VoIP eavesdropping proves complex

VoIP calls are more difficult to tap than those traveling over the PSTN. But deep packet inspection techniques and the UK government's proposed Intercept Modernisation Programme may provide new ways of tackling the problem, E&T investigates.

To catch a Cold War spy, first get a team of MI6 and CIA operatives to tunnel under the Russian sector in Berlin and find the central communications cable of Soviet Military Command. Next, send a Post Office engineer down the tunnel to attach phone-tapping circuits, and then wait for the intelligence to flood in. For maintenance problems, contact Post Office Special Investigations, a lab full of MI5 scientists designing new bugs and fixing old ones in the basement of the Post Office research headquarters at Dollis Hill, North London.

That's how it was done in the 1950s, according to former MI5 officer Peter Wright's book 'Spycatcher'. Twenty years after the fall of the Berlin Wall, the intelligence agencies of the USA, UK and its allies have a new threat to contend with, in the shape of radical Islamic terrorism. Tunneling doesn't feature in their eavesdropping efforts these days as this global terrorist movement tends to use the Internet for its communications. Internet telephony (VoIP, or Voice over IP) is a particular spanner in the works, representing "the biggest change in telecoms technology since the invention of the telephone", to quote last year's submission to Parliament on the effectiveness of the British security services by Sir David Pepper, director of GCHQ.

A packet of trouble

Internet phone-calls are difficult to tap because they can be made anywhere the caller can find an Internet connection, and so it's hard to tie them to a consistent location. Calls don't follow a dedicated path but travel across the network in packets that each go their separate ways, only coming together at their destination to be reconstituted into an audio stream. In contrast, a traditional fixed-line public switched telephone network (PSTN) phone is linked to a location by a pair of wires that connect it to a telephone exchange, often through a street cabinet. When one person calls another via the PSTN, circuit switching establishes a temporary, dedicated path. Wire-tapping a PSTN line means copying the signal onto another line for listening or recording, usually at the local exchange or somewhere else in the network such as a street cabinet. The phone company can also set up the tap remotely through a computer.

With VoIP, a call might originate in a coffee shop in London and terminate in a hotel lobby in New York. A little later, the same two parties might have another chat, this time from an office in Manchester to a bench in Central Park. To physically intercept those calls would take a tap on all routers in each location, which would also mean eavesdropping on anyone else logged on. Identifying the two callers from the others connected by these access points would be tricky, because a computer's IP address can change with each connection. And the callers could have many accounts with different identities.

"You can buy a VoIP account from Gradwell and then use that account on a BT or Virgin or Cable & Wireless network. You could potentially use the same account on different networks within minutes of each other, if you have access to multiple networks wherever you are," says James Blessing of the UK Internet Service Providers Association (ISPA).

Apart from Skype, most VoIP services are based on the Session Initiation Protocol (SIP, defined in RFC 3261), an application-layer signaling protocol carried over UDP, TCP or TLS that lets endpoints locate each other on the Internet, set up, modify and tear down a call and, with suitable gateway equipment, dial out to the PSTN using traditional telephone numbers.

Signaling and media travel on different paths in SIP-based services. SIP itself only carries the signaling: the session description (SDP, which names the codecs and the IP address and port the media will use) rides inside the SIP messages, media transport is handled by the Real-time Transport Protocol (RTP), and network traversal by protocols such as STUN, TURN and ICE. Because the media and signaling are decoupled, an eavesdropper who only sees the signaling learns where the media will flow but hears nothing, while one who only sees the media has a stream that cannot be tied to a caller. Tapping a call established with SIP therefore means the whole 'path', signaling and media, has to be intercepted before the relevant audio can be extracted, unless there is a media proxy (a service that acts as a bridge between two networks for media streams in VoIP calls) that can be accessed to intercept the calls.

To complicate matters further, the device (computer, phone, mobile phone) that does the SIP set-up could be different from the device transferring the media during the connection, since the SDP can name any address for the media. While this is not the way things usually work, there's nothing to stop someone developing applications to exploit the feature.

Tapping only becomes easy if the SIP VoIP call is made from a fixed location with a fixed Internet address connecting directly to a big Internet provider's access router. Interception and extraction would then require hardware in the ISP's network capable of identifying the media packets and converting them back to audio, which only works if the media is unencrypted or the hardware holds the keys; it cannot reverse encryption it has no key for.

Public enemy number one

As far as the phone tappers are concerned, free phone and video-call company Skype is public enemy number one. Why? - because its calls are encrypted and connected using a peer-to-peer (P2P), closed-source application. Calls travel between other Skype users' computers (or 'nodes') so there is no core infrastructure, apart from several server clusters that support registered Skype users by storing usernames and validating that there is only one user with a given username logged in. Skype is encrypted by default because the last thing callers want is for any of the P2P nodes carrying their calls to be able to snoop on their conversation. Not surprisingly, Skype is under pressure from law enforcement agencies and security services to provide access to its P2P encryption.

Coming up on the inside is Zfone, a secure VoIP phone software product that uses a new encryption protocol called ZRTP. Zfone leaves the SIP signaling alone and works in the media path: it supports opportunistic encryption of the voice packets by automatically sensing whether the other VoIP client speaks ZRTP and, if it does, running a Diffie-Hellman key agreement between the two parties inside the RTP stream, with a short authentication string the callers can read to each other to detect a man-in-the-middle. Because the key agreement happens end-to-end, neither the SIP server nor any relay in between holds the key. The code has been written by US cryptographer Phil Zimmermann, who was the target of a US grand jury investigation some years ago for alleged 'arms trafficking' after an encryption program he wrote - PGP - was posted on the Internet for anyone to use.

Interception modernisation

In the UK, the future of VoIP phone-tapping rests on the proposed Intercept Modernisation Programme (IMP), which involves capturing and storing all the header data (source and destination address and application-specific headers) but not the content sent over every UK citizen's broadband connection. All this information would be instantly accessible from the ISPs' databases by law-enforcement and security agencies, who would be able to query them remotely to analyse patterns of communications and networks of associations, that is, who's talking to whom and with what applications.

If IMP goes ahead, the programme will require the installation of deep packet inspection (DPI) equipment to analyse every broadband connection in the UK. Common packet inspection looks only at the five-tuple (source address, destination address, source port, destination port and protocol type), so an application moved to an unexpected port simply disappears from its view. DPI also analyses the application payload, so it can detect applications using hidden or spoofed port numbers, whether hidden by design or to avoid inspection and monitoring. It does this based on a signature database that includes information extracted from the data part of a packet, which might be a particular port, string or bit sequence.

When no signature matches, DPI can also fall back on the behaviour of the traffic (packet sizes, timing and the pattern of connections a subscriber makes) and forward particular data streams to other equipment for processing and storage.
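The two points made above, that SIP only tells you where the media will go and that a port-based classifier misses anything on a non-standard port, are easiest to see in code. The following is an added example written for this article, not code from E&T, ISPA or any DPI vendor. It runs two classifiers over a handful of constructed packets: a five-tuple classifier that knows SIP by its registered port 5060, and a DPI-style classifier that matches SIP by a payload signature, reads the SDP body of an INVITE to learn the media endpoint, and then ties later RTP packets back to that call by their headers. The addresses, ports and the INVITE itself are all made up (RFC 5737 documentation ranges).

```python
"""DPI-style classification of a SIP/RTP call over constructed traffic (not real captures).

A five-tuple-only classifier and a payload-reading classifier run over the
same packets; the second learns the media endpoint from the SDP inside a SIP
INVITE and so can recognise the RTP stream even though it takes a different
path from the signaling.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    payload: bytes


# --- "common packet inspection": five-tuple only ---------------------------
def classify_by_ports(pkt: Packet) -> str:
    """SIP on its registered port 5060 is spotted; anything else is invisible."""
    return "sip" if 5060 in (pkt.sport, pkt.dport) else "unknown"


# --- deep packet inspection: payload signatures plus learned media endpoints --
SIP_REQUEST = re.compile(rb"^(INVITE|ACK|BYE|CANCEL|REGISTER|OPTIONS) sip:\S+ SIP/2\.0\r\n")
SIP_RESPONSE = re.compile(rb"^SIP/2\.0 \d{3} ")


def parse_sdp_media(sip_msg: bytes):
    """Return (ip, port) of the audio stream announced in the SDP body, or None.

    The body follows the blank line after the SIP headers; 'c=' carries the
    connection address and 'm=audio <port> ...' the RTP port.
    """
    _, sep, body = sip_msg.partition(b"\r\n\r\n")
    if not sep:
        return None
    ip = port = None
    for line in body.split(b"\r\n"):
        if line.startswith(b"c=IN IP4 "):
            ip = line[len(b"c=IN IP4 "):].decode("ascii")
        elif line.startswith(b"m=audio "):
            port = int(line.split()[1])
    return (ip, port) if ip and port else None


def looks_like_rtp(payload: bytes) -> bool:
    """RTP fixed header is 12 bytes with version bits == 2; a payload type of
    72..76 in that position is really an RTCP packet, so exclude it."""
    if len(payload) < 12 or payload[0] >> 6 != 2:
        return False
    return not 72 <= (payload[1] & 0x7F) <= 76


class Dpi:
    def __init__(self):
        self.media_endpoints = set()   # (ip, port) pairs announced in SDP so far

    def classify(self, pkt: Packet) -> str:
        p = pkt.payload
        if SIP_REQUEST.match(p) or SIP_RESPONSE.match(p):
            media = parse_sdp_media(p)
            if media:
                self.media_endpoints.add(media)   # remember where RTP will appear
            return "sip"
        if pkt.proto == "udp" and looks_like_rtp(p):
            if (pkt.src, pkt.sport) in self.media_endpoints or \
               (pkt.dst, pkt.dport) in self.media_endpoints:
                return "rtp (matched to SIP call)"
            return "rtp (unmatched)"
        return "unknown"


# --- constructed sample traffic (hypothetical hosts, RFC 5737 ranges) --------
SDP = (b"v=0\r\n"
       b"o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
       b"s=-\r\n"
       b"c=IN IP4 10.0.0.5\r\n"          # media will come from this address...
       b"t=0 0\r\n"
       b"m=audio 16384 RTP/AVP 0 8\r\n")  # ...on this port, codecs PCMU/PCMA
INVITE = (b"INVITE sip:bob@203.0.113.9 SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 10.0.0.5:40000;branch=z9hG4bK776asdhds\r\n"
          b"From: <sip:alice@10.0.0.5>;tag=1928301774\r\n"
          b"To: <sip:bob@203.0.113.9>\r\n"
          b"Call-ID: a84b4c76e66710@10.0.0.5\r\n"
          b"CSeq: 314159 INVITE\r\n"
          b"Content-Type: application/sdp\r\n"
          b"Content-Length: " + str(len(SDP)).encode() + b"\r\n\r\n" + SDP)
# version 2, PT 0 (PCMU), seq 1, timestamp 160, SSRC 0xDEADBEEF, 20 ms of samples
RTP_PCMU = bytes([0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xA0,
                  0xDE, 0xAD, 0xBE, 0xEF]) + bytes(160)

SAMPLE_TRAFFIC = {
    # INVITE to a SIP proxy listening on 5080, not 5060: the port classifier misses it
    "invite": Packet("10.0.0.5", 40000, "203.0.113.9", 5080, "udp", INVITE),
    # media goes to the far end (or a media relay), not via the SIP proxy
    "rtp_call": Packet("10.0.0.5", 16384, "198.51.100.7", 20002, "udp", RTP_PCMU),
    # an RTP stream whose signaling was never seen, e.g. set up over a link we do not tap
    "rtp_other": Packet("192.0.2.44", 30000, "198.51.100.8", 30000, "udp", RTP_PCMU),
    # an ordinary DNS query for contrast
    "dns": Packet("10.0.0.5", 51000, "10.0.0.1", 53, "udp",
                  b"\x12\x34\x01\x00\x00\x01" + bytes(6) +
                  b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
}


def demo():
    """Run both classifiers over the traffic in order; {name: (ports_verdict, dpi_verdict)}."""
    dpi = Dpi()
    return {name: (classify_by_ports(pkt), dpi.classify(pkt))
            for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for name, (by_ports, by_dpi) in demo().items():
        print(f"{name:10s} ports-only: {by_ports:8s} DPI: {by_dpi}")
```

Note the order dependence: the DPI classifier only labels the second packet as belonging to the call because it saw the INVITE first. Capture the media leg alone and it becomes "rtp (unmatched)", which is the practical content of the "whole path" remark above; and if the stream were SRTP or ZRTP, the header check would still pass but the payload would be useless without the key.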

"Even if the VoIP SIP server is hosted outside the UK, the DPI box will be able to pick out the server's IP address, which can be used to go to the VoIP provider and find out who was online," says Blessing.

IMP is a big step forward in Internet monitoring but the details of how it would work are sketchy.

"The idea is to have some kind of unified communications protocol such that a centralised system could send queries to each service provider's database and get information about the activities associated with certain IP addresses automatically," says Blessing. No such standard for querying, searching and transferring this kind of data currently exists, and developing it would involve ISPs creating a data exchange standard similar to the ebXML protocol used for business transactions. Moreover, the key to identifying what someone is doing online is the signature of the activity, and it's not clear who would create and update these signatures.

Is IMP feasible? Each broadband subscriber typically transfers around 5Gbyte of data a month, so a medium-sized ISP with around 100,000 subscribers carries some 500Tbyte a month. If roughly 10 per cent of that is header information, storing it would demand about 50Tbyte a month, or 1.6Tbyte a day, which at the time of writing is a couple of hard disk drives at about £65 each. Storage, then, is not the problem; the bottleneck is the DPI equipment.

"By recording the headers at a rate of 10 or 15Mbit/s on each DPI box, this volume would be quite possible to capture simply by using an awful lot of boxes. But at the moment, those available commercially can't handle the load needed for most ISPs' networks without slowing down the connections," says Blessing.

An alternative is to put the boxes in the ISPs' networks but instead of watching everyone, target individuals and only forward their header data through the box, in much the same way as phone-tapping is done on the PSTN.

"We can do that now because you are simply moving the traffic from one 20Mbit/s DSL connection. Even if you have 100 customers being investigated, that's 2Gbit/s of capacity you have to move onto DPI, but we have boxes that can do that today," continues Blessing.

The US Federal Bureau of Investigation already has a system called DCSNet for collecting and analysing wire-tapped material from ISPs, cellular companies and land-line operators, which appears to operate on this basis.

Software backdoors

Another option is to use a software backdoor to tap someone's VoIP communications at source, the modern equivalent of digging a tunnel under your target. As David Bradshaw, group leader of software technologies at Cambridge Consultants points out, there is nothing inherently difficult about planting software to snoop on someone's computer: "Key-logging software has been widely used to read passwords and bank card details. Software to do this can be unwittingly installed by users as part of a Trojan attack, or covertly via a Web page that installs and runs malicious software when you visit it."

The usual approach is for the malware to exploit a vulnerability or backdoor in an installed program to gain control of the computer, and then to send what it collects back to the snooper. "Even if a VoIP call is encrypted, the weak point is when the computer decrypts it to play the audio. It would be relatively easy to plant some software to transmit that data to a third party," explains Bradshaw.

Cambridge Consultants is not involved in this kind of work, but the situation that Bradshaw describes is far from theoretical. Earlier in the year, a 'performance' patch that the United Arab Emirates mobile operator Etisalat sent to its BlackBerry subscribers was later found to give the operator the ability to read its customers' emails and text messages. Users who downloaded the software complained of dramatically reduced battery life and slower than usual performance of their devices. Further analysis revealed that the patch had been developed by SS8.com, a US-based surveillance firm that makes intercept and online activity analysis equipment, including DPI boxes and software such as FoxReplay Analyst, which can reconstruct online Internet sessions.

But back to the Cold War, and a salutary tale about the tunnel taps described in 'Spycatcher'. They delivered such vast quantities of information that MI6 opened a special transcription centre in Earl's Court to deal with it. Many years later it transpired that George Blake, a double agent, had betrayed the tunnel to the Russians from the outset, making the intelligence gathered highly suspect.

It's a timely reminder that successful eavesdropping rests not just on clever technology but on understanding the unpredictable and resourceful nature of human beings.
