19 June 2008
A technique used to save bandwidth in Internet telephony (VoIP) can undermine its security, according to research recently presented at the IEEE Symposium on Security and Privacy. Researchers at Johns Hopkins University showed that in 'encrypted phone calls using a certain combination of technologies, preselected phrases can be spotted up to 50 percent of the time on average, and up to 90 percent of the time under optimal conditions'. Internet telephony is becoming increasingly popular as a means of communication. 'Although most VoIP systems don't yet use encryption', says Jason Ostrom, director of the VoIP research laboratory at Sipera Systems, 'it's absolutely necessary, particularly for business users. In many cases, security measures aren't in place because companies haven't realized how vulnerable VoIP can be. An assessment for a hotel that uses VoIP phones showed that an attacker could access and record guests' calls using a laptop plugged into a standard wall connection'. The Johns Hopkins researchers hope that by pointing out weaknesses in voice encryption systems now, those systems will have been improved by the time encryption becomes a standard feature. 'The Johns Hopkins attack takes advantage of a compression technique called variable-bit-rate encoding, which is sometimes used to save bandwidth in VoIP calls', explains Charles Wright, the lead author of the paper. Wright recently received his PhD from Johns Hopkins and joins the MIT Lincoln Laboratory in August. He continues: 'Variable-bit-rate encoding adjusts the size of data packets being sent over the Internet based on how much information they actually contain. For example, when the person on one end of a VoIP call is listening rather than speaking, the packets sent from that person's computer shrink significantly. Also, packets containing certain sounds, such as 's' or 'f', can take up less space than those containing more-complex sounds, such as vowels'.
'Encrypting the packets after they've been compressed scrambles their contents, making them look like gibberish. But it doesn't change their size, which is what would give away information to potential eavesdroppers', says Wright. In their research, 'we simulated the packets that a combination of compression and encryption would produce for particular phrases. While an example of the way that a targeted speaker pronounced a particular phrase would give eavesdroppers a big advantage, we could still simulate the phrase using a pronunciation dictionary and a database of sample sounds from multiple speakers'. The researchers can produce many sounds and many versions of each, which lets them simulate different accents and other variations in pronunciation. 'The method can identify the phrase, on average, about half the time that it occurs, and about half of the phrases it flags turn out to be exact matches of the desired phrase. In some circumstances, as when the phrases are longer, or when the speakers are particularly well matched to the simulated versions of the phrase, the accuracy became as high as 90 percent', says Wright. 'Because eavesdroppers have to know what phrase they're listening for, the threat would be more to technical, professional jargon than to an informal call between friends or family members'. 'While 50 percent accuracy may not sound like much, these are encrypted conversations, so your expectation is not to be able to do this at all', says Fabian Monrose, associate professor of computer science at Johns Hopkins, who was involved in the research. Matt Bishop, professor of computer science at the University of California, Davis, agrees. 'Fifty percent is quite scary', he says, 'because what it means is that, in essence, you could potentially understand a fair portion of the conversation. The whole purpose of encryption is to prevent understanding'.
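The mechanism Wright describes in the two passages above (VBR frame sizes that survive encryption, and a phrase profile built from a pronunciation dictionary) can be reproduced end to end in a toy model. The following is an added example, not code from the Johns Hopkins paper or from this article: the phoneme frame sizes and the pronunciation dictionary are constructed values rather than real Speex/VBR rates, the encryption is a plain XOR keystream chosen only because it is length-preserving like SRTP's counter mode (minus SRTP's constant authentication-tag overhead), and the matcher is a simple sliding-window size distance, a deliberate simplification of the profile hidden Markov models used in the real work. The last function shows the countermeasure the leak implies: padding every frame to one size before encryption.

```python
"""Added example (not from the Johns Hopkins paper or the article): a toy
model of the VBR size-leak attack and of the padding mitigation.
Phoneme frame sizes and the pronunciation dictionary are constructed values,
not real Speex/VBR rates; the matcher is a plain sliding-window distance,
a simplification of the profile HMMs used in the real work."""
from hashlib import sha256

# Constructed: bytes per 20 ms frame for a few phoneme classes under a
# hypothetical VBR codec. Cheap fricatives ('s', 'f'), pricier vowels,
# and '_' for a silent frame between words.
FRAME_BYTES = {"_": 6, "s": 10, "f": 10, "t": 14, "k": 14, "p": 14,
               "n": 18, "m": 18, "l": 18, "r": 18,
               "a": 26, "e": 26, "i": 28, "o": 26, "u": 24}

# Constructed pronunciation dictionary: word -> phoneme string.
DICTIONARY = {"ok": "oke", "sell": "sel", "the": "te", "stock": "stok",
              "at": "at", "noon": "nun", "fast": "fast", "attack": "atak"}


def phrase_profile(phrase):
    """Expected packet-size sequence for a phrase: one frame per phoneme and
    one silent frame between words (this is what the eavesdropper simulates)."""
    sizes = []
    for word in phrase.split():
        sizes.extend(FRAME_BYTES[p] for p in DICTIONARY[word])
        sizes.append(FRAME_BYTES["_"])
    return sizes[:-1]


def simulate_call(phrases, jitter=0):
    """Plaintext frames for a call made of `phrases`. `jitter` nudges sizes by
    -jitter/0/+jitter (deterministically) to stand in for speaker variation."""
    frames = []
    for k, phrase in enumerate(phrases):
        for s in phrase_profile(phrase):
            frames.append(b"\x01" * (s + ((k + s) % 3 - 1) * jitter))
        frames.append(b"\x00" * FRAME_BYTES["_"])
    return frames


def encrypt_frames(frames, key):
    """Length-preserving encryption (XOR with a SHA-256 keystream), as with
    SRTP's counter mode: each ciphertext is exactly as long as its plaintext.
    Applying it twice with the same key decrypts."""
    out = []
    for i, frame in enumerate(frames):
        stream = b""
        while len(stream) < len(frame):
            ctr = i.to_bytes(4, "big") + len(stream).to_bytes(4, "big")
            stream += sha256(key + ctr).digest()
        out.append(bytes(a ^ b for a, b in zip(frame, stream)))
    return out


def observed_sizes(ciphertexts):
    """All a passive eavesdropper gets to see: the size of each packet."""
    return [len(c) for c in ciphertexts]


def find_phrase(observed, target, max_distance=0.15):
    """Slide the target profile over the observed size sequence; report offsets
    where the summed absolute size difference, normalized by the profile's
    total size, is at most `max_distance`."""
    hits, n, total = [], len(target), sum(target)
    for off in range(len(observed) - n + 1):
        window = observed[off:off + n]
        dist = sum(abs(a - b) for a, b in zip(window, target)) / total
        if dist <= max_distance:
            hits.append(off)
    return hits


def pad_to_constant(frames):
    """Mitigation: pad every frame to the largest frame in the call before
    encryption (a real CBR codec fixes the size up front), so every
    ciphertext has the same length and the size vector carries nothing."""
    m = max(len(f) for f in frames)
    return [f + b"\x00" * (m - len(f)) for f in frames]


if __name__ == "__main__":
    key = bytes(range(32))
    target = phrase_profile("sell the stock")
    call = simulate_call(["ok", "sell the stock", "at noon"], jitter=2)
    vbr = observed_sizes(encrypt_frames(call, key))
    print("VBR, encrypted: phrase found at offsets", find_phrase(vbr, target))
    cbr = observed_sizes(encrypt_frames(pad_to_constant(call), key))
    print("padded, encrypted: phrase found at offsets", find_phrase(cbr, target))
```

Run stand-alone, the script finds 'sell the stock' at the frame offset where it was spoken even with the size jitter switched on, and finds nothing once the frames are padded, which is the practical check to make of any VoIP deployment: confirm the codec or the transport fixes the packet size, because the cipher by itself will not.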
Ostrom says the research is highly significant 'because it shows that you shouldn't feel safe just because you're using a security control. You still have to validate it to ensure that it meets your requirements. In VoIP, there's always a fight between quality of service and security'.