iSkoot for S60 Upgraded: Obscured by SSL

I will admit to not testing the "forced" upgrade aspect of this, but I did download and install the upgraded iSkoot for my Nokia N95 this morning. While there is some information floating around in the clear, at least in my case, none of it was personally identifiable.

The vast majority of the communication between the iSkoot client and server now uses TCP port 443 and is encrypted with SSL. Visual inspection of the packet traces confirms that it's SSL traffic. No personal information in the clear anymore.

Nice job, iSkoot. Considering I zero-dayed you on a weekend, you did a great job of getting it fixed!

iSkoot Pulls S60 Build, Plans To Push Fix 30 April 2008

While it was, admittedly, not very nice of me to hand iSkoot a zero-day exploit publicly, on a weekend no less, there was a note on the iSkoot blog today explaining what happened and giving me credit for finding it. I realized my mistake shortly after I made the story public. And to be honest, I should know better, given that I work for a vendor and actually deal with security issues.

There is an ongoing debate among security researchers on the subject of full disclosure versus responsible disclosure. Now having fully experienced both sides of the issue, I was conflicted over the weekend. Did I do the right thing in disclosing this publicly before talking to iSkoot about it?

On one hand, spreading the information publicly without going to the vendor first gives end users a heads up that they are at risk. On the other hand, the bad guys now know that this problem exists and can start looking for ways to exploit it. But how do we know they didn't already know about this and weren't already using this information for their own personal gain?

On the other hand, had I held onto the information and talked with the vendor first, people wouldn't have panicked unnecessarily and hackers wouldn't have had access to the information needlessly. Of course, then it's possible the time to resolution could have taken longer than it did, putting people's Skype sessions needlessly at risk.

I don't think there's a "right" answer to this, personally, as even minds smarter than me can't agree on this topic. I think everyone involved understood my intentions were good, even though some could argue I should have done this differently. In the future, if I run into another zero-day exploit, I hope to keep this experience in mind.

iSkoot claims they'll have a new version out and pushed to users by Wednesday. Looking forward to seeing it for myself and verifying that I see SSL in those packet traces. ;)

iSkoot Will Fix The Encryption Issue On Nokia S60 Client

Looks like iSkoot made a mistake with their Nokia S60 client and will make it right. Apparently a non-production version of the S60 client made it to the public web, which sends data in the clear. Other published versions of their client on other platforms are unaffected.

iSkoot CEO Mark Jacobstein says the existing S60 build will be pulled. The bug will be fixed and a forced upgrade to a patched version will be pushed.

Thanks to Andy Abramson and Jim Courtney for their behind-the-scenes help with this. Update: Forgot to thank Dan York as well, who helped despite spending the weekend driving a U-Haul. :)

iSkoot Transmits Your Data In The Clear

Various people are thinking that Skype Mobile is basically an unbranded iSkoot, which does the same thing in much the same way. Generally speaking, they seem to do the same thing, but they do it very differently. Packet traces don't lie.

I loaded up iSkoot on my Nokia N95 and accessed the iSkoot service via WiFi. I did this so I could capture what the iSkoot client was sending out so I could see the difference. And oh, boy was it different--different enough that I would think twice about using iSkoot.

First of all, Skype appeared to use a TCP connection on a non-standard port. Fine with me. I looked at the raw packets generated by Skype Mobile and saw an opaque blob--exactly what I expected to see.

iSkoot uses TCP port 80--the same port used by HTTP, the lingua franca of downloading web pages. It sends various things as a series of HTTP GET calls. The scary part of this is that your text chat messages--and lots of other interesting information, including your Skype credentials--are being transmitted in the clear. That's right, iSkoot takes all that perfectly good encryption that Skype employs and throws it out the window. For no good reason.

Until iSkoot fixes this problem--and it would be very easy for them to do so (ever hear of SSL?)--I cannot in good conscience recommend using iSkoot.

Update: Issue is resolved in their latest Symbian/S60 client.
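
The check that a visual inspection of these packet traces performs, as an added example (not code from this blog or from iSkoot): it sorts the first bytes of a TCP payload into cleartext HTTP GET, SSL/TLS record, or opaque data, and lists sensitive-looking query parameters. The parameter names, host, ports and payloads are constructed for illustration; the page does not give iSkoot's actual request format.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed parameter names worth flagging; not taken from the iSkoot protocol.
SENSITIVE_KEYS = {"user", "username", "login", "pass", "password", "pwd",
                  "msg", "message"}

# SSL/TLS record content types: change_cipher_spec, alert, handshake, app data.
TLS_CONTENT_TYPES = {20, 21, 22, 23}


def classify_payload(dst_port, payload):
    """Classify the start of one TCP payload as tls, http-cleartext or opaque."""
    # SSL 3.0 / TLS record header: type (1 byte), version 3.x (2 bytes),
    # length (2 bytes). This is a heuristic on the header only.
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 3 and payload[2] <= 4):
        return {"kind": "tls", "port": dst_port, "leaks": []}
    if payload.startswith(b"GET "):
        # Anything in the request line is readable by anyone on the path.
        request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
        parts = request_line.split(" ")
        target = parts[1] if len(parts) >= 2 else ""
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        leaks = sorted(k for k in params if k.lower() in SENSITIVE_KEYS)
        return {"kind": "http-cleartext", "port": dst_port, "leaks": leaks}
    # Neither readable HTTP nor a TLS record: the "opaque blob" case.
    return {"kind": "opaque", "port": dst_port, "leaks": []}


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (80, b"GET /api/chat?user=alice&password=hunter2&msg=hello+there "
         b"HTTP/1.1\r\nHost: service.example\r\n\r\n"),
    (443, bytes.fromhex("16030100c8010000c40303") + b"\x00" * 16),
    (40123, bytes.fromhex("9f3c71e2a8054bd07716c3")),
]


def review(samples):
    """Classify every (port, payload) pair in a capture."""
    return [classify_payload(port, data) for port, data in samples]


if __name__ == "__main__":
    for result in review(SAMPLES):
        print(result)
```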