Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Communications

Compressed VoIP Calls Vulnerable To Bugging 140

holy_calamity writes "Security researchers at Johns Hopkins report that a variable bit-rate compression scheme being rolled out on VoIP systems leaves encrypted calls vulnerable to bugging. Simpler syllables are squeezed into smaller data packets, with more complex ones taking up more space; the researchers built software that uses this to spot phrases of interest in encrypted calls simply by measuring packet size."
This discussion has been archived. No new comments can be posted.

Compressed VoIP Calls Vulnerable To Bugging

Comments Filter:
  • Easy Solution: (Score:5, Insightful)

    by dintech ( 998802 ) on Friday June 13, 2008 @11:23AM (#23780065)
    Easy Solution. Music in the background.
    • Re:Easy Solution: (Score:5, Insightful)

      by Anonymous Coward on Friday June 13, 2008 @11:26AM (#23780127)

      Better solution: Fix the stupid, broken protocol.

      For instance, the concept of RSA blinding had to be invented because people discovered that certain bits of the SSL private key can be determined simply by measuring the time it takes to encode messages. This was due to some implementation details inside SSLeay where it switched from one multiplication algorithm to a different one depending on the size of certain numbers in the algorithm.

      OAEP had to be invented for similar reasons

      "Music in the background" is not a security solution. In fact, that's a freaking joke.

      • by Daimanta ( 1140543 ) on Friday June 13, 2008 @11:44AM (#23780489) Journal
        ""Music in the background" is not a security solution. In fact, that's a freaking joke."

        Yes, but a joke you can dance on.
      • by billstewart ( 78916 ) on Friday June 13, 2008 @12:59PM (#23782057) Journal
        This isn't a simple case of a broken protocol - it's an effect of mixing different protocols in ways that don't work together.

        Voice codecs are designed to support a given level of audio quality subject to bit rate and computational complexity limitations. Most codecs are fixed-rate, or fixed-rate with silence suppression. Encryption isn't part of their design; it's somebody else's problem, and many VOIP systems aren't encrypted anyway (for instance, connections between an office phone and a PBX usually aren't.) Variable bit rate codecs are sometimes a good choice, depending on the kind of sounds you're trying to compress and the networks you're transmitting them on, and they're at least an alternative to the usual fixed-rate codecs.

        Encryption systems usually aren't designed to deal with real-time message streams or timing attacks. Typically VOIP encryption protocols are designed for constant bit rate codec output, which is what most codecs provide, and the codecs usually package up 10, 20, or 30ms audio samples into a data packet for transmission over IP.

        The problem occurs when you're choosing your codec and encryption separately, and you take a crypto system designed for fixed-rate codecs and use a variable-bit-rate codec instead. It's difficult to keep people from doing that sort of thing, especially if they're using huge-overhead approaches like VOIP inside IPSEC as opposed to VOIP systems with the crypto built in. It's also difficult to prevent people from making bad choices like that when they're using open-source software applications, as opposed to proprietary phones that only have the small set of codecs the manufacturer built in (typically uncompressed G.711, or G.729 or a GSM codec, all of which are fixed-rate except for silence suppression.)

      • Re: (Score:3, Informative)

        OAEP had to be invented for similar reasons

        Not true: OAEP fixes problems with the math, which by its declarative nature is timing-independent.

        The problem fixed by OAEP is this: suppose you want to a message from a small set (say, a single bit, or "attack" versus "retreat"); assume for convenience the set of messages is contained in [0, n-1], where n = pq is part of the RSA public key.

        If you just do plain RSA encryption (c = m^e % n), then the eavesdropper can encrypt all the values from the small set in almost no time, and see which of the encrypti

      • by lpq ( 583377 )
        The music in the background isn't so ridiculous...though maybe it would be 'random' noise generated by the sending phone that is based on a key-negotiation sent at call start & maybe changed periodically throughout the call. But it may not be possible to remove the "scarcity" of information in the data-stream (all the small words have been compressed, so few bits are used) from the real-time nature of VoIP -- and the fact that people might not be saying much, using "little words", or whatever. It seem
      • Hey AC: don't be an asshuile. We are all on the same team here no? You are right, but the irony is that because you are right, you are frustrated that people don't get it, and you react in a way that reduces the fraction of readers that will get it.

