Researchers Find New Way to Hide Messages in VoIP

Researchers have devised a new scheme for hiding secret data within VoIP packets, making it possible to carry on legitimate voice conversations while stolen data piggybacks on the call undetected, making its way to thieves on the outside.

Called transcoding steganography or TranSteg, the method calls for setting a larger-than-necessary payload space in VoIP packets and using the extra room to carry covert messages. In their experiment the researchers could send 2.2MB of covert data in each direction during an average seven-minute phone call.

As with all steganography, the objective is to deliver covert data without raising suspicions that a secret message even exists.

IN PICTURES: A brief history of steganography

Researchers at the Warsaw Institute of Technology ‘s Institute of Telecommunications say that depending on how TranSteg is set up, detection can be impossible. But other scenarios make it possible to detect given the right type of monitoring.

One big hurdle to the practical use of TranSteg is that it requires modifying the machines that send and receive the steganographic messages, say the researchers led by Wojciech Mazurczy, who has developed other VoIP steganography techniques.

That’s because the machines receiving the secret messages must be configured to know that packets marked as carrying one type of payload are actually carrying another type. In their proof-of-concept demonstration, the researchers marked real-time transport protocol (RTP) packets as carrying voice that was encoded using a G.711 codec. Actually they carried G.726-encoded voice, which takes up less space per packet. The difference in packet payload between what was advertised in the payload-type field and what the packets actually contained is the space available for the steganographic message.

The receiving machines must be configured to know to decode using one codec despite the fact that packets are marked to indicate they were generated with a different codec. The receiving machines must not only transcode the voice traffic, but also extract and reassemble the covert message. So access to machines is necessary ahead of time in order for TranSteg to work.

TranSteg can be set up using either end devices such as VoIP phones or intermediary network devices as the steganography-sending and -receiving nodes. So the possibilities are two VoIP phones could be involved; two intermediary devices could be involved; the sending phone and an intermediary device could be involved; or an intermediary device and the receiving phone could be involved.

If two VoIP phones are the sending and receiving nodes and they use secure RTP (SRTP), it is impossible for network monitoring to detect TranSteg, the researchers say. But if any of the other scenarios is used, monitoring at more than one place along the connection could detect TranSteg, they say.

In the test setup, TranSteg introduces .4ms of delay on average using the worst-case configuration, the researchers say. Mean opinion score (MOS) for voice quality drops from 4.46 to an average of 3.834 — still acceptable. Using the testbed codecs, the researchers were able to send 2.2MB of covert message in both directions during a nine-minute call.

Read more about wide area network in Network World’s Wide Area Network section.