1. bookVolume 2017 (2017): Issue 1 (January 2017)
Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year
access type Open Access

Phonion: Practical Protection of Metadata in Telephony Networks

Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year

The majority of people across the globe rely on telephony networks as their primary means of communication. As such, many of the most sensitive personal, corporate and government related communications pass through these systems every day. Unsurprisingly, such connections are subject to a wide range of attacks. Of increasing concern is the use of metadata contained in Call Detail Records (CDRs), which contain source, destination, start time and duration of a call. This information is potentially dangerous as the very act of two parties communicating can reveal significant details about their relationship and put them in the focus of targeted observation or surveillance, which is highly critical especially for journalists and activists. To address this problem, we develop the Phonion architecture to frustrate such attacks by separating call setup functions from call delivery. Specifically, Phonion allows users to preemptively establish call circuits across multiple providers and technologies before dialing into the circuit and does not require constant Internet connectivity. Since no single carrier can determine the ultimate destination of the call, it provides unlinkability for its users and helps them to avoid passive surveillance. We define and discuss a range of adversary classes and analyze why current obfuscation technologies fail to protect users against such metadata attacks. In our extensive evaluation we further analyze advanced anonymity technologies (e.g., VoIP over Tor), which do not preserve our functional requirements for high voice quality in the absence of constant broadband Internet connectivity and compatibility with landline and feature phones. Phonion is the first practical system to provide guarantees of unlinkable communication against a range of practical adversaries in telephony systems.


[1] JackPair: secure your voice phone calls against wiretapping. https://www.kickstarter.com/projects/620001568/jackpairsafeguard-your-phone-conversation/video_share.Search in Google Scholar

[2] C. Action and the National Consumers League. Protect your phone records. http://www.consumer-action.org/downloads/english/Pretexting.pdf, 2007.Search in Google Scholar

[3] Ad Hoc Labs. Burner: Free phone number, temporary disposable numbers. http://www.burnerapp.com/.Search in Google Scholar

[4] C. Aguilar Melchor, Y. Deswarte, and J. Iguchi-Cartigny.Closed-circuit unobservable Voice over IP. In Annual Computer Security Applications Conference. IEEE, 2007.Search in Google Scholar

[5] Android Developers Documentation. Android Debug Bridge. http://developer.android.com/tools/help/adb.html.Search in Google Scholar

[6] V. A. Balasubramaniyan, A. Poonawalla, M. Ahamad, M. T.Hunter, and P. Traynor. PinDr0P: using single-ended audio features to determine call provenance. In ACM Conference on Computer and Communications Security, 2010.Search in Google Scholar

[7] M. Baugher. The Secure Real-time Transport Protocol (SRTP). IETF RFC 3711, Mar. 2013. https://rfc-editor.org/rfc/rfc3711.txt.Search in Google Scholar

[8] E. Ben Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza. Zerocash: Decentralized anonymous payments from Bitcoin. In 2014 IEEE Symposium on Security and Privacy (SP), 2014.Search in Google Scholar

[9] A. Biryukov and I. Pustogarov. Proof-of-work as anonymous micropayment: Rewarding a Tor relay. In Financial Cryptography and Data Security 2015, 2015.Search in Google Scholar

[10] N. Borisov, G. Danezis, P. Mittal, and P. Tabriz. Denial of service or denial of security? In ACM Conference on Computer and Communications Security, 2007.Search in Google Scholar

[11] M. Bowman. Employers can snoop through your cell phone. http://blogs.lawyers.com/2013/01/employers-snoop-through-cell-phone/, 2013.Search in Google Scholar

[12] V. Buterin. A next-generation smart contract and decentralized application platform, 2014. https://github.com/ethereum/wiki/wiki/White-Paper.Search in Google Scholar

[13] J. Callas, A. Johnston, and P. Zimmermann. ZRTP: Media path key agreement for unicast secure RTP. IETF RFC 6189, Oct. 2015. https://rfc-editor.org/rfc/rfc6189.txt.Search in Google Scholar

[14] D. L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2), 1981.Search in Google Scholar

[15] C. Chen, D. E. Asoni, D. Barrera, G. Danezis, and A. Perrig. HORNET: high-speed onion routing at the network layer. In ACM Conference on Computer and Communications Security, 2015.Search in Google Scholar

[16] S. Chen, X. Wang, and S. Jajodia. On the anonymity and traceability of peer-to-peer VoIP calls. IEEE Network, 20(5), 2006.Search in Google Scholar

[17] Cisco Systems. Understanding codecs: Complexity, hardware support, MOS, and negotiation. http://www.cisco.com/c/en/us/support/docs/voice/h323/14069-codec-complexity.html#mos.Search in Google Scholar

[18] G. Danezis, C. Diaz, C. Troncoso, and B. Laurie. Drac: An architecture for anonymous low-volume communications. In Privacy Enhancing Technologies, 2010.Search in Google Scholar

[19] G. Danezis and A. Serjantov. Statistical disclosure or intersection attacks on anonymity systems. In International Workshop on Information Hiding, 2004.Search in Google Scholar

[20] Digium Inc. Asterisk. http://www.asterisk.org.Search in Google Scholar

[21] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-generation onion router. In USENIX Security Symposium, 2004.Search in Google Scholar

[22] B. Doherty. Vodafone australia admits hacking Fairfax journalist’s phone. http://www.theguardian.com/business/2015/sep/13/vodafone-australia-admits-hacking-fairfaxjournalists-phone, 2015.Search in Google Scholar