        It's worth noting that the wrongest part of the dintech post you're criticizing has nothing to do with music. It's "Easy Solution"... as if. So is it going to be "give a man a fish" or "teach a man to fish?"

    • Re: (Score:3, Funny)

      by gstoddart ( 321705 )

      Easy Solution. Music in the background.

      Oh, sure, give the RIAA reason to get involved in encrypted phone calls.

      They'll try to make sure you're not using unlicensed music to mask your conversations. We'll be seeing John Doe subpoenas to get access to what music you were playing. :-P

      I'm only half joking.

      Cheers
    • Not really... (Score:4, Informative)

      by msauve ( 701917 ) on Friday June 13, 2008 @12:42PM (#23781761)
      First, the paper was testing the Speex codec [speex.org], and in based in principle on looking at codecs which use variable bit-rate CELP, a compression scheme which is tailored to speech, not music (music sounds terrible through one of these codecs, because their dictionaries are filled with speech sounds). Having music in the background is only likely to confuse the codec, making the speech sound terrible too, possibly to the point of unintelligibility.

      The conclusions do not apply to more standardized codecs like G.711 and G.729a, which use fixed size packets.

      The paper itself can be downloaded from here [jhu.edu]. Get it quick, before the IEEE figures this out and make the author remove it so they can extort their fee.
    • Easier solution: don't use voice.

      I've always found VoIP rather humorous, since you're taking a digital channel, and shoving voice through it - you know, like the reverse of a dial-up modem.

      If you're dealing with sensitive stuff that you don't want eavesdropped, do it in a secure IM session or encrypted email. Talk is overrated!
  • by phorm ( 591458 ) on Friday June 13, 2008 @11:23AM (#23780075) Journal
    Anyone wanting to avoid detection could just follow what my German-speaking grandparents do when they don't want us kids listening into the conversation: randomly switch languages on different topics (though I think that this is sometimes also because some concepts are also easier to portray in a given language).

    Random switches between languages would probably confuse the heck out of filters guessing compressed data. That or you could just learn Russian... I don't think they *have* any simple-syllable words in Russian :-)
    • by smitty97 ( 995791 ) on Friday June 13, 2008 @11:26AM (#23780115)

      That or you could just learn Russian... I don't think they *have* any simple-syllable words in Russian :-)
      In Soviet Russia, VoIP bugs you!
    • by markana ( 152984 ) on Friday June 13, 2008 @11:47AM (#23780565)
      >That or you could just learn Russian... I don't think they *have* any simple-syllable words in Russian :-)

      Da!
    • by mlwmohawk ( 801821 ) on Friday June 13, 2008 @11:48AM (#23780577)
      Just speak arabic!! We already know the FBI and CIA don't have enough translators.
      • by MindStalker ( 22827 ) <mindstalker AT gmail DOT com> on Friday June 13, 2008 @12:35PM (#23781623) Journal
        Depends upon how you define "translators." One of my best friends just got out of the Army, he is a really good linguist and knows several langauges, but he flunked out of the Arabic program because its not just hard to learn, you have to learn hundreds of dialects even for Iraq. He could understand it well enough but to be able to go out on the street and translate you have to be certain you won't accidentally offend with a mistranslation. Apparently virtual no non native arabic speakers ever make it through this program. Anyways he go reassigned to listen to and interpret radio broadcast and other incoming information. Not officially a translator. The point to this story?? I don't know..
        • Re: (Score:2, Informative)

          by wyohman ( 737898 )
          Apparently virtual no non native arabic speakers ever make it through this program.

          Not likely spanky. Were this true, the language school at Monterey would have to answer a lot of very tough questions. Like my wise grandfather used to say, "Believe half of what you see and none of what you hear."

          Cheers.
      • Re: (Score:2, Funny)

        by Samizdata ( 1093963 )
        I worked for a set of commodity trader brothers back in the 80's. One of them, who worked as their corporate attorney, was in a Club Fed for tax issues.

