London, June 13: US experts warn that compressed web phone calls may be easy to bug.
Researchers at Johns Hopkins University in Baltimore, Maryland, point out that many service providers are due to implement a flawed technology to compress Internet (VoIP) phone calls so that they use less bandwidth.
The researchers say that the new compression technique, known as variable bitrate compression, produces different size packets of data for different sounds because the sampling rate is kept high for long complex sounds like "ow", but cut down for simple consonants like "c".
According to them, this variable method saves on bandwidth, while maintaining sound quality.
Even though VoIP streams are encrypted to prevent eavesdropping, say the researchers, simply measuring the size of packets without decoding them can identify whole words and phrases with a high rate of accuracy.
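The leak described above, and the constant-size padding that removes it, shown as an added example that is not taken from the researchers' paper or software. The frame sizes, the `PAD_TO` value and the one-time pad standing in for a length-preserving stream cipher are all assumptions made for illustration.

```python
import os

# Constructed frame sizes (bytes) for a hypothetical variable-bitrate codec:
# larger frames for complex vowel-like sounds, smaller for simple consonants.
PHRASE_A = [38, 38, 12, 22, 38, 12, 12, 30]
PHRASE_B = [12, 22, 22, 38, 12, 30, 38, 38]
PAD_TO = 40  # assumed fixed frame size, larger than any codec frame


def encrypt(frame: bytes) -> bytes:
    """Length-preserving stand-in for a stream cipher (fresh one-time pad)."""
    key = os.urandom(len(frame))
    return bytes(a ^ b for a, b in zip(frame, key))


def pad(frame: bytes, size: int = PAD_TO) -> bytes:
    """Pad to a constant size; the last byte records the padding length."""
    if len(frame) >= size:
        raise ValueError("frame too large for pad size")
    n = size - len(frame)
    return frame + bytes(n - 1) + bytes([n])


def observed_sizes(frame_sizes, padded):
    """What a passive observer sees on the wire: ciphertext lengths only."""
    out = []
    for size in frame_sizes:
        frame = os.urandom(size)  # stand-in for codec output
        if padded:
            frame = pad(frame)
        out.append(len(encrypt(frame)))
    return out


def overhead(frame_sizes):
    """Bandwidth cost of padding, as a fraction of the unpadded bytes."""
    raw = sum(frame_sizes)
    return (len(frame_sizes) * PAD_TO - raw) / raw


if __name__ == "__main__":
    print("unpadded:", observed_sizes(PHRASE_A, padded=False))
    print("padded:  ", observed_sizes(PHRASE_A, padded=True))
    print(f"padding overhead: {overhead(PHRASE_A):.0%}")
```

Without padding the ciphertext lengths reproduce the codec's frame sizes exactly, so the two phrases stay distinguishable despite encryption; with padding both look identical, at the cost of the bandwidth the variable bitrate was meant to save.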
Charles Wright, a member of the Johns Hopkins team, said that only a few services were currently using the vulnerable compression method.
He, however, pointed out that more networks were planning to use this technique in future.
"We hope we have caught this threat before it becomes too serious," New Scientist quoted him as saying.
Another team member, Fabian Monrose, admitted that the eavesdropping software developed by them could not decode an entire conversation.
Monrose, however, insisted that the software was capable of searching for chosen phrases within the encrypted data, and thus might allow a criminal to find important financial information conveyed in the call.
The researchers say that tests with their software have revealed that it can correctly identify phrases used during a conversation with an average accuracy of about 50 per cent.
"I think the attack is much more of a threat to calls with some sort of professional jargon where you have lots of big words that string together to make long, relatively predictable phrases. Informal conversational speech would be tougher because it's so much more random," Wright says.
A paper on the Johns Hopkins team's work was presented at the 2008 IEEE Symposium on Security and Privacy, in Oakland, California, US, last month.