Chemical Safety Incidents
Hiding Messages in VoIP
Wednesday, November 16, 2011 @ 08:11 AM gHale
There is a new way to hide secret data within VoIP packets, making it possible to carry on legitimate voice conversations while stolen data piggybacks on the call undetected, making its way to thieves on the outside.
Called transcoding steganography or TranSteg, the method calls for setting a larger-than-necessary payload space in VoIP packets and using the extra room to carry covert messages. In their experiment researchers at the Warsaw Institute of Technology ‘s Institute of Telecommunications could send 2.2MB of covert data in each direction during an average seven-minute phone call.
As with all steganography, the objective is to deliver covert data without raising suspicions that a secret message even exists.
The researchers said depending on how they set up TranSteg, detection can be impossible. But other scenarios make it possible to detect given the right type of monitoring.
One big hurdle to the practical use of TranSteg is that it requires modifying the machines that send and receive the steganographic messages, said Wojciech Mazurczy, who has developed other VoIP steganography techniques.
That’s because the machines receiving the secret messages must undergo configuration to know that packets marked as carrying one type of payload are actually carrying another type.
In their proof-of-concept demonstration, the researchers marked real-time transport protocol (RTP) packets as carrying voice encoded using a G.711 codec. Actually they carried G.726-encoded voice, which takes up less space per packet. The difference in packet payload between what was in the payload-type field and what the packets actually contain is the space available for the steganographic message.
The receiving machines must know to decode using one codec despite the fact packets indicate they had a different codec. The receiving machines must not only transcode the voice traffic, but also extract and reassemble the covert message. So access to machines is necessary ahead of time in order for TranSteg to work.
TranSteg can use either end devices such as VoIP phones or intermediary network devices as the steganography-sending and -receiving nodes. So two VoIP phones could be involved; two intermediary devices could be involved; the sending phone and an intermediary device could be involved; or an intermediary device and the receiving phone could be involved.
If two VoIP phones are the sending and receiving nodes and they use secure RTP (SRTP), it is impossible for network monitoring to detect TranSteg, the researchers said. But if they use any of the other scenarios, monitoring at more than one place along the connection could detect TranSteg, they said.
In the test setup, TranSteg introduces .4ms of delay on average using the worst-case configuration, the researchers said. Mean opinion score (MOS) for voice quality drops from 4.46 to an average of 3.834 — still acceptable. Using the testbed codecs, the researchers were able to send 2.2MB of covert message in both directions during a nine-minute call.