Feeds

Compressed VoIP leaves eavesdropping clues

The Norman Collier effect

HP ProLiant Gen8: Integrated lifecycle automation

Eavesdroppers might be able to gain clues about the content of encrypted conversations even without breaking the cryptography.

VoIP services such as Skype encrypt conversations but law enforcement agencies, most notably in Germany, have complained this can hinder law enforcement investigations.

The emerging use of variable bitrate compression for VoIP transmission carries serious potential drawbacks that may play into the hands of those seeking to spy on the content of conversations, for whatever purpose. Variable bitrate compression to VoIP streams minimises the use of bandwidth without reducing audio quality.

But the technique, when applied to encrypted VoIP streams, means that larger packets of scrambled data are associated with complex sounds such as "ow" than simple consonants, such as "c". As a result traffic analysis techniques can be applied to encrypted traffic streams.

Boffins from John Hopkins University in Baltimore, USA have found that the relative size of packets in a VoIP conversation might be used to detect whether words or phrases of interest appear in encrypted conversations. The result might yield a transcript even more unintelligible than from comedian Norman Collier's faulty microphone routine - which might still be a useful result.

Even though the approach is not sophisticated enough to come anywhere near gaining the actual gist of conversations it is be good enough to pick out chosen phrases within encrypted data. By using machine learning techniques the researchers were able to develop systems that "inferred 'hidden' information from encrypted VoIP traffic streams based on observable patterns in packet size and timing of various protocols".

Software developed by the researchers picked out words or short phrases with an average accuracy of 50 per cent, a result that climbed to 90 per cent in the case of longer phrases.

"I think the attack is much more of a threat to calls with some sort of professional jargon where you have lots of big words that string together to make long, relatively predictable phrases," Charles Wright, one of the John Hopkins team, told New Scientist. "Informal conversational speech would be tougher because it's so much more random."

Variable bit rate compression is not widely used in the VoIP world but is likely to be included in future upgrades of a number of services, according to Wright. He added that: "We hope we have caught this threat before it becomes too serious."

The John Hopkins team presented their research at the 2008 IEEE Symposium on Security and Privacy conference in Oakland, California last month. Their paper, Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations can be found here (pdf). ®

Maximizing your infrastructure through virtualization

More from The Register

next story
Google Nest, ARM, Samsung pull out Thread to strangle ZigBee
But there's a flaw in Google's IP-based IoT system
Want to beat Verizon's slow Netflix? Get a VPN
Exec finds stream speed climbs when smuggled out
US freemium mobile network eyes up Europe
FreedomPop touts 'free' calls, texts and data
'Two-speed internet' storm turns FCC.gov into zero-speed website
Deadline for comments on net neutrality shake-up extended to Friday
GoTenna: How does this 'magic' work?
An ideal product if you believe the Earth is flat
NBN Co execs: No FTTN product until 2015
Faster? Not yet. Cheaper? No data
Oh girl, you jus' didn't: Level 3 slaps Verizon in Netflix throttle blowup
Just hook us up to more 10Gbps ports, backbone biz yells in tit-for-tat spat
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.