        I saw more than one threat from the Bureau of Prisions warning them to stop using Latvian (their native tongue) during phone calls to the incarcerated.
    • Re: (Score:3, Insightful)

      by JeffAMcGee ( 950264 )
      Going from one language to two would only make the process of breaking the message a bit more complex, and by that I mean precisely one bit more complex, because there would be about twice as many phrases to look for. This is not a solution. The solution is to not use variable bit rate compression if security is important.
    • Re: (Score:3, Funny)

      by hummassa ( 157160 )

      That or you could just learn Russian...
      Which would give you an advantage, if you ever have to pilot a bleeding-edge mind-controlled Russian jet fighter.

    • by SBacks ( 1286786 )
      If you're going to go through all this trouble, you might as well start from scratch. Make a language only you and people you wish to secretly communicate with know.
      • Nah, Esperanto for the win :)
      • by gnick ( 1211984 )

        If you're going to go through all this trouble, you might as well start from scratch. Make a language only you and people you wish to secretly communicate with know.
        Ix! Gorfat blutell pragmew ig jounty crein moxin fout. Im odin reax trelli poin zor trillo daster zub? Unt jo.
    • by caluml ( 551744 )

      I don't think they *have* any simple-syllable words in Russian :-)
      Da?
  • I would think that a very slight randomization of the packets with filler would add a trivial amount of data to the packet and would tend to interfere with thier analysis. I'm sure after a certain point of added bytes and randomization, you would change their margin of error such that the process wasn't useful or effective anymore.
    • by pclminion ( 145572 ) on Friday June 13, 2008 @11:33AM (#23780289)

      Time/space attacks are well known. Somebody who actually, hmm, UNDERSTOOD cryptographic security would never have designed the protocol this way in the first place.

      The people suggesting that we should just inject noise or background patterns are being ridiculous. Why sacrifice communication quality when there are BETTER ways to fix it? DO IT RIGHT.

      • Re: (Score:3, Interesting)

        ---The people suggesting that we should just inject noise or background patterns are being ridiculous. Why sacrifice communication quality when there are BETTER ways to fix it? DO IT RIGHT.

        Injecting "noise" makes sense for me. Why so?

        We use a salt for our hashes, dont we? The "noise" would be the same thing. Consider this: during negotiation, we have chaotic noise formulas in which we propagate the variables so that each side knows the noise transform. We then add the noise after digitalization but before e
  • by martyb ( 196687 ) on Friday June 13, 2008 @11:30AM (#23780223)

    FTFA

    In tests on example conversations, the software correctly identified phrases with an average accuracy of about 50%. But that jumped to 90% for longer, more complicated words. Wright thinks these phrases may be the most important. "I think the attack is much more of a threat to calls with some sort of professional jargon where you have lots of big words that string together to make long, relatively predictable phrases," he says. "Informal conversational speech would be tougher because it's so much more random."

    So, ummm, what we should do to, umm, well, protect ourselves from, ummm, yaknow, eavesdroppers, heh-heh, is well, make sure there's enough, ummmmmmm, yaknow, like extra noise, like, mixed in, dude.

    • by gstoddart ( 321705 ) on Friday June 13, 2008 @12:18PM (#23781273) Homepage

      So, ummm, what we should do to, umm, well, protect ourselves from, ummm, yaknow, eavesdroppers, heh-heh, is well, make sure there's enough, ummmmmmm, yaknow, like extra noise, like, mixed in, dude.

      Oh my god, thats like, totally, like, a great idea, yaknow. I mean, like, they'll never figure out what we're, like, saying, yaknow?

      Oryoucouldspeakreallyfastwithoutpausesbetweenwords. Thatwaythey'llneverknowwhatyousaid =)

      Or. We. Could. All. Speak. Like. Shatner. Random. Long. Pauses. Genius.

      Cheers
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Or. We. Could. All. Speak.
        Like. Shatner. Random. Long.
        Pauses. Genius.


        You're missing one syllable in the middle line...


        • You're missing one syllable in the middle line...

          He doesn't have a full pause between every syllable. Sometimes, he'll put a couple of words together in one go as well "Spock. How. Areweto. Know. Whattodo?" or "Nurse. Chapel. Let's. Gotomyroom". ;-)

          Cheers
      • Brilliant!
    • Lumbergh? [blogger.com] Is that you?
  • by muellerr1 ( 868578 ) on Friday June 13, 2008 @11:32AM (#23780265) Homepage
    Just st-st-stuh-stutter when you talk. And use a lot of, uh, you know, um, non-word sounds between, uh, like, your phrases. And don't use any complexificated words without Bushifying them first. Better yet, only speak in Klingon.

