Skype May Hinder Emergency Response, Security

Feb. 5, 2007 (Vol. 28, No. 3)

Ready to explain to a grieving widow how her husband waited 60 minutes after a heart attack for emergency responders to find him because his 911 call was made over a Skype connection while working late at night? The inability to locate a worker’s specific IP address is another concern that you might raise to anyone at your organization excited about Skype’s Jan. 25 announcement of an expanded enterprise version.

Skype’s new release includes a Web-based call center application, on-demand Web conferencing, a Windows Installer package, enhanced online business control panel and remote configuration. But the product’s developers concede that they have yet to figure out a solution to the 911 issue. As its Web site warns: “The current version of Skype software does not support calls to any emergency number nor emergency service (e.g. 211, 911, 999 etc). To perform calls of this type please make sure to use a landline telephone or a cellular/mobile phone.”

Someone having Skype as their only calling option in an emergency is improbable, but charges of negligence and failure to provide a safe workplace add another facet to consider before allowing the peer-to-peer VoIP service, warns attorney Andrew Brown, partner at Levine, Blaszak, Block & Boothby, in Washington, D.C. Don’t disconnect landlines and advise employees not to make emergency calls from VoIP phones, he advises.

How Skype Won 911 Exemption

Traditional landline phone service providers are obligated to provide the address of a calling party to emergency responders. The FCC mandated in late 2005 that interconnected VoIP providers also must provide a 911 connection and prompt users upon sign-in with a pop-up on their screens to update their locations. But Skype interprets the 2005 ruling as letting it off the hook, and the FCC has yet to come down on the VoIP provider.
“The FCC’s rules appropriately require VoIP providers that offer a replacement phone service to offer E911,” says Christopher Libertelli, senior director of government affairs for Skype, in a message relayed to Voice Report. “Skype serves a different market and is an enhancement to our users’ Internet experience. Because we do not offer a replacement phone service, we do not offer E911.”

Skype used the threat of further security weaknesses in its argument for 911 exemption. “Adding capability for such [emergency] calls to Skype would reduce user security by creating a false impression that Skype can and should be used to reach emergency services and would burden PSAPs with improperly routed calls and unreliable information,” Skype’s lawyer wrote in a letter to the FCC prior to its ruling. Skype is not an “interconnected VoIP provider,” which the FCC defines as a service that has real-time, two-way communication with the PSTN, the attorney further argued.

Maximum Call Quality Requires Lots of Open Ports

In the previous edition of Voice Report, we warned you about the growing threat of employees setting up Skype in your enterprise without your knowledge [VR 1/22/07]. Though several VoIP security experts dismiss the threat of a Skype-using employee’s computer becoming a supernode, at least one says the oft-cited threat of Skype opening firewall ports to hackers and virus attacks does exist.

Most firewalls only open one port at a time as necessary for Web traffic, explains Jody Patilla, a Gaithersburg, Md.-based information security consultant who regularly advises enterprises on Skype and VoIP. But, in an effort to maximize bandwidth usage and enhance call quality, Skype searches for as many ports as possible. It can open thousands, and the software is so encrypted that network admins can’t be sure how it will handle malicious packets.
Note: The program prefers to access port 80 (reserved for Web traffic requiring interaction between your PC and the site’s server) and port 443 (used for encrypted Web sites), plus any of the nearly 65,000 ports above 1024, Patilla says. Skype may be restricted to ports 80 and 443, but using only two ports generally results in poor call quality, Patilla reports.