#78094 by tomcat
Sun Mar 27, 2011 2:26 pm
I came across two articles (published several years ago) that reference a study by Johns Hopkins University which states that "...VBR compression with length-preserving encryption leaks information about VoIP conversations". The vulnerability allows attackers to "tap" the VoIP conversation. Although the tapping isn't perfect, it would seem a lot of information could still be obtained at the time. If this is being used I'm sure the accuracy has only gotten better since then.

While I'm sure the likeliness/unlikeliness of this happening will be up in the air, has the VoIP industry (more importantly Ooma) taken steps to help mitigate this vulnerability? Any of the Ooma moderators care to weigh in, please?

http://news.techworld.com/security/1019 ... oip-calls/
http://www.pctools.com/industry-news/ar ... -18641973/
#78097 by tomcat
Sun Mar 27, 2011 3:37 pm
Thanks for the information, lbmofo.

It looks as though the PDF document you referenced may have been published in 2007 prior to the study being released.

Here's the link to the JHU paper itself for those interested: http://www.cs.jhu.edu/~fabian/papers/oakland08.pdf

Also, the Techworld article states: "For mitigating such attacks, padding could be used to make the bit patterns less recognisable, the researchers argued. However, none of the default encryption transforms of the Secure Real-time Transport Protocol, a standard for secure VoIP calls, specify the use of padding, the researchers pointed out."

The JHU paper states (page 3): " ... Unfortunately, this approach can also cause substantial leakage of information in encrypted VoIP calls because, in the standard specification for Secure RTP (SRTP) [2], the cryptographic layer does not pad or otherwise alter the size of the original RTP payload."


It has my curiosity. :?
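
The padding mitigation quoted in the post above, as an added example that is not part of the thread or the JHU paper: it compares what an on-path observer can distinguish from packet sizes when encryption preserves length versus when payloads are padded to a block boundary. The frame sizes are constructed sample values and `pad_to` is a hypothetical parameter, not an SRTP setting.

```python
import math
from collections import Counter

# Constructed sample: payload sizes (bytes) of consecutive VBR-encoded voice
# frames. Illustrative values only, not taken from the paper or a codec spec.
FRAME_SIZES = [10, 15, 20, 28, 38, 46, 62, 20, 15, 10, 28, 38, 46, 62, 38, 20]

def observed_lengths(sizes, pad_to=None):
    """Ciphertext payload lengths visible to an on-path observer.

    pad_to=None models length-preserving encryption (ciphertext length equals
    plaintext length). Otherwise each payload is padded up to the next
    multiple of pad_to bytes before encryption (pad_to is an assumption).
    """
    if pad_to is None:
        return list(sizes)
    return [((s + pad_to - 1) // pad_to) * pad_to for s in sizes]

def entropy_bits(lengths):
    """Shannon entropy (bits per packet) of the observed length distribution."""
    counts = Counter(lengths)
    total = len(lengths)
    return sum((c / total) * math.log2(total / c) for c in counts.values())

def overhead(sizes, pad_to):
    """Fraction of extra bytes sent because of padding."""
    padded = observed_lengths(sizes, pad_to)
    return (sum(padded) - sum(sizes)) / sum(sizes)

if __name__ == "__main__":
    for pad in (None, 16, 32, 64):
        seen = observed_lengths(FRAME_SIZES, pad)
        cost = 0.0 if pad is None else overhead(FRAME_SIZES, pad)
        print(f"pad_to={pad}: {len(set(seen))} distinct sizes, "
              f"{entropy_bits(seen):.2f} bits/packet, overhead {cost:.0%}")
```

Coarser padding leaves fewer distinguishable packet sizes at the cost of more bandwidth; the figures describe only this constructed sample.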
