Detecting MITM attacks on VoIP systems

| Comments (1) |
In yesterday's post on VoIP wiretapping, I observed that you could sometimes detect MITM attacks via checking for changes in your peer's public key. In the comments, Hal Finney suggests another alternative:
Another way Skype could enable its users to detect MITM attacks would be for the client to display a hash of the shared AES key. In a MITM attack, each side has a different key, so if the users read their hashes to each other, they will detect the difference.

Well, sometimes. In the classic MITM attack on Diffie-Hellman, the attacker ends up with a different pairwise key with each communicating party (though sometimes you can use a subgroup confinement attack to get around this.) Even with RSA-based systems, where the attacker can force the shared secret is the same you typically get different traffic keys because each side contributes a nonce which gets mixed in with the shared secret.

The way that you exploit this fact to detect attacks is simple: each side reads a hash of the shared secret over the voice channel. If the hashes don't match, then you know there's a problem. In theory, of course, the attacker could remove the hash you're reading and substitute himself reading it. If he could imitate your voice well enough, that might actually work, especially if the hashes are rendered as hex digits, since you only need to capture 16 digits in order to imitate any string, and you can capture those digits just by calling the victims and authenticating them. Nobody knows how hard this is for sure because there haven't been any real studies on how hard it is to attack systems this way.

Of course, this particular technique relies on the shared keys being different under a MITM attack. While I believe which is true for Skype, it's not true for every VoIP encryption system. For instance, two of the key management schemes which can be used for SRTP (MIKEY-RSA and SDescriptions) can be used in modes where one side generates the key and gives it to the other side. In these modes the traffic keys would be the same on each side and so an MITM attack wouldn't be detectable this way. In some cases, though (MIKEY-RSA at least) you can detect MITM attacks by exchanging hashes of the public keys rather than of the session keys. Otherwise, the technique is basically the same.


In order to foil MITM attacks against modes where one side generates the key and gives it to the other side the parties should compare hashes of the entire transcript of the messages they exchanged during the key exchange. This way, any active attack results in the parties generating different hash values.

Leave a comment