Steganography is the art of hiding message when they are sent, in a process akin to camouflage. In cryptography, on the other hand, no attempt is made to hide the message, only to conceal its content.

Today, Wojciech Mazurczyk and Krzysztof Szczypiorski of the Warsaw University of Technology in Poland explain how VoIP services are wide open to steganographic attack and even measure how much information can be sent covertly in this way.

VoIP services such as Skype are vulnerable to steganographic attack because they use such a high bandwidth and that makes it relatively easy to embed a hidden message in the bit stream in a way that it is almost impossible to detect.

For precisely this reason, the US Department of Defence specifies in that any covert channel with a bandwidth higher than 100 bps must be considered insecure for average security requirements. For high security requirements, the DoD says the data rate should not exceed 1 bps, making it next to impossible to embed a hidden code without it being noticed.

So VoIP systems such as Skype, with their much higher data rates, are difficult to secure.

And to prove it, Mazurczyk and Szczypiorski have tested a number of steganographic attacks (including two new ones they’ve developed themselves) on a VoIP system to determine how much data could be sent. They say that during an average call (that’s 13 minutes long according to Skype) they were able to covertly transmit as much as 1.3 Mbits of data.

That should get a number of governments, companies and individuals thinking. How secure is your VoIP system?

Ref: arxiv.org/abs/0805.2938: Steganography of VoIP streams