University Researchers Discover Security Flaws in VoIP ‘Crypto Phones’
Voice over Internet protocol communication has become an integral part of businesses and schools. But researchers at the University of Alabama at Birmingham (UAB) say they have discovered a few chinks in the technology’s armor.
University researchers, aided by the financial support of Cisco Systems, have been testing for weaknesses in current video and VoIP services. In early November , the team announced the findings of their research at the ACM Conference on Computer and Communications Security in Scottsdale, Ariz..
“Given the surge in popularity of computing devices, ensuring the security of VoIP connections is very important for personal users, and especially for business users,” said Nitesh Saxena, associate professor of computer information services at UAB, in a news release.
The study, titled Wiretapping via Mimicry: Short Voice Imitation Man-in-the-Middle Attacks on Crypto Phones, focuses on the weaknesses inherent in so-called crypto phone VoIP services, such as Silent Circle, PGPfone and Zfone, which allow for encrypted peer-to-peer communications.
These services offer a more secure alternative for users seeking a decentralized approach to standard VoIP services, such as Skype and Google Hangouts. However, researchers found a few ways to exploit weaknesses in the method used to validate these crypto phone calls.
To initiate a crypto phone call, each user must trade a shared cryptographic key through a communications channel that is assumed to be secure. But in a series of tests with a group of 30 study participants, researchers were able to attack these channels. Using off-the-shelf speech recognition and synthesis tools, researchers were able to eavesdrop on calls, record callers’ voices and use them in a “short voice morphing attack,” circumventing the cryptographic protocol that secures the communication, according to the report.
To overcome these weaknesses, researchers suggested adding security layers, including automated voice recognition and voice biometrics systems.
“We believe our findings from this project will make strong impacts — not only on networking security, but also on human-computer interaction and real-world usability,” Maliheh Shirvanian, the doctoral student who led the project, said in a news release. “The results bring to light the threats of conceived voice privacy, and should serve as notice to users to pay careful attention to the potential security weaknesses in the future.”