    Or maybe you shouldn't say anything on VoIP that you don't want anyone else to hear.
    • Or maybe you shouldn't say anything on VoIP that you don't want anyone else to hear.

      A couple honest questions...

      1) Why do I see so much about wiretapping/bugging VoIP lately? I guess I've always assumed that VoIP was just as vulnerable to bugging as POTS - maybe even more so. Was I wrong? Was VoIP previously un-buggable and this just recently changed? Or is it just because VoIP is the new, cool thing?

      2) Why would anyone think that compressed VoIP would be any more or less secure than uncompressed? As

      • Re: (Score:3, Informative)

        by mmkkbb ( 816035 )
        From the article summary above: "a variable bit-rate compression scheme being rolled out on VoIP systems leaves encrypted calls vulnerable to bugging" and "spot phrases of interest in encrypted calls simply by measuring packet size."

        Emphasis mine.
      • 1) You're seeing lots about bugging and wiretapping VOIP because VOIP use is increasing, and because the buggers in government are getting really aggressive about wanting to wiretap people. VOIP is potentially less secure than POTS, because there are more ways to tap the Internet than traditional phones (where you either use alligator clips on the wire or go to the phone company office), and it's also potentially much more secure than POTS, because the end users can do their own encryption without needing
        • by FLEB ( 312391 )
          I think another factor adding to the possibility of VOIP tapping is that your conversation is liable to be sent over a range of different midpoints and hardware, owned by a variety of people. Plus, tapping in and copying the information stream has very little chance of creating noticeable interference.
        • Re: (Score:3, Funny)

          by 6Yankee ( 597075 )
          the buggers in government

          Oooh. Well played, Sir, well played.
        • an 8kbps voice codec typically takes 24-28kbps of IP if you don't encrypt it, and maybe double if you do.

          As I understand modern encryption, it adds overhead to creating the connection because encryption keys have to be shared before encrypted data can be sent, but the actual encryption is done with a cipher such that it takes up the same amount of space encrypted as decrypted, so it does not cause a size overhead on the main data transfer. Then again, if it changes keys often or is doing something else special, then maybe it would cause that much overhead.

          • That's not actually the problem here - as you say, the encryption itself doesn't cause a size increase except for an initial key exchange. The problem is that you're taking a raw data packet of two or three 10-byte compressed-voice samples (each 10ms at 8kbps), wrapping them in RTP/UDP headers (20 bytes) and IP headers (another 20 bytes), and then if you're doing a typical VPN with tunnel-mode IPSEC, you're adding another layer of IP headers (which are slightly larger because they've got IPSEC options adde
    • Or maybe you shouldn't say anything on VoIP that you don't want anyone else to hear.

      Well, then what's the point in saying it at all then? ;-)

      Oh, you mean someone other than the person you're talking to. My bad. :-P

      Cheers
  • Bad science (Score:4, Insightful)

    by DrYak ( 748999 ) on Friday June 13, 2008 @11:53AM (#23780695) Homepage
    First, the article mixes things :
    vowels actually are simpler than consonant to compress (because of spectral complexity - consonant use much more different frequencies. They are mostly noises and have a more "random"-like wave form making them harder to compress). They got it completely in reverse.

    Then TFA doens't show a method to magically guess was is being said over a crypted channel only by looking at the bitrates, it only says that it finds some predetermined pattern in a given set of samples to test against. The whole thing would only be able to answer to some very simple questions like "did the words XYZ appear in the conversation ? or did ABC appear in the conversation ?" - with a rather bad success rate if those words are long and complex enough - which hardly makes it enough to obtain personal information or otherwise efficiently spy on someone.

