Steganography meets VoIP in hacker world

Researchers and hackers are developing tools to execute a new data-leak threat: sneaking proprietary information out of networks by hiding it within VoIP traffic.

(A brief history of steganography)

Techniques that fall under the category of VoIP steganography have been discussed in academic circles for a few years, but now more chatter is coming from the hacker community about creating easy-to-use tools, says Chet Hosmer, co-founder and Chief Scientist at WetStone Technologies, which researches cybercrime technology and trains security professionals investigating cybercrimes.

“There are no mass-market programs yet, but it’s on our radar, and we are concerned about it given the ubiquitous nature of VoIP,” he says. VoIP steganography conceals secret messages within VoIP streams without severely degrading the quality of calls.

Steganography in general is hiding messages so no one even suspects they are there, and when done digitally, it calls for hiding messages within apparently legitimate traffic. For example, secret data can be transferred within .jpg files by using the least significant bits to carry it. Because only the least significant bits are used, the hidden messages have little impact on the appearance of the images the files contain.

There are more than 1,000 steganographic programs available for download online that can place secret data within image, sound and text files, Hosmer says, and then extract it. There are none for VoIP steganography yet, but in the labs, researchers have come up with three basic ways to carry it out.

The first calls for using unused bits within UDP or RTP protocols – both used for VoIP - for carrying the secret message.

The second is hiding data inside each voice payload packet but not so much that it degrades the quality of the sound.

The third method calls for inserting extra and deliberately malformed packets within the VoIP flow. They will be dropped by the receiving phone, but can be picked up by other devices on the network that have access to the entire VoIP stream. A variation calls for dropping in packets that are so out of sequence that the receiving device drops them.

These techniques require compromised devices or conspirators on both ends of calls or a man-in-the-middle to inject extra packets. “It’s much more difficult to do and much more difficult to detect,” than hiding data within other files, Hosmer says.
The medium used to carry secret messages is called the carrier, and just about anything can be a carrier. For example, x86 executables can carry secret messages, according to Christian Collberg, an associate professor of computer science at the University of Arizona and co-author of the book Surreptitious Software.

By manipulating the compiler, it can be made to choose one addition operation over another, and that choice can represent a bit in the secret message, Collberg says. “There are lots of choices a compiler makes, and whenever you have a choice, that could represent a bit of information,” he says.