Compression lets attackers tap VoIP calls
June 17, 2008 – 7:56 AMA common compression technique can make internet telephone calls significantly more susceptible to bugging, according to recent research from Johns Hopkins University.
Internet telephony has become widely used through consumer-centric applications such as Skype, and is becoming more common in enterprises.
The new research suggests, however, that standard encryption and compression methods, when used together, are not sufficiently secure.
VoIP calls are commonly encrypted using a technique that preserves the lengths of voice patterns in the original, unencrypted conversation, the researchers said.
Such calls are relatively difficult to listen in on, they said. But when length-preserving encryption is used with the variable bitrate (VBR) compression technique, the combination leaks a significant amount of information about the conversation, they found.
“Previous work has shown that combining VBR compression with length-preserving encryption leaks information about VoIP conversations,” the researchers said in the report. “We show that this information leakage is far worse than originally thought.”
In such conversations, particular phrases could be identified within encrypted VoIP calls with more than 90 percent accuracy. Even in decoding entire conversations, accuracy was significant, the research found.
“On average, our method achieves recall of 50 percent and precision of 51 percent for a wide variety of phonetically rich phrases spoken by a diverse collection of speakers,” the researchers said.
The problem arises because VBR compression alters the compression rate based on the type of sound being compressed, using higher compression for simpler sounds and lower compression for more complex sounds.