Researchers have discovered a trick that allows encrypted VoIP calls like Skype to be deciphered without the need to crack encryption.
The method, dubbed "Phonotactic Reconstruction", exploited the Linear Predictive Filter, a system used by Voice over Internet Protocol platforms to transmit conversations by creating data sets from spoken English.
Data sets were used to rebuild Skype conversations because they resemble the fragments of spoken words, or phonemes, on which they were modelled.
Linguists were helped further because the scripts and file sizes of the data sets, even after encryption, matched phonemes. Rules of spoken language mean that phonemes have a strict placement within words, which helped linguists reconstruct conversations.
While the exploit meant the University of North Carolina linguists did not need to crack encryption –an expensive process of complex mathematics and onerous compute resources – it could produce high-quality reconstructed conversations.
“Our results show that the quality of the recovered transcripts is far better in many cases than one would expect,” the researchers wrote in a paper (pdf).
“While the generalised performance is not as strong as we would have liked … one would hope that such recovery would not be at all possible since VoIP audio is encrypted precisely to prevent such breaches of privacy.”
“It is our belief that with advances in computational linguistics, reconstructions of the type presented will only improve.”
While Linear Predictive Filtering weakens cryptography because encrypted data bears a statistical relationship to the source data, it is used by VoIP systems because it provides the best type of compression.
But while reconstruction is possible, the researchers said Skype cannot be considered safe. “No reconstruction, even a partial one, should be possible; indeed, any cryptographic system that leaked as much information as shown here would immediately be deemed insecure.
Copyright © SC Magazine, Australia
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.