A team from Johns Hopkins University has discovered a way to eavesdrop on encrypted voice streams. Voice data like the kind used by Skype for its VoIP service sends encrypted packets of varying sizes for different sounds. The team learned that by simply measureing the size of the packets, they could determine what was being said with a high rate of accuracy. VoIP providers often use a variable bit rate to use bandwidth more efficiently, but it is this compression that makes audio streams vulnerable to eavesdropping.

The team’s software is still in its early stages of development, yet incapable of parsing entire conversations. It is capable, though, of finding pre-determined keywords and inferring common phrases bases on the words it detects. It also has a higher rate of accuracy in identifying long complicated words than short ones. The team’s goal was not to eavesdrop, but to expose the vulnerability; team member [Charles Wright] notes, “we hope we have caught this threat before it becomes too serious.”

[via Schneier on Security]
[photo: altemark]

UPDATE: Skype has withdrawn their appeal and accepted the original judgment.

Tomorrow the High District Court of Munich will hear Skype argue against the validity of the GPL. Last June, the court issued an injunction against Skype for selling the SMC WSKP 100, a Linux-based WiFi VoIP phone. After the initial GPL violation, a flier with the URL for the source was added to the package. The GPL wasn’t provided and the court found this insufficient for fulfilling the requirements of the GPL. Skype is appealing and claims that the GPL as a whole violates anti-trust regulation. The case against Skype was brought by OpenMoko’s original system architect, Harald Welte, as part of his work for gpl-violations.org.

[sprite_tm] made my morning by sending in his latest work. After opening up his new SMC WSKP100 (Skype wifi phone) to identify the hardware differences, he managed to shrink a flash image from the SMCWSP100 to fit on his new toy. Then he spent some time hacking the kernel from the former to work on his phone. The result? A SIP operational phone that’ll connect to his asterix server at half the price of SMC’s official SIP phone.