Compression lets attackers tap VoIP calls

New research suggests current encryption and compression methods are inadequate

A common compression technique can make internet telephone calls significantly more susceptible to bugging, according to recent research from Johns Hopkins University.

Internet telephony has become widely used through consumer-centric applications such as Skype, and is becoming more common in enterprises.

The new research suggests, however, that standard encryption and compression methods, when used together, are not sufficiently secure.

VoIP calls are commonly encrypted using a technique that preserves the lengths of voice patterns in the original, unencrypted conversation, the researchers said.

Such calls are relatively difficult to listen in on, they said. But when length-preserving encryption is used with the variable bitrate (VBR) compression technique, the combination leaks a significant amount of information about the conversation, they found.

"Previous work has shown that combining VBR compression with length-preserving encryption leaks information about VoIP conversations," the researchers said in the report. "We show that this information leakage is far worse than originally thought."

In such conversations, particular phrases could be identified within encrypted VoIP calls with more than 90 percent accuracy. Even in decoding entire conversations, accuracy was significant, the research found.

"On average, our method achieves recall of 50 percent and precision of 51 percent for a wide variety of phonetically rich phrases spoken by a diverse collection of speakers," the researchers said.

The problem arises because VBR compression alters the compression rate based on the type of sound being compressed, using higher compression for simpler sounds and lower compression for more complex sounds.

The resulting audio stream makes spoken sounds easy to identify based on bit patterns, and these patterns are preserved in length-preserving encryption.

The researchers used a dictionary of spoken sounds to reconstruct the original conversation without the need to crack its encryption. The reconstructed conversation could then be analyzed as a full conversation or automatically scanned for particular keywords.

The technique could, for instance, be particularly effective in identifying certain predictable phrases used in professional business conversations, the researchers said.

The research analyzed the impact of noise, dictionary size and word variation on the performance of the technique.

"The results of our study show that an attacker can spot a variety of phrases in a number of realistic settings," the researchers said in the paper.

For mitigating such attacks, padding could be used to make the bit patterns less recognizable, the researchers argued.

However, none of the default encryption transforms of the Secure Real-time Transport Protocol, a standard for secure VoIP calls, specify the use of padding, the researchers pointed out.

"Although padding could introduce inefficiencies into real-time protocols, our analysis indicates that it offers significant confidentiality benefits for VoIP calls," added the researchers.

The paper (PDF), called "Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations", was presented by five Johns Hopkins researchers last month at the 2008 IEEE Symposium on Security and Privacy in Oakland, California.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Bitdefender 2019

This Holiday Season, protect yourself and your loved ones with the best. Buy now for Holiday Savings!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?