Skype instant messaging in China is censored, spied upon

The Chinese version of Skype contains spyware that searches for blacklisted words and phrases, blocks instant messages that contain them, copies them to servers and captures the rest of IM chats that have been flagged in this way, according to researchers.

This is all done without being disclosed to customers by the Chinese wireless Internet provider TOM Online that distributes the TOM-Skype software client.


The behavior of this software is being refined over time to better track messages about ever-changing politically sensitive topics as well as other categories, according to Jeffrey Knockel, a Ph.D. candidate at the University of New Mexico, the lead author of a research paper about the client and its behavior.

The spying and censorship are carried out with the knowledge of Microsoft, which owns Skype and its peer-to-peer communications software and describes TOM-Skype as "a modified version that follows Chinese regulations."

Knockel and researchers from the University of Toronto are preparing a second paper that analyzes shifts in how TOM-Skype responds when it comes across keywords and phrases and also how changes to the blacklist over time correlate to news events, he says. This analysis may reveal the motivation behind the monitoring, although a breakdown of key words gives a hint.

Analysis so far shows 42.2% of the blocked words are associated with politics or political dissidents (Tiananmen Square, Gao Zhisheng), 5.2% are related to government officials (Zeng Qinghong, Jia Qinglin), and 5.8% have to do with information about spying (contact phone tapping software, undercover software download). Keywords related to news and information sources account for 10.1% (AOL News, Canadian Broadcasting Corporation). 15.2% are associated with prurient interests, and 7% name specific locations (Chun Xi Road McDonald's, Hangzhou Department Store), according to Knockel.


Over time, the software has changed its behavior. Earlier, it blocked messages that contained trigger words and sent copies of those messages to a server. Now more frequently it imposes surveillance on chats that contain the words and sends both ends of the conversations to the servers, he says.

This new approach is less likely to tip off users that they are being observed and is more likely to yield more information, Knockel says. "Surveillance-only is much sneakier and harder to detect, and may give them more information about what is going down," he says.

Knockel and his colleagues found that TOM-Skype maintains separate lists of words that trigger blocking and those that trigger surveillance.

The software is also gathering and reporting more information about who is participating in monitored chats. Before it was just the sender's identity, but now it also includes the recipient's, which can help track which users of regular Skype are communicating with TOM-Skype users, he says.

Knockel routinely posts a "censorship of the day" keyword list culled from TOM-Skype and decrypted. The list could be exploited by TOM-Skype users to craft messages that avoid the trigger words and so avoid censorship or surveillance, he says.

How they did it

One of Knockel's professors suggested that he investigate TOM-Skype as a class project. Specifically, he wanted to decrypt the complete lists of keywords triggering censorship or surveillance or both and to decrypt the surveillance messages that TOM-Skype sends.

He installed TOM-Skype on virtual machines in an Oracle VM VirtualBox environment on his laptop and was able to see that the client contained a built-in keyword list. The client downloads a new list -- called a keyfile -- that replaces the initial keyword list. The new list is encrypted.

To decrypt it, the researchers redirected the client's DNS queries for the keyfile server to a server of their own, from which the TOM-Skype client downloaded keyfiles crafted by the researchers.

They knew from previous research that a certain swear word was a trigger word in the actual keyfile, so they split the file in half, forced one half into the TOM-Skype client and sent a message containing the word. If the message wasn't blocked, that half of the keyfile did not contain the encrypted swear word. They then forced the other half of the keyfile into the TOM-Skype client and sent the message again to verify that it would be blocked, which demonstrated that this half contained the word.

They continued doing this, cutting the list in half each time and testing against it, until they isolated the ciphertext for the swear word.

After comparing the isolated ciphertext with its known plaintext, the researchers added single-character ciphertext words to the list and sent single-character messages to see which would be blocked. In this painstaking way they worked out which ciphertext characters corresponded to which plaintext characters.
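The bisection and single-character probing described above, as an added simulation that is not the article's or the researchers' own code: the keyfile encryption is modelled as a toy per-character substitution cipher (a constructed assumption, since the page does not describe the real scheme), and the TOM-Skype client is replaced by a yes/no blocking oracle so the halving and probing steps can be followed end to end.

```python
# Added example: simulates the keyfile bisection and per-character probing.
# The substitution cipher and the keyfile contents are constructed for
# illustration only; the article does not describe TOM-Skype's real scheme.
from typing import Callable, Dict, List, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# Constructed toy cipher: each plaintext letter becomes one opaque token.
CIPHER: Dict[str, str] = {c: chr(0x2400 + i) for i, c in enumerate(ALPHABET)}
INVERSE = {v: k for k, v in CIPHER.items()}

def encrypt(word: str) -> str:
    return "".join(CIPHER[c] for c in word)

def client_blocks(keyfile: List[str], message: str) -> bool:
    """Stand-in for the client loaded with `keyfile`: it decrypts the entries
    and blocks the message if any entry appears in it. The analyst only ever
    sees the yes/no answer, never INVERSE."""
    return any("".join(INVERSE[t] for t in e) in message for e in keyfile)

Oracle = Callable[[List[str], str], bool]

def isolate_entry(keyfile: List[str], known_word: str, blocked: Oracle) -> Tuple[str, int]:
    """Halve the keyfile until only the entry that blocks known_word remains.
    Returns that ciphertext entry and the number of oracle queries used."""
    candidates, queries = list(keyfile), 0
    while len(candidates) > 1:
        mid = len(candidates) // 2
        first_half = candidates[:mid]
        queries += 1
        # If the first half still blocks the word, the entry is in it;
        # otherwise it must be in the other half.
        candidates = first_half if blocked(first_half, known_word) else candidates[mid:]
    return candidates[0], queries

def recover_char_map(entry: str, blocked: Oracle) -> Dict[str, str]:
    """For each ciphertext token of the isolated entry, load a one-token
    keyfile and send single-character messages until one is blocked."""
    mapping: Dict[str, str] = {}
    for token in entry:
        for ch in ALPHABET:
            if blocked([token], ch):
                mapping[token] = ch
                break
    return mapping

# Constructed keyfile; "fudge" stands in for the known swear word.
KEYFILE = [encrypt(w) for w in ["alpha", "bravo", "fudge", "delta", "echo", "foxtrot", "golf", "hotel"]]

def demo() -> Tuple[str, int]:
    entry, queries = isolate_entry(KEYFILE, "fudge", client_blocks)
    assert client_blocks([entry], "fudge")  # the isolated entry alone blocks the word
    char_map = recover_char_map(entry, client_blocks)
    return "".join(char_map[t] for t in entry), queries
```

With eight entries the bisection needs three oracle queries, and the probing step recovers the word letter by letter from the yes/no answers alone.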

Knockel used IOActive's IDA Pro software to help reverse engineer TOM-Skype, and he used Wireshark, the open source packet analyzer.

More recently he wrote his own code to carry out DLL injection as a way to force the client to accept the keyfiles he crafted, by making the client's API calls go to his servers.

Microsoft is aware of this spying and responded to an emailed query about what they think about it in relation to privacy and censorship. This is the reply: "In China, the Skype software is made available through a joint venture with TOM Online. As the majority partner in the joint venture, TOM Online has established procedures to meet its obligations under local laws. Even as a minority partner we understand we also have responsibilities. Microsoft is working to adopt appropriate changes that can be made to address the issues raised. We understand the passion our users have for Skype and are committed to taking concrete steps to further increase transparency and accountability."

According to a Skype support Web page, TOM-Skype is a custom version of Skype used in China. "As our majority joint venture partner, TOM Online provides access to Skype for Chinese customers, using a modified version that follows Chinese regulations, called TOM-Skype."

Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.
