Feeds

Compressed VoIP leaves eavesdropping clues

The Norman Collier effect

Boost IT visibility and business value

Eavesdroppers might be able to gain clues about the content of encrypted conversations even without breaking the cryptography.

VoIP services such as Skype encrypt conversations but law enforcement agencies, most notably in Germany, have complained this can hinder law enforcement investigations.

The emerging use of variable bitrate compression for VoIP transmission carries serious potential drawbacks that may play into the hands of those seeking to spy on the content of conversations, for whatever purpose. Variable bitrate compression to VoIP streams minimises the use of bandwidth without reducing audio quality.

But the technique, when applied to encrypted VoIP streams, means that larger packets of scrambled data are associated with complex sounds such as "ow" than simple consonants, such as "c". As a result traffic analysis techniques can be applied to encrypted traffic streams.

Boffins from John Hopkins University in Baltimore, USA have found that the relative size of packets in a VoIP conversation might be used to detect whether words or phrases of interest appear in encrypted conversations. The result might yield a transcript even more unintelligible than from comedian Norman Collier's faulty microphone routine - which might still be a useful result.

Even though the approach is not sophisticated enough to come anywhere near gaining the actual gist of conversations it is be good enough to pick out chosen phrases within encrypted data. By using machine learning techniques the researchers were able to develop systems that "inferred 'hidden' information from encrypted VoIP traffic streams based on observable patterns in packet size and timing of various protocols".

Software developed by the researchers picked out words or short phrases with an average accuracy of 50 per cent, a result that climbed to 90 per cent in the case of longer phrases.

"I think the attack is much more of a threat to calls with some sort of professional jargon where you have lots of big words that string together to make long, relatively predictable phrases," Charles Wright, one of the John Hopkins team, told New Scientist. "Informal conversational speech would be tougher because it's so much more random."

Variable bit rate compression is not widely used in the VoIP world but is likely to be included in future upgrades of a number of services, according to Wright. He added that: "We hope we have caught this threat before it becomes too serious."

The John Hopkins team presented their research at the 2008 IEEE Symposium on Security and Privacy conference in Oakland, California last month. Their paper, Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations can be found here (pdf). ®

Using blade systems to cut costs and sharpen efficiencies

More from The Register

next story
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
Bigger, harder trouser bulges foretold for fanbois
GoTenna: How does this 'magic' work?
An ideal product if you believe the Earth is flat
Telstra to KILL 2G network by end of 2016
GSM now stands for Grave-Seeking-Mobile network
Seeking LTE expert to insert small cells into BT customers' places
Is this the first step to a FON-a-like 4G network?
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
BlackBerry: Toss the server, mate... BES is in the CLOUD now
BlackBerry Enterprise Services takes aim at SMEs - but there's a catch
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.