
Researchers say encrypted VoIP is not as secure as portrayed

Together with computer experts, linguistics researchers at the University of North Carolina have demonstrated that even when encrypted, VoIP phone conversations are not as secure as popularly thought.

The team recently released their findings at the IEEE Symposium on Security and Privacy in Oakland, California. They showed that by splitting voice messages broadcast over the Internet, and then parsing the bits into phonemes, the components of human speech, they could recreate conversations, at least to some degree, using linguistic rules. The results are not conclusive, but were good enough to derive the essence of what was being said.

The results also showed that popular VoIP services such as Skype, in spite of various layers of encryption and data transformation using complex algorithms to prevent easy capture of voice conversations over the Internet, are at risk of eavesdropping by hackers driven to listen in on what are supposed to be private conversations.

The research team was able to reconstruct voice conversations not by cracking the encryption, but by measuring the size of the data packets sent across an IP network and then applying known linguistic rules of human speech to those packets to decode individual components of speech. When assembled, these resulted in conversations that were somewhat comprehensible to those listening.
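The size leak described above, shown from the defender's side as an added example that is not from the article or the researchers' study: encryption that preserves length leaves each packet's size visible, while padding every frame to one size removes that signal. The frame sizes, `PAD_TO`, the sample sequence and the toy cipher are all constructed assumptions for illustration; fixed-size padding is a commonly used countermeasure and is not something the article attributes to any provider.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed frame sizes (bytes) a variable-bit-rate codec might emit for
# different kinds of sound; the values are illustrative, not measured.
FRAME_SIZES = {"silence": 10, "fricative": 24, "vowel": 42, "plosive": 33}
PAD_TO = 64  # hypothetical fixed on-wire payload size for the padded variant
SAMPLE = ["silence", "vowel", "fricative", "vowel", "plosive", "silence", "vowel", "fricative"]


def keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy length-preserving cipher (SHA-256 in counter mode); demo only."""
    stream, block = b"", 0
    while len(stream) < len(data):
        counter = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        stream += hashlib.sha256(key + counter).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encode(sounds, key, pad=False):
    """Return one encrypted packet per sound class in the sequence."""
    packets = []
    for seq, sound in enumerate(sounds):
        frame = os.urandom(FRAME_SIZES[sound])  # stands in for codec output
        if pad:
            # 1-byte length prefix, then zero padding up to PAD_TO bytes
            frame = bytes([len(frame)]) + frame + bytes(PAD_TO - 1 - len(frame))
        packets.append(keystream_xor(key, seq, frame))
    return packets


def observed_lengths(packets):
    """What a passive observer without the key can record: sizes only."""
    return [len(p) for p in packets]


def length_entropy_bits(lengths):
    """Shannon entropy of the size distribution; 0 means sizes reveal nothing."""
    counts, total = Counter(lengths), len(lengths)
    return 0.0 - sum(c / total * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    key = os.urandom(32)
    for pad in (False, True):
        sizes = observed_lengths(encode(SAMPLE, key, pad))
        print("padded" if pad else "unpadded", sizes, round(length_entropy_bits(sizes), 3))
```

The padded variant trades bandwidth for privacy: every packet costs `PAD_TO` bytes regardless of how little audio it carries.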

In the study that accompanied their presentation, the research team explains the process as similar to that used by babies when learning to talk. Infants learn by associating certain words they hear repeatedly with known results. When an adult speaks to them, they filter out the stuff they don’t comprehend and instead focus on the words that stand out that they do understand; linguistics experts use the term “well formed” to define terms that are understandable amongst those that are not. Babies use well-formed phrases to help them figure out the meaning of the words that surround the ones they do know, in order to understand what is being said. This is the process the team duplicated when attempting to recreate phone conversations.

Since the results varied widely, and because potential eavesdroppers would need vast amounts of time, talent and money to reproduce the research team's results, current users of VoIP communications should not worry that someone will be listening in. However, now that a weakness has been found, it’s probable that Skype and other VoIP providers will take measures to plug the newly discovered vulnerability.