Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

While 50 percent accuracy may not sound like much, “these are encrypted conversations, so your expectation is not to be able to do this at all,” says Fabian Monrose, an associate professor of computer science at Johns Hopkins, who was also involved in the research.

Matt Bishop, a professor of computer science at the University of California, Davis, agrees. “Fifty percent is quite scary,” he says, “because what it means is that, in essence, you could potentially understand a fair portion of the conversation. The whole purpose of encryption is to prevent understanding.” He adds that the attack is made more realistic by its ability to simulate phrases from standard sample sounds, which would be easier for an attacker to obtain than speech samples from the person he or she wants to spy on.

Sipera Systems’ Ostrom says that he found the research particularly interesting “because it shows that you shouldn’t feel safe just because you’re using a security control. You still have to validate it to ensure that it meets your requirements.” He adds, “In VoIP, there’s always a fight between quality of service and security.” The researchers’ attack is a good example, he says, because it explores how an effort to improve quality of service by reducing bandwidth usage can affect efforts to protect calls. However, Ostrom notes that most corporations aren’t currently using variable-bit-rate encoding and wouldn’t now be at risk.

Wright and Monrose say that they see their work as more of a cautionary tale. Monrose says that recently he has been seeing drafts of technical specifications that call for variable-bit-rate encoders. “Our gut reaction was, this has privacy implications that people have not well studied,” he says. The researchers say that they hope their work will prevent people from making design decisions in isolation and encourage them to think about solutions that will increase both efficiency and security. “If we start combining tools the way a lot of the specifications are calling for,” Monrose says, “then we need to make sure that we do it in the right way.”

9 comments. Share your thoughts »

Credit: Charles Wright/Johns Hopkins University

Tagged: Communications, security, bandwidth, VOIP, bandwidth savings, exploits

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me