    Then the whole system has a lot of short comings :
    - As said before it assumes that the spy know exactly that some phrase has to be said - if the spy doesn't guess exactly what words he must search for the attack fails (the users may be speaking in a foreign language to begin with).
    - It assumes that the speech-generator-made needle they are looking for in the hay sack will be close to what they are looking for. The users may have an accent and pronounce words differently (cf alumnium vs. aluminium, etc...)
    - And worse of all, it assume that the granularity of the packed will be small enough so that the phonemes will have an influence on the bit rate. Whereas in reality, short packets have a big overhead of bandwidth, longer packets increases the latency. But lots of VoIP users are happy with a 500ms latency because it really diminishes the overhead. At 500ms you can have a couple of words in a single packet. The whole packet will tend to have a corresponding bandwidth close to the average (there will be small difference between phonemes, but these will all be packed into the same packet and will average).
    - It fails to take into account an interleaved video stream. Video conferencing is really popular, and its own bandwith will completely dwarf the bandwidth used by audio. So unless the VoIP uses 2 separate stream (some VoIP systems do), and only encrypt at the stream level, and the transmission is happening over a non crypted channel (no sane person should do that), this method will fail epically.
    • Then TFA doens't show a method to magically guess was is being said over a crypted channel only by looking at the bitrates, it only says that it finds some predetermined pattern in a given set of samples to test against.

      I don't care. Good cryptosystems should be absolutely impenetrable. Even the smallest flaw is like a crack in a dike. Maybe it will expand and blow the dike, maybe it won't. But it's simply UNACCEPTABLE to have cracks in the dike, and it's UNACCCEPTABLE to have known weaknesses. Whether

      • It's a traffic monitoring problem.

        It doesn't matter how good the cryptosystem you use to call the Pizza Hut nearest the Pentagon is, if you just need to count the trucks leaving the Pizza Hut to tell when there's a burst of late night activity so you can tell the invasion is about to start.
      • I don't care. Good cryptosystems should be absolutely impenetrable. Even the smallest flaw is like a crack in a dike. Maybe it will expand and blow the dike, maybe it won't. But it's simply UNACCEPTABLE to have cracks in the dike, and it's UNACCCEPTABLE to have known weaknesses.

        As I said, the counter measure is bloody simple :
        Use longer packets.
        - It saves your bandwidth because of less overhead (that's why people are *already* doing it).
        - It has only a small impact upon latency.
        - With long enough packets, the difference between sound averages and nothing can be eavesdropped based on phonemes compression ratio.

    • by drew ( 2081 )

      The whole thing would only be able to answer to some very simple questions like "did the words XYZ appear in the conversation ? or did ABC appear in the conversation ?" - with a rather bad success rate if those words are long and complex enough - which hardly makes it enough to obtain personal information or otherwise efficiently spy on someone.

      Yes but presumably if you know that a certain phrase appears in an encrypted conversation, and when it occurs, that could allow an attacker to use a known-plaintext

      • Yes but presumably if you know that a certain phrase appears in an encrypted conversation, and when it occurs, that could allow an attacker to use a known-plaintext attack to discover the rest of your conversation.

        No you can't. Because you don't have the plain text. What you have is a probability that some piece of the crypted transmission sounds somewhat similarly to another piece of audio you have.

        You didn't actually get the clear binary data (the original wave form or the original non-crypted compressed stream).

        By comparing the two pieces you have matched together you can't infer the key that was used to encrypt into another, because they actually AREN'T the crypted version of the other. They AREN'T the same data

  • ode-cay (Score:4, Funny)

    by fahrbot-bot ( 874524 ) on Friday June 13, 2008 @12:37PM (#23781661)
    Ust-jay eak-spay in ode-cay.
  • Send fixed size packets, splitting longer syllables into more packets and packing multiple short syllables into single packets.
    • Re: (Score:3, Informative)

      Then you'd be losing the point of compression, in which case you could bypass the problem entirely since the attack relies on examining the compression. :)

      In fact, you might be making it worse at that point, since now it's not compressed and you're splitting things into more packets than you were before, which could compound any latency-related issues that may be present.
      • by argent ( 18001 )
        I don't think you actually understood my suggestion, because I'm not suggesting anything that would reduce the effectiveness of compression, nor am I suggesting splitting things into more packets, on average.

        It would probably increase latency, but given the existing variation in latency I've seen streaming over the public internet I doubt you'd notice any increment from this.
  • This is very similar to traffic analysis attacks on SSH (like this one [acm.org]) where packet sizes and inter-arrival times can indicate which keys you are typing.
    Effective, practical counter-measures against good traffic analysis techniques are very difficult - especially if the attacked has enough traffic to work with (i.e. many conversations, many sessions, etc.).

Time is the most valuable thing a man can spend. -- Theophrastus

Working...