Huge data files can be hidden inside seemingly innocent voice over Internet Protocol (VoIP) messages, threatening corporate and national security, say Polish researchers.
Writing in the IEEE Spectrum, scientists say it is possible to use steganographic techniques to hide large data files almost undetectably inside VoIP calls.
Steganography - the art of hiding one message inside another - has been around for thousands of years. But weaknesses in transmission protocols, designed to improve the quality of time-sensitive dataflows such as video and voice calls in packet switched networks, allow other data files to be embedded in the transmissions without being detected, they say.
While this is useful for spies and governments, it is also useful for whistleblowers and corporate and private citizens anxious to preserve the confidentiality of their online communications.
"Think of steganography as meta-encryption," the researchers say. "While encryption protects messages from being read by unauthorised parties, steganography lets the sender conceal the fact that he has even sent a message."
They refer to stories that in the 1980s, British prime minister Margaret Thatcher used steganography to trace press leaks of cabinet documents. She apparently had government word processors changed to encode a specific user identity in the spaces between words. When leaked material was recovered, the identity of the leaker could be established by analysing the pattern of those spaces, they said.
"Steganography has entered a new era, with stupendously greater potential for mischief," the researchers say. With the latest techniques, earlier limitations on the length of the message are removed.
Conventional steganographic software typically uses 10% of a carrier file such as an MP3-encoded song or .jpg photo. It is now possible to insert hidden data in a VoIP message such as a Skype call using the communication protocols that govern the carrier's path through the internet. The longer they talk, the longer the secret message (or more detailed the secret image) they can send.
Theoretically, traces of the hidden file in a carrier file will persist as the files travels across the internet, thus letting investigators trace it. The new steganographic programs leave almost no trail. "Because they do not hide information inside digital files, using instead the protocol itself, detecting their existence is nearly impossible," say the researchers.
All the new methods manipulate VoIP. VoIP applications can send data packets to other computers on a connection without previously setting up any special transmission channels or data paths. That means it is completely private.
IP is unreliable compared to old-fashioned telephony, say the researchers. That unreliability may lead to errors, including data corruption and lost data packets. Steganography exploits those errors.
Because these secret data packets, or "steganograms", are interspersed among many IP packets and do not linger anywhere except in the recipient's computer, there is no easy way for an investigator to detect them, copy them and analyse them at leisure.
The researchers describe three applications which they say are so simple that they are probably already in use. They exploit lost packets, corrupted packets, and hidden or unused data fields in the VoIP transmission protocol.
The researchers estimate a smuggler could transmit hidden files at about 160 bits per second, enough to transmit a medium-size, 13Kbyte image or a 2,000-word text file during a nine- to 13-minute VoIP conversation.
"Not only can VoIP steganography be implemented in telephony tools that require a laptop or PC [such as Skype], it can also be used in hard phones, such as the Android VoIP-enabled mobile phones that are starting to proliferate," say the researchers.
"Steganography on a phone is more difficult, because it requires access to the device's operating system, but no one should doubt that committed individuals will have no trouble rising to the challenge."
The research was conducted by Józef Lubacz, Wojciech Mazurczyk and Krzysztof Szczypiorski of the Warsaw University of Technology in Poland.