Infosecurity, Surveillance

New threat found in VoIP

By Alice Kok | 6 August 2008

VoIP streams are encrypted to prevent eavesdropping. However, a team from Johns Hopkins University in Baltimore, Maryland, US, has shown that simply measuring the size of packets without decoding them can identify whole words and phrases with a high rate of accuracy.

View photos

Related Categories

• INFOSECURITY
• SURVEILLANCE

From this Section

• RESEARCH

VoIP systems accessed via a computer like Skype have become popular in recent years with internet phone systems increasingly appearing in homes and offices in place of conventional telephones. Although most networks are currently safe, many service providers are due to implement the flawed technology in future VoIP upgrades. Charles Wright, a member of the Johns Hopkins team says, “We hope we have caught this threat before it becomes too serious.”

Eavesdroppers might be able to gain clues about the content of encrypted conversations even without breaking the cryptography. The eavesdropping software the team has developed is unable to decode entire conversations, but it can search of chosen keywords within the encrypted data. In tests on example conversations, the software correctly identified phrases with an average accuracy of about 50%. But that jumped to 90% for longer, more complicated words. And this just might be the problem with VoIP.

An eavesdropping attempt is more of a threat to a professional’s conversation that includes complicated work jargon than to a random personal call. A criminal will be able to find important encrypted calls through correct input of key phrases Philip Zimmermann, the founder of the Zfone VoIP security project, says the compression schemes may not be a good idea for internet phone applications. Alternatives suggested includes padding out the VoIP data packets to an equal length, he adds, although this would reduce the extent of the compression.