot can't use IM unless they buy AOL. Skype spent way above considered market value for Skype and their shareholders have applied no real pressure to have it turn a profit. This makes the transaction suspicious. The reason of course is because prior to eBay's purchase Skype was owned in Luxembourg and definitely not an ideal partner for eavesdropping on "terra'rists" (given those crazy European privacy laws). Given that the calls are encrypted, and that Skype does maintain the keys to decrypt those sessions, getting Skype under US subpoena power is a powerful tool for eavesdropping. In fact, because it is VoIP for most if not all of the calls, it can easily route traffic into the US where it can be picked up, decoded and monitored. Or, since it is known that open IPs become super nodes, Skype can naturally be coaxed into steering packets toward a super-node that can easily be monitored. I used to work for the company that wrote Carnivore. People got worked up over that? It was only the prototype.
  • by Kadin2048 ( 468275 ) <slashdot.kadin@xox y . net> on Wednesday February 07, 2007 @09:46AM (#17919900) Homepage Journal
    They are most likely using this in combination with other more or less 'unique' things to identify a specific machine. It wouldn't surprise me if after this some people would do a more in-depth analysis of their code and find out that it also reads the serial number of the harddrive and gets the MAC address of the Ethernet adapter.

    This seems pretty logical. Since they got rid of that hackneyed scheme a while back to give each processor a serial number (wait -- did they get rid of that?), some sort of hash of the BIOS memory, plus the Ethernet MAC, plus the HD serial number, all concatenated together, is probably as close to a unique identifier as you're likely to find on a "per machine" basis.

    That said, it doesn't make me feel any better. I wasn't a fan of the processor serial number concept, and not just because it was a serial number in the processor; there were serious privacy concerns with any uniquely identifying, per-machine serialization concept, and that's true whether it's a dedicated number that's being used, or some sort of combination of semi-unique factors.

    It's just one more piece of information, sitting in a database somewhere, that could be subpoenaed and used to generally cause trouble. Particularly given how close-mouthed the Skype people are about how their network actually operates (e.g. their alleged encryption, peer to peer communications), I'm not ready to run right out and trust them.

    I wonder if it would be possible to run Skype in a sandbox, where the information it's fed could be carefully controlled? On further thought, I wonder what happens when you run it in VMWare or Wine? Do they actually pass information about the hardware up to guest applications? It seems like this behavior would be one that the user should be given an option about, at the very least; I can only think of a few programs who have any reason to be getting the drive serial number, or the Ethernet MAC address, and for the most part they are not userland apps.
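
The two ideas floated in this thread, a per-machine identifier hashed from BIOS bytes plus MAC plus disk serial, and flagging an account seen on "10-15 different motherboards within the HOUR", can be sketched together as follows. This is an added example, not code from Skype or from any commenter; the function and class names, the SHA-256 choice, the threshold of 10 and the sample logins are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # "within the HOUR", as in the comment
MAX_DEVICES = 10       # assumed threshold: low end of "10-15 different motherboards"


def machine_fingerprint(bios: bytes, mac: str, disk_serial: str) -> str:
    """SHA-256 over BIOS bytes, MAC and disk serial (hypothetical scheme).

    Each field is length-prefixed so that (b"ab", "c") and (b"a", "bc")
    cannot collide after concatenation.
    """
    h = hashlib.sha256()
    for part in (bios, mac.strip().lower().encode(), disk_serial.strip().encode()):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


class SharingDetector:
    """Counts distinct fingerprints per account inside a sliding time window."""

    def __init__(self, window=WINDOW_SECONDS, max_devices=MAX_DEVICES):
        self.window = window
        self.max_devices = max_devices
        self.events = defaultdict(deque)  # account -> deque of (ts, fingerprint)

    def observe(self, account, ts, fingerprint):
        """Record one login (events must arrive in time order).

        Returns True once the account has reached max_devices distinct
        machines within the window.
        """
        q = self.events[account]
        q.append((ts, fingerprint))
        # Drop logins that have aged out; the entry just added always stays.
        while q[0][0] <= ts - self.window:
            q.popleft()
        return len({fp for _, fp in q}) >= self.max_devices


def build_sample_logins():
    """Constructed sample data: (account, unix_ts, fingerprint), time-ordered."""
    home = [machine_fingerprint(b"BIOS-HOME", f"00:11:22:33:44:0{i}", f"DISK{i}")
            for i in range(3)]
    ring = [machine_fingerprint(b"BIOS-%d" % i, f"02:00:00:00:00:{i:02x}", f"SN{i}")
            for i in range(12)]
    events = []
    # "alice": her own three machines, one login per day.
    for day in range(6):
        events.append(("alice", day * 86400, home[day % 3]))
    # "shared": twelve different machines inside half an hour.
    for i, fp in enumerate(ring):
        events.append(("shared", 600000 + i * 150, fp))
    return sorted(events, key=lambda e: e[1])


def flag_accounts(events):
    """Return the set of accounts that crossed the threshold at any point."""
    detector = SharingDetector()
    flagged = set()
    for account, ts, fingerprint in events:
        if detector.observe(account, ts, fingerprint):
            flagged.add(account)
    return flagged


if __name__ == "__main__":
    print(flag_accounts(build_sample_logins()))
```

Because every field feeds the hash, changing any one component produces a new fingerprint, so a single machine whose MAC is altered counts as a second device.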
  • Re:Processor info? (Score:1, Interesting)

    by Anonymous Coward on Wednesday February 07, 2007 @09:50AM (#17919960)
    Could be a poorman's attempt at checking if you're running inside some sort of virtualization. Their datastream is still proprietary.
  • Re:Processor info? (Score:5, Interesting)

    by aonaran ( 15651 ) on Wednesday February 07, 2007 @10:02AM (#17920076) Homepage
    Maybe reading the BIOS will tell them if you are running Skype in a virtual machine that emulates an Intel processor, which keeps Skype from being fooled into running 10 connections on AMD.
  • by Gr8Apes ( 679165 ) on Wednesday February 07, 2007 @10:08AM (#17920144)
    MACs are changeable. BIOS can also be changed, but the flash procedure is a PITA, especially on a regular basis. Disk serials, on the other hand, I have less experience with. However, having roughly 20 disks at hand, even this poses little difficulty for me to change, especially with Partition Magic's cloning capabilities.

    It's still more trouble than I would go through - it's easier just to not use Skype.
  • Their Spyware Past (Score:1, Interesting)

    by ThinkFr33ly ( 902481 ) on Wednesday February 07, 2007 @11:47AM (#17921358)
    The creators of Skype got their money from the very popular P2P application, Kazaa.

    Kazaa was well known for being a conduit for spyware onto users' machines. Virtually all of the money these guys made from Kazaa was by charging huge per-install fees to makers of spyware and adware. They full well knew what this software did, and they were perfectly happy to take the money.

    But paying on a per-install basis means you need to be able to reliably identify a person's machine. This isn't as easy as it sounds. There is really no single piece of information that can uniquely identify a machine.

    But doing a dump of the BIOS and gathering a few dozen pieces of information would allow you to fairly accurately identify unique installs.

    Now, I'm not saying that Skype is spyware. And I'm not saying that these guys intend for it to become spyware at any point in the future. But I bet that they originally intended Skype to be the next big vehicle for spyware delivery.

    Now that Skype is so popular and seems like a legit way to make money, they no longer intend to use it for evil. But old habits die hard, and so does old code.
  • Re:About figures (Score:3, Interesting)

    by Tom ( 822 ) on Wednesday February 07, 2007 @01:05PM (#17922516) Homepage Journal
    I said it isn't for the faint of heart. :-)

    I've set up enforcing mode webservers and database servers. I've had my notebook running in enforcing mode back when I was giving talks about SELinux, and put the wireless IP and root password on the board during presentations. But yes, it was tricky to get it running and many of the permissions weren't set as strict as they could've been.

    The main project I've always had in mind, but never finished, was VM, just differently from yours: A very locked-down SELinux host machine that runs VMs that are non-SE. Make backups, whack it and replace if the VM gets cracked. Heck, replace it daily just to be sure. As long as your host machine is secure, you have a very controlled damage scenario.
  • by Pfhorrest ( 545131 ) on Wednesday February 07, 2007 @02:31PM (#17923734) Homepage Journal
    Wouldn't it be nice if the Operating System helped you protect it from intrusive applications? No, you don't get to silently spam half baked crap into /etc/rc.d/init.d just because you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.

    Right on!

    Coming from the Mac world, where I know there's most often no technical reason why an app couldn't just be drag-and-drop "installed" (i.e. just copy the app bundle to wherever the hell you want it and run it from there), I raise a suspicious eyebrow every time I download some program which should be entirely a userland thing (a game, a document or media editor or player of some sort, etc) which insists that I run an installer program that asks me for an admin password. I feel like asking the devs, "Why exactly do you need write access to anything outside your app bundle? Give me a damn good reason why I should entrust my system to you."

    I want my OS to serve me like I want my government to serve me: stay out of my way unless I ask it for something (and have useful services available for the asking), except to keep people from doing bad things to me and my property, in which case I want it to proactively defend me. This means that no programs are running that I don't want running or don't know are running; nothing can *get* running without my telling it to or at least granting it permission to; and no files get written anywhere, perhaps outside of a few sandbox areas like the user's Preferences folder, without my permission.

    OSX does most of this right already. The only more-stringent thing I would really ask for is that installers/etc which ask for an admin password not just get blanket permission to do whatever they want; I'd prefer it if the system instead told me, for each item the app wanted to install, that:

    "The application FooBar wants permission to create the folder "Beezelbub" in System/Library/YourMom/. The justification it provides for this is:
    Beezelbub is a video codec needed to play cutscenes in FooBar: The Quest For Metasyntax.
    Do you wish to allow FooBar to create this item? [Yes] [Yes To All] [No] [No To All]."

    And if you click one of the "Yes" buttons, THEN it prompts you for an admin password.

    Of course, the app would be allowed to write whatever the hell it wants into folders it creates, so you don't have to get this prompt for every one of the thousand little files that some library or codec might include, unless those files are scattered to the winds and not in one nice neat package like they should be. Currently existing apps of course would not have such justification strings built into them, but even still, this would be a more secure way that would allow users who care to selectively allow the installation of crap on their system. And of course, users who don't care can always say "Yes To All" and be no worse off than they are today.

    But users like me would feel much less suspicious, no longer wondering "what the heck does this installer want with my admin password? Why does this program need an installer in the first place?"

    A related thing I might like would be if the system notified me any time any program tried to open up a network connection of any sort; to which I could say "allow", "always allow" (for trusted things), "disallow", or "always disallow" (for things you think are spyware). Include similar justification strings as the above dialogue does. This would work well to combat any sort of trojan spyware you might have gotten (that is, programs you downloaded and installed yourself, which are sending data to someone that you don't want it to send; since the way O
  • Re:What about Macs ? (Score:2, Interesting)

    by daran0815 ( 778887 ) <daranNO@SPAMdelphin.all.de> on Thursday February 08, 2007 @11:02AM (#17934144)

    it's impossible for a would-be stealth system to counter good timing-attacks.

    Okay, please tell me what such an attack consists of.


    One possible method is using an instruction that is emulated (traps) when in a VM, whereas it is directly executed in normal mode and therefore *much* faster.

    Another quite dated approach (seen in delivered apps at the time) is using self-modifying code. The trick was to write to some executable place ahead of the executing instruction with no flushes. If the modified function gets executed before the cache gets flushed (making the code modification effective), there most likely was no trap (e.g. breakpoints) called in between.
