Side Channel Attack Beats Skype Encryption

What is a side channel attack, you ask? Good question. A side channel attack uses observations of characteristics such as the power consumption of the system carrying out encryption computations, or the length of time that these computations take, as sources of information that can be used to defeat an encryption system. It turns out that the security of encrypted Skype conversations is vulnerable to a particularly slap-your-head obvious side channel attack that exploits the fact that the service uses variable bit rate compression.

A key point about variable bit rate compression is the compression rate varies according to the data being compressed, and when you're dealing with Skype packets that means the compression rate varies according to the actual words being spoken. So, by measuring the amount that each packet has been compressed, you should in theory be able to work out the words that it contains.

And indeed you can -- to a quite surprising extent. In a paper titled Uncovering Spoken Phrases in Encrypted Voice over IP Conversations, five U.S.-based researchers describe how they searched encrypted VoIP packets for particular phrases, based on the correlation between a given phrase and the extent to which a packet has been compressed. They were able to identify their phrases with an average accuracy of 50%, rising to over 90% for certain phrases.
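The leak described above can be measured from the defender's side. The following is an added example, not code from the article or the paper: it models what an on-path observer sees when variable bit rate frames are encrypted with a length-preserving cipher, and how padding payloads to a fixed size removes the signal. The frame sizes, the 12-byte header and all function names are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample data: per-frame payload sizes (bytes) that a VBR codec
# might emit for two different utterances. Illustrative values only.
PHRASE_A = [23, 41, 38, 52, 19, 33, 47, 21]
PHRASE_B = [35, 22, 50, 27, 44, 18, 39, 30]

HEADER = 12  # assumed fixed per-packet overhead in bytes


def observed_lengths(frames, pad_to=None):
    """Packet lengths visible on the wire.

    A length-preserving cipher hides content but not size, so the observer
    sees payload length plus header. With pad_to set, each payload is
    padded up to the next multiple of pad_to before encryption.
    """
    lengths = []
    for size in frames:
        if pad_to:
            size = math.ceil(size / pad_to) * pad_to
        lengths.append(size + HEADER)
    return lengths


def length_entropy(lengths):
    """Shannon entropy (bits) of the packet-length distribution.

    Zero means every packet looks the same size to the observer.
    """
    total = len(lengths)
    counts = Counter(lengths)
    return abs(-sum(c / total * math.log2(c / total) for c in counts.values()))


def distinguishable(a, b, pad_to=None):
    """True if the two utterances produce different length sequences."""
    return observed_lengths(a, pad_to) != observed_lengths(b, pad_to)


if __name__ == "__main__":
    for pad in (None, 16, 64):
        print(f"pad_to={pad}: "
              f"entropy(A)={length_entropy(observed_lengths(PHRASE_A, pad)):.2f} bits, "
              f"A/B distinguishable={distinguishable(PHRASE_A, PHRASE_B, pad)}")
```

Coarse padding (16 bytes here) lowers the entropy but still leaves the two sequences distinguishable; only padding every payload to a size at or above the largest frame makes them identical, at the cost of the bandwidth savings that variable bit rate compression was meant to provide.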

Many governments and agencies responsible for fighting terrorism have expressed concern that Skype's encryption provides a way to communicate by voice that they can't listen in to. Maybe this side-channel attack will ease their worries; assuming that they didn't know about it all along.

Other Security News ...

Black-hats learn from governments -

Talking of governments, there's a strong suspicion that the government of Iran was behind the intrusion earlier this month into an affiliate registration authority of Comodo, a company that issues SSL root certificates. The attack resulted in the fraudulent issue of nine SSL certificates for sites including login.yahoo.com, login.live.com, mail.google.com and login.skype.com. It's even possible (though there's no evidence as yet that this is the case) that some government was behind the sophisticated attack that led to the security of RSA's SecurID authentication system being compromised.

The problem with government-sponsored hacking is that it's often only a matter of time before malicious hackers adopt the methods pioneered by these governments. That certainly seems to be the case with Stuxnet, a sophisticated worm which is widely believed to have been designed by U.S. and Israeli government agencies to attack Iran's nuclear weapons facilities. It has prompted a whole range of malware designed to attack process control systems, according to Eric Byres, author of the Security Incidents Organization's catchily titled Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems Resulting from Malware Infections.

"We are starting to see very quiet, subtle attacks like Stuxnet, Ghostnet, and Night Dragon," he said. The difference between Stuxnet, which was designed to slow Iran's nuclear weapons program, and these attacks is that the motive is money, said Byres. "Now they are stealing stuff and selling it."

And there is certainly no shortage of vulnerabilities in industrial control systems (known as SCADA systems) for hackers to exploit. Last week Italian researcher Luigi Auriemma revealed over 30 new ones that enable code execution, access to sensitive data in configuration files, or the ability to disrupt equipment in four different manufacturers' SCADA software.

Hack your ride -

If you can't trust industrial control systems, what can you trust?

Earlier this month it became apparent that even your car may not be safe from hackers, according to Mobile Magazine. A group of researchers from UCSD and the University of Washington have successfully hacked a car -- the make and model they haven't yet revealed -- to gain control over the engine, brakes and locks.

They did so by writing a virus which they packaged into a specially crafted MP3 file, which was simply written to a CD and inserted in the vehicle's music player. The virus apparently alters the stereo system's firmware, and from there it makes its way across to the car's main engine control unit (ECU) due to a lack of isolation between the two.

If it's possible with one car (which it clearly is) then the chances are that many other car makes and models will be found to be vulnerable. Manufacturers may soon recommend doing an anti-virus scan before starting your engine.

Google's security tool backfires -

Imagine the company responsible for your system -- whether we're talking a SCADA system, a server, or even your car -- could just reach in and remove any malware that infected it. The desirability is debatable, but it's something that Google has been trying out anyway on its Android mobile phone platform. It's done this by installing its Android Market Security Tool March 2011 on end users' handsets without asking for authorization. The tool then runs, obtains root privileges, and removes any apps that contain the Droiddream Android Trojan.

Somewhat predictably, this Google initiative has been subverted by malware writers. It seems that Chinese hackers or perhaps the Chinese government has infected Google's security tool with a trojan. Given that users have been told that the tool might appear on their phone, there's a good chance that many won't be suspicious of it and will grant it any privileges it asks for. The good news is that for now the infected tool is only in circulation on a third party app marketplace in China, but who knows if it will make its way to the West.

Maybe Android users would be more secure if they abandoned their cellphones and made their calls using Skype … just a thought.

Paul Rubens has written about business IT as a staff and freelance journalist for over twenty years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.