Welcome to another foray into VoIP-related technology and the hype that surrounds it. This time, we’re reviewing end-to-end encryption of phone calls, messages, video and audio VoIP content—what encryption is, how it works and who needs it.
Different Levels of VoIP Security
VoIP communications (phone calls, video and messaging) are being widely adopted to provide a higher level of protection needed for mobile communications.
Proprietary VoIP implementations found in mobile applications make voice calls less easy to read (hack) as data passes over the internet. Encryption is added to the VoIP data to make it indecipherable to anyone snooping a network’s traffic.
More and more enterprises are looking for secure messaging and chat apps to increase productivity and improve communications with employees and customers. The increasing demand for secure communication apps have led to a surge in security app and platform development.
Basic VoIP Encryption
If you configure your own email settings, you probably remember finding an alphabet soup of encryption protocols.
TSL and SSL are currently the most frequently used protocols. They use different standards, but neither of them encrypts everything in an internet message. (That’s why you probably see the setting labeled as SSL/TSL.)
Each protocol encrypts part of the message traveling between the client and the server. But, security coverage of the message is not complete. It's still possible for the owner of the message server to decrypt, read, and store the message content.
Keys Are the Key
In standard VoIP encryption, the keys used by both parties in peer-to-peer communications are never transmitted. However, both the sender and receiver know the keys, so they can decrypt incoming voice data.
There’s a serious problem with this design. It’s possible to reverse engineer voice call data to understand the protocols being used by encrypted VoIP apps.
Many popular packet analyzer hacking tools support custom plugins. These tools make decoding and exporting signals to standard audio file formats a relatively easy task.
Basic VoIP encryption is a good start, but it can’t keep up with the ingenuity of the bad guys. That’s why the latest communications tools use a feature known as end-to-end encryption (E2EE).
E2EE is different. It’s a system of communication, in which only the people sending and reading encrypted content can read or hear it. Eavesdroppers cannot access the cryptographic keys needed to decrypt the conversation—not even a company that runs the messaging service.
These advanced cyber encryption tools make it much harder (but not quite impossible) to hack coded content in VoIP channels.
E2EE tools protect content on the sending device and then forward it to the message owner’s server. The owner of the communication channel doesn't possess the key to decrypt messages. The owner can save and store the information but not decode it. Without the key, the content would read as total gibberish.
More than One Path to E2EE Protection
There’s more than one way to protect VoIP content with E2EE tools. Here are several examples:
Write E2EE Tools with Open Source Code
Open Whisper Systems, developer of the Signal protocol and application, developed an open source instant messaging, voice calling and video calling application for iOS and Android. The tool is designed to help companies build their own encrypted chat and calling features. And, users can employ open source code to look for back doors and security holes without relying on third parties.
Use E2EE Tools and Protect VoIP Endpoints
There’s a heavy controversy about whether individuals and smaller businesses “really need” E2EE protection. Most security experts agree that it’s useful to encourage all VoIP users to install E2EE tools and to secure another important weak spot—endpoint devices such as smartphones, tablets and computers.
Why attack a heavily protected spot, when weak spots are easy pickings? Compromising endpoints is getting easier all the time. Security experts have warned for years that the weakest link for data is where it’s stored or displayed at either end of VoIP communications.
We hate inconvenience and the extra effort of protecting screens, disks, memory or storage devices in the cloud. Our impatience makes these locations ripe for a clever hacker to intrude.
Endpoint security best practices. The ideal development approach is a balance. Creating effective ways to protect digital endpoints without making tools inconvenient to use. This includes making sure that:
- No one has tampered with applications before or after installation.
- The app doesn’t have any back doors or security holes that could be exploited after the app is installed.
Other new technologies and approaches are just over the horizon. They are ideas ready for future development but are not available today as products or services.
Next-Generation Encryption Technology
By now, secure data users—individuals, organizations and government workers—know the value of protecting their intellectual property, personal information and client data.
Several potential threats and challenges loom large over E2EE users worldwide. These examples show how threats and new ideas might stimulate the development of advanced encryption tools and methods in the future:
- Response to quantum cryptography.
