Cisco Funds University Research into VoIP Security


VoIP is a universally established technology carrying voice, video and text-based communication over the Internet, using the Voice over Internet Protocol. In Australia, VoIP services are supplied by a number of telecommunication providers including the major telcos. Unlike the traditional PSTN phone networks, the open Internet architecture is more vulnerable to cyber attacks including eavesdropping and electronic surveillance. For this reason, the major concern with VoIP communication relates to security.

VoIP is, by itself, no more secure than an ordinary Internet broadband connection. To improve on this level of security, providers supply what are called Crypto Phones. Popular instances of these phones include PGPfone and Zfone. These are mobile devices that provide security against eavesdropping and electronic surveillance.

With Crypto Phones, users exchange security information orally. The mechanism used is called Short Authenticated Strings (SAS). Users exchange a shared cryptographic key over a voice channel that Crypto Phone suppliers claim provides source authentication, which supposedly makes it secure. As we shall see, research recently conducted at Alabama University shows this not to be entirely true. Cisco Systems funded the research carried out at the University of Alabama, with the aim of identifying VoIP vulnerabilities and ways to address these flaws.
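The SAS comparison described above can be sketched as follows. This is an added example, not code from the researchers or from any Crypto Phone product: the toy Diffie-Hellman group, the `sas-demo` label and the 4-digit decimal format are assumptions chosen for illustration, and real products derive their strings differently.

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman group, for illustration only: this 127-bit
# prime is far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_secret(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def sas(secret, digits=4):
    """Short decimal string derived from the session secret (simplified)."""
    h = hashlib.sha256(b"sas-demo" + secret).digest()
    return f"{int.from_bytes(h[:8], 'big') % 10**digits:0{digits}d}"

def call(intercepted, digits=4):
    """Return the SAS displayed on (caller's, callee's) device."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # A relay on the path replaces each public key with its own, so each
        # endpoint ends up sharing a different secret with the relay.
        m_priv, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    return (sas(session_secret(a_priv, a_sees), digits),
            sas(session_secret(b_priv, b_sees), digits))

if __name__ == "__main__":
    for label, flag in (("direct call", False), ("relayed call", True)):
        caller, callee = call(flag)
        print(f"{label}: caller reads {caller}, callee reads {callee}, "
              f"match={caller == callee}")
```

The mismatch on the relayed call is only noticed if the string each user hears genuinely comes from the other party, which is the source-authentication assumption the research examined.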

In a series of tests that the researchers performed, they were able to bypass the cryptographic protocol. Using readily available speech recognition and synthesis tools, they were able to eavesdrop on calls, record a caller’s voice pattern and use these patterns to successfully attack the network and establish connections using false SAS strings.

The researchers were able to compromise the voice channel security using two separate methods. Firstly, they built arbitrary SAS strings by reordering previously recorded strings spoken in the voice of a caller. Secondly, they built and used arbitrary SAS strings spoken in a victim’s voice, based on previously recorded sentences of less than 3 minutes’ duration.

In summary, these attacks were successful because they exploited inherent weaknesses in the Crypto Phone VoIP services which supposedly provide encrypted voice-to-voice communication.

To overcome these weaknesses, the researchers recommend the addition of security layers in the VoIP protocol and automated voice recognition and voice biometrics systems.

Image Courtesy of Katherine Welles /
