While 50 percent accuracy may not sound like much, “these are encrypted conversations, so your expectation is not to be able to do this at all,” says Fabian Monrose, an associate professor of computer science at Johns Hopkins, who was also involved in the research.
Matt Bishop, a professor of computer science at the University of California, Davis, agrees. “Fifty percent is quite scary,” he says, “because what it means is that, in essence, you could potentially understand a fair portion of the conversation. The whole purpose of encryption is to prevent understanding.” He adds that the attack is made more realistic by its ability to simulate phrases from standard sample sounds, which would be easier for an attacker to obtain than speech samples from the person he or she wants to spy on.
Sipera Systems’ Ostrom says that he found the research particularly interesting “because it shows that you shouldn’t feel safe just because you’re using a security control. You still have to validate it to ensure that it meets your requirements.” He adds, “In VoIP, there’s always a fight between quality of service and security.” The researchers’ attack is a good example, he says, because it explores how an effort to improve quality of service by reducing bandwidth usage can affect efforts to protect calls. However, Ostrom notes that most corporations aren’t currently using variable-bit-rate encoding and wouldn’t now be at risk.
Wright and Monrose say that they see their work as more of a cautionary tale. Monrose says that recently he has been seeing drafts of technical specifications that call for variable-bit-rate encoders. “Our gut reaction was, this has privacy implications that people have not well studied,” he says. The researchers say that they hope their work will prevent people from making design decisions in isolation and encourage them to think about solutions that will increase both efficiency and security. “If we start combining tools the way a lot of the specifications are calling for,” Monrose says, “then we need to make sure that we do it in the right way.”