Yes, there’s a strong sci-fi flavor of this scenario, and yes, it pegs the Hype Meter to Maximum. Don’t expect this problem or its solution to occur next week, but experts are already talking about quantum and post-quantum cryptography.
The latter refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against an attack by a quantum computer. Stay posted, this one’s interesting.
- Vendor-neutral, real-time communications
Launched in December 2014, Matrix is an open, decentralized communication standard that uses E2EE. Matrix enables users with different communications service providers to communicate in real time via online chat, VoIP, and online audio-video content. The only question now is whether there’s enough interest in Matrix as a commercial product.
- Use of blockchain technology.
Who do you trust? That’s the essential idea behind giving users control of their own application security. The thinking goes, who is the better owner of application security, users or an app store—aren’t they just another vulnerable corporation?
There’s excitement in the computer security community that blockchain technology could help users secure their own endpoints, without the cloud of third-party surveillance hanging over communications.
Blockchain is the technology that supports Bitcoin and other cryptocurrencies. Computer scientists might be able to build blockchain-based tools that create verifiable, unchangeable public records of information. The goal: confirm that our data hasn’t been tampered with.
Because blockchain technology and its capabilities are soaked in hype and misinformation, it will take time to sift through all these ideas and develop secure easy-to-use tools.
So, what should we do until usable solutions enter the market? Experts suggest that all users:
- Continue to use end-to-end encryption applications whenever possible.
- Stay vigilant about password hygiene.
- Test apps periodically for back doors and holes.
- Monitor all applications that we install on our machines.
Pluses and Minuses in E2EE Performance
Why use end-to-end encryption? Because it works. It makes it harder—much harder—for snoops, interlopers and just plain bad guys to mess with your data. But, E2EE operations are far from perfect.
Practical Problems in E2EE Operations
E2EE provides a definite step up in the quality of data security. But, there are practical shortcomings in its day-to-day implementation:
- Not all popular VoIP apps use E2EE. Skype is still the most common enterprise VoIP application, but it has no options for E2EE.
- Balancing security and call quality. Businesses want to protect their valuable secrets with the most secure technology available. Customers want the highest call clarity they can get. E2EE prevents the harvesting of quality of service (QoS) data, which enables IT pros to monitor and adjust the quality of voice calls.
- Keys and certificates are difficult to manage.
As more and more encryption programs enter the market, E2EE technology becomes more complex and difficult to manage. Keeping track of encryption keys and authentication certificates is taking up more time, effort and storage. The result: managing multiple keys for each encrypted function adds very heavy labor overhead.
Although it’s impossible to erase this overhead, you can reduce it in several ways, including knowing the current encryption standards, centralizing encryption functions and creating an encryption planning roadmap.
- Endpoint verification problems. Because it’s easier to manage and monetize closed (proprietary) systems, many developers write encryption programs only for them.
The problem: E2EE calls require that both ends of the conversation use the same system. If you use product A to call someone, who uses Product B, you’re out of luck. There’s no way that the caller can tell whether E2EE is enabled on both ends.
Happily, it’s now possible to verify E2EE at both ends by exchanging QR codes.
- Man-in-the-middle attacks. Although E2EE removes much of the risk of encrypted calls, they are still vulnerable to man-in-the-middle attacks.
To solve this problem, some E2EE programs generate unique one-time strings of characters based on the two users' public keys. The users at each end read out that passphrase to each other before starting their conversation. If the characters match, they can be sure there's no man in the middle.
Choosing E2EE Software
Management overhead, less-than-perfect call quality and the lack of verified encryption have slowed but not but not stopped E2EE product development. A surge of new products and a host of enthusiastic users are making more E2EE options available than ever.
The Long, Bumpy Road to E2EE Software
As voice calls have moved away from copper wires and PSTNs to the internet, covert wiretapping activities have moved into the digital and wireless arena. The road from basic encrypted VoIP communications to the verifiable E2EE apps available today included twists, turns and false starts.
