Eavesdropping archives - Unified Communications: Click to talk


Sep 12 2009   3:31AM GMT

Secret Messages Hidden in VoIP Traffic



Posted by: Tony Bradley
VoIP, Security, steganography, eavesdropping, wiretapping, NSA, al qaeda, terrorists, secret message

Security researchers are increasingly concerned that hackers are close to developing tools for VoIP-based steganography. With hidden messages being transmitted secretly within the voice data, eavesdropping programs like the NSA's wiretapping would be rendered useless.

Steganography hides a message within some other medium in such a way that only the sender and the intended recipient are even aware a message exists. If combined with some form of encryption to protect the message on the remote possibility that someone randomly stumbles across it, steganography can be a very powerful method of transmitting secret messages and data.

There have long been rumors that terrorist groups like Al Qaeda transmit secret coded messages to each other by using steganography to embed data within JPG images such as porn photos, or images associated with eBay auctions.

Steganography isn’t new. Even steganography on VoIP is not really new. What is new, and what concerns security researchers, is the prospect of tools becoming available that would let any average user run steganography over VoIP.

Government and law enforcement agencies in the United States (and other countries as well) use eavesdropping and wiretapping as a means of intelligence gathering for national security purposes. But if two terrorist operatives use steganography over VoIP, they will be able to transmit plans for the next suicide bombing or airplane hijacking secretly in the background while the NSA just eavesdrops on two people having an innocent conversation about which actor is the best James Bond (I vote for Roger Moore).

Jan 1 2009   2:41PM GMT

Do-It-Yourself DECT Hacking



Posted by: Tony Bradley
DECT, eavesdropping, attack, VoIP, VoIP security

I have DECT cordless phones in my home. I didn’t really get them for the security factor per se. I bought them because their operation isn’t impacted or interfered with by wireless networks, microwave ovens, or baby monitors. I was tired of having 27 different devices all competing for the same frequency range and having my wireless network lose the battle more often than not.

Regardless, DECT handsets were also notable for the claimed security of their communications. Apparently, though, that security is based more or less on security-by-obscurity. Essentially, the communications aren’t encrypted or authenticated in any way, but the DECT algorithm was kept private, and that was meant to prevent attackers or eavesdroppers from breaking into the communications.

Well, it would at least prevent novice or poorly funded attackers. A team of researchers had previously demonstrated that an attack was possible using expensive sniffer tools. However, that same research team has now devised a method for eavesdropping on DECT conversations ‘MacGyver style’ using a modified off-the-shelf VoIP card with a laptop.

I guess my conversations about what to get at the grocery store, or how the weather is at my in-laws’ house, are no longer guaranteed to be private. But, on the bright side, they still don’t interfere with my wireless network.