A common compression technique can make internet telephone calls significantly more susceptible to bugging, according to recent research from Johns Hopkins University.
Internet telephony has become widely used through consumer-centric applications such as Skype, and is becoming more common in enterprises.
The new research suggests, however, that standard encryption and compression methods, when used together, are not sufficiently secure.
VoIP calls are commonly encrypted using a technique that preserves the lengths of voice patterns in the original, unencrypted conversation, the researchers said.
Such calls are relatively difficult to listen in on, they said. But when length-preserving encryption is used with the variable bitrate (VBR) compression technique, the combination leaks a significant amount of information about the conversation, they found.
"Previous work has shown that combining VBR compression with length-preserving encryption leaks information about VoIP conversations," the researchers said in the report. "We show that this information leakage is far worse than originally thought."
In such conversations, particular phrases could be identified within encrypted VoIP calls with more than 90 percent accuracy. Even in decoding entire conversations, accuracy was significant, the research found.
"On average, our method achieves recall of 50 percent and precision of 51 percent for a wide variety of phonetically rich phrases spoken by a diverse collection of speakers," the researchers said.
The problem arises because VBR compression alters the compression rate based on the type of sound being compressed, using higher compression for simpler sounds and lower compression for more complex sounds.
The resulting audio stream makes spoken sounds easy to identify based on bit patterns, and these patterns are preserved in length-preserving encryption.
The researchers used a dictionary of spoken sounds to reconstruct the original conversation without the need to crack its encryption. The reconstructed conversation could then be analyzed as a full conversation or automatically scanned for particular keywords.
The technique could, for instance, be particularly effective in identifying certain predictable phrases used in professional business conversations, the researchers said.
The research analyzed the impact of noise, dictionary size and word variation on the performance of the technique.
"The results of our study show that an attacker can spot a variety of phrases in a number of realistic settings," the researchers said in the paper.
For mitigating such attacks, padding could be used to make the bit patterns less recognizable, the researchers argued.
However, none of the default encryption transforms of the Secure Real-time Transport Protocol, a standard for secure VoIP calls, specify the use of padding, the researchers pointed out.
"Although padding could introduce inefficiencies into real-time protocols, our analysis indicates that it offers significant confidentiality benefits for VoIP calls," added the researchers.
The paper (PDF), called "Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations", was presented by five Johns Hopkins researchers last month at the 2008 IEEE Symposium on Security and Privacy in Oakland, California.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
FrontRange Solutions launches HEAT Plus Mobile to reduce help desk costs and improve service management productivity 2008-12-02 15:15:00+11
AARNet Helps to Advance Indigenous Health 2008-12-02 12:44:00+11
Orbis selects Telstra International as its data centre partner for the UK, Europe and Middle East Region 2008-12-02 11:23:00+11
ComOps Deploys Corporate Performance Reporting Solution For Healthcare Test Manufacturer 2008-12-02 10:09:00+11
Mornington Peninsula Shire implements Objective to manage knowledge and deliver service excellence 2008-12-02 09:56:00+11
Solve Exchange Mailbox Storage Issues Once and for All
Join industry expert Bob Spurzem and Chuck Arconi of Fox Hollow to discover how to reduce Exchange total storage and keep it at a manageable level. Learn how Exchange storage growth can be contained without sacrificing security and accessibility.
Buying Guides
