[VOIPSEC] article on vulnerability of compressed audio

William Rippon dirkbjr at mac.com
Mon Jun 23 15:52:06 CDT 2008


Hello,

I saw a couple article references to the following. Was curious to see what the impression of the voipsec community was regarding this.

Thanks,
Bill

-------------------------------------------------------------------------------------------------------------------

Subject: Compressed web phone calls are easy to bug  (fwd)


http://technology.newscientist.com/article/dn14124-compressed-web-phone-calls-are-easy-to-bug.html

Compressed web phone calls are easy to bug


Plans to compress internet (VoIP) phone calls so they use less bandwidth could make them vulnerable to eavesdropping. Most networks are currently safe, but many service providers are due to implement the flawed compression technology.

The new compression technique, called variable bitrate compression, produces different size packets of data for different sounds.

That happens because the sampling rate is kept high for long complex sounds like "ow", but cut down for simple consonants like "c". This variable method saves on bandwidth, while maintaining sound quality.

VoIP streams are encrypted to prevent eavesdropping. However, a team from Johns Hopkins University in Baltimore, Maryland, US, has shown that simply measuring the size of packets without decoding them can identify whole words and phrases with a high rate of accuracy.

VoIP systems accessed via a computer like Skype have become popular in recent years, and internet-based phone systems are increasingly appearing in homes and offices too to connect conventional telephones.

Matching packets

Only a few services currently employ the vulnerable compression method, but more networks had hoped to include it in future VoIP upgrades, says Charles Wright, a member of the Johns Hopkins team. "We hope we have caught this threat before it becomes too serious."

Eavesdropping software the team has developed cannot yet decode an entire conversation, but it can search for chosen phrases within the encrypted data. This could still allow a criminal to find important financial information conveyed in the call, says Fabian Monrose, another team member.

The software breaks down a typed phrase to be listened for into its constituent sounds using a phonetic dictionary. A version of the phrase is then pasted together from audio clips of phonemes taken from a library of example conversations, before finally being made into a stream of VoIP-style packets.

That gives an idea of what the phrase would look like in a real VoIP stream. When a close match is found in a real call, the software alerts the eavesdropper.

Jargon catcher

In tests on example conversations, the software correctly identified phrases with an average accuracy of about 50%. But that jumped to 90% for longer, more complicated words.

Wright thinks these phrases may be the most important. "I think the attack is much more of a threat to calls with some sort of professional jargon where you have lots of big words that string together to make long, relatively predictable phrases," he says. "Informal conversational speech would be tougher because it's so much more random."

Philip Zimmermann, the founder of the Zfone VoIP security project, says the compression schemes no longer seem like a good idea.

"I'd suggest looking for other alternatives," he says. Networks could solve the problem by padding out the data packets to an equal length, he adds, although this would reduce the extent of the compression.

A paper on the Johns Hopkins team's work was presented at the 2008 IEEE Symposium on Security and Privacy, in Oakland, California, US, last month.
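
The padding mitigation mentioned in the article, sketched as an added example (not part of the original post or the article, and not any project's code): each frame is padded to one fixed length before encryption, so an observer sees a single packet size, and the bandwidth cost is measured. The frame sizes, the 2-byte length prefix and all function names are assumptions made for illustration.

```python
import struct

# Constructed sample: payload sizes (bytes) of consecutive VBR voice frames.
# Values are illustrative only, not taken from any real codec or capture.
SAMPLE_FRAME_SIZES = [10, 15, 20, 28, 38, 46, 46, 38, 20, 10, 15, 62]

def pad_frame(frame: bytes, target: int) -> bytes:
    """Pad one codec frame to exactly `target` bytes, before encryption.

    Assumed layout: 2-byte big-endian real length, the frame, zero fill.
    """
    if len(frame) + 2 > target:
        raise ValueError("frame does not fit in target size")
    fill = b"\x00" * (target - 2 - len(frame))
    return struct.pack(">H", len(frame)) + frame + fill

def unpad_frame(padded: bytes) -> bytes:
    """Recover the original frame on the receiving side, after decryption."""
    (n,) = struct.unpack(">H", padded[:2])
    if n > len(padded) - 2:
        raise ValueError("corrupt length prefix")
    return padded[2:2 + n]

def observable_sizes(frames, target=None):
    """Sizes a passive observer sees, assuming encryption adds only a
    constant number of bytes per packet."""
    if target is None:
        return [len(f) for f in frames]
    return [len(pad_frame(f, target)) for f in frames]

def bandwidth_overhead(frames, target):
    """Fractional increase in payload bytes caused by padding."""
    raw = sum(len(f) for f in frames)
    return (len(frames) * target - raw) / raw

def demo():
    frames = [bytes([i % 256]) * n for i, n in enumerate(SAMPLE_FRAME_SIZES)]
    target = max(SAMPLE_FRAME_SIZES) + 2  # largest frame plus length prefix
    before = observable_sizes(frames)
    after = observable_sizes(frames, target)
    assert all(unpad_frame(pad_frame(f, target)) == f for f in frames)
    # (distinct sizes unpadded, distinct sizes padded, overhead fraction)
    return len(set(before)), len(set(after)), round(bandwidth_overhead(frames, target), 2)

if __name__ == "__main__":
    print(demo())
```

On this constructed sample the seven distinct packet sizes collapse to one, at the cost of roughly doubling the payload bytes, which is the trade-off Zimmermann describes.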