- 1991: Pretty Good Privacy, coded by Phil Zimmermann, was released.
- 2004: Off the Record protocol for instant messaging applications was released.
- 2010: TextSecure, an E2EE application for text messaging, was released.
- 2011: ZRTP protocol was introduced to the Internet Engineering Task Force and implemented in several VoIP clients.
- 2011: Apple introduces end-to-end encryption in its iMessage instant messaging app.
- 2014: WhatsApp integrates TextSecure into its Android software.
- 2016: WhatsApp enables end-to-end encryption across all platforms.
- 2016: WhatsApp was blamed for having a back door, which would defeat end-to-end encryption. However, this claim was later disproved.
- 2017: Google gives up its E2EE research project for Google Chrome.
- 2017: Apple iMessage communications are encrypted, but proprietary iMessage encryption doesn't follow all the best current security practices. Also, a recently discovered exploit allows a sophisticated attacker to decrypt iMessage photos and videos.
- 2017: Signal replaced the ZRTP protocol with WebRTC in the latest versions of its applications. Despite its ambitious design and mission, ZRTP cryptographic identity handling failed in practice.
Shopping for E2EE Apps
What a difference five years make! Since 2012, many new products and processes have become part of the VoIP security landscape. Where there were only Skype and FaceTime in 2012, now there are many E2EE solutions and developers.
Most of these developers offer platform-specific mobile SDKs. With this software, you can integrate a secure VoIP solution into your corporate security infrastructure. But, what should you look for when you shop for E2EE apps? Here are some thoughts.
E2EE App Capabilities to Consider
Now that end-to-end encryption has become a buzzword, you can be sure that it’s part of many messaging and voice call apps. Here is a list of capabilities you’ll find in many but not all E2EE applications:
- Messages and voice call services are fully E2EE.
- Messaging E2EE supports non-text content such as GIFs, calls, or videos.
- E2EE-supported apps:
- Send encrypted messages to individuals and groups.
- Place calls.
- Share media and other attachments to telephone contacts.
- A messaging service provides a security verification code, which you can share with a contact to ensure that your conversation is encrypted.
- A “secure shredder" feature, which enables you to securely erase attached files, messages, and other data, should someone try to recover anything.
“Encrypted Chat Took Over. Let’s Encrypt Calls, Too,” by Lilly Hay Newman on April 21, 2017 at https://www.wired.com/2017/04/encrypted-chat-took-now-encrypted-callings-turn/
“VoIP Security: How encrypted VoIP calls are secured from cyber threats,” by Dyrnan Communications on July 12, 2017 at https://www.dyrnan.com/2017/07/12/dyrnan-secure-and-voip/,
“Market Overview: Secure Chat Apps and Messengers for Enterprises,” by Tobias Stepan on July 12, 2017 at https://www.teamwire.eu/company/blog/market-overview-secure-chat-apps-and-messengers-for-enterprises/
“Hacker Lexicon: What Is End-to-End Encryption?” by Andy Greenberg, on November 25, 2014 at https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/
“End-to-End Encryption Now a Killer App for VoIP,” by Mark Zezula, on October 13, 2015 at https://www.edgewaternetworks.com/blog/end-to-end-encryption.
“Why end-to-end encryption is about more than just privacy,” by Zeljka Zorz on September 13, 2017 at https://www.helpnetsecurity.com/2017/09/13/end-to-end-encryption/.
“End-to-end encryption isn’t enough security for ‘real people’.” by Megan Squire on August 14, 2017 at https://phys.org/news/2017-08-end-to-end-encryption-isnt-real-people.html.
“Encryption: More and more companies use it, despite nasty tech headaches,” by Steve Ranger on April 20, 2015 at http://www.zdnet.com/article/encryption-more-and-more-companies-use-it-despite-nasty-tech-headaches/.
“How Classical Cryptography Will Survive Quantum Computers,” by Joshua Holden on February 28, 2017 at http://nautil.us/blog/how-classical-cryptography-will-survive-quantum-computers