[23] M. Edman and B. Yener. On anonymity in an electronic society: A survey of anonymous communication systems.ACM Computing Survey, 42(1), Dec. 2009.Search in Google Scholar

[24] Electronic Frontier Foundation. NSA spying. https://www.eff.org/nsa-spying.Search in Google Scholar

[25] Ethereum. Solidity 0.2.0 documentation. http://solidity.readthedocs.io/en/latest/index.html.Search in Google Scholar

[26] H. Federrath, A. Jerichow, D. Kesdogan, and A. Pfitzmann.Security in public mobile communication networks. In IFIP TC6 International Workshop on Personal Wireless Communications, 1995.Search in Google Scholar

[27] J. Feigenbaum, A. Johnson, and P. Syverson. Probabilistic analysis of onion routing in a black-box model. ACM Transactions on Information and Systems Security, 15(3), 2012.Search in Google Scholar

[28] A. Fessi, N. Evans, H. Niedermayer, and R. Holz. Pr2- P2PSIP: privacy preserving P2P signaling for VoIP and IM. In Principles, Systems and Applications of IP Telecommunications, 2010.Search in Google Scholar

[29] D. M. Goldschlag, M. G. Reed, and P. F. Syverson. Hiding routing information. In International Workshop on Information Hiding, 1996.Search in Google Scholar

[30] Google Inc. Google Voice. https://www.google.com/voice.Search in Google Scholar

[31] ITU-T. The E-model: A computational model for use in transmission planning. https://www.itu.int/rec/T-RECG.107.Search in Google Scholar

[32] ITU-T. P.862: Perceptual evaluation of speech quality (PESQ): An objective method for end-to-end speech quality assessment of narrow-band telephone networks and speech codecs. http://www.itu.int/rec/T-REC-P.862.Search in Google Scholar

[33] D. Kaplan. Suspicions and spies in Silicon Valley. http://www.newsweek.com/suspicions-and-spies-silicon-valley-109827, 2006.Search in Google Scholar

[34] H. Kargupta, S. Datta, Q. Wang, and K. Sivakumar. On the privacy preserving properties of random data perturbation techniques. In IEEE International Comference on Data Mining, 2003.Search in Google Scholar

[35] G. Karopoulos, G. Kambourakis, and S. Gritzalis. PrivaSIP: Ad-hoc identity privacy in SIP. Computer Standards & Interfaces, 33(3), 2011.Search in Google Scholar

[36] G. Karopoulos, G. Kambourakis, S. Gritzalis, and E. Konstantinou.A framework for identity privacy in SIP. Journal of Network and Computer Applications, 33(1), Jan. 2010.Search in Google Scholar

[37] A. D. Keromytis. A comprehensive survey of voice over IP security research. IEEE Communications Surveys & Tutorials, 14(2), 2012.Search in Google Scholar

[38] S. Le Blond, D. Choffnes, W. Caldwell, P. Druschel, and N. Merritt. Herd: A scalable, traffic analysis resistant anonymity network for VoIP systems. SIGCOMM Comput. Commun. Rev., 45(4), 2015.Search in Google Scholar

[39] M. Liberatore, B. Gurung, B. N. Levine, and M. Wright.Empirical tests of anonymous voice over IP. Journal of Network and Computer Applications, 34(1), 2011.Search in Google Scholar

[40] N. Mathewson and R. Dingledine. Practical Traffic Analysis: Extending and Resisting Statistical Disclosure. In Privacy Enhancing Technologies, 2005.Search in Google Scholar

[41] S. E. McGregor, P. Charters, T. Holliday, and F. Roesner.Investigating the computer security practices and needs of journalists. In USENIX Security Symposium, Aug. 2015.Search in Google Scholar

[42] T. Meyer. No warrant, no problem: How the government can get your digital data. https://www.propublica.org/special/no-warrant-no-problem-how-the-government-can-stillget-your-digital-data, June 2014.Search in Google Scholar

[43] S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system. http://bitcoin.org/bitcoin.pdf, 2008.Search in Google Scholar

[44] N. O’Brien. Mobile security outrage: Private details accessible on net. http://www.smh.com.au/technology/security/mobile-security-outrage-private-details-accessible-on-net-20110108-19j9j.html, 2011.Search in Google Scholar

[45] Open Whisper Systems. Signal. https://whispersystems.org.Search in Google Scholar

[46] A. Pfitzmann, B. Pfitzmann, and M. Waidner. ISDN-mixes: Untraceable communication with very small bandwidth overhead.In Kommunikation in verteilten Systemen, volume 267, 1991.Search in Google Scholar

[47] A. Pfitzmann and M. Waidner. Networks without user observability - design options. In Advances in Cryptology - EUROCRYPT. International Conference on the Theory and Applications of Cryptographic Techniques, 1986.Search in Google Scholar

[48] A. Ramo. Voice quality evaluation of various codecs. In IEEE International Conference on Acoustics Speech and Signal Processing, March 2010.Search in Google Scholar

[49] B. Reaves, L. Blue, and P. Traynor. AuthLoop: Practical end-to-end cryptographic authentication for telephony over voice channels. In USENIX Security Symposium, Aug. 2016.Search in Google Scholar

[50] B. Reaves, E. Shernan, A. Bates, H. Carter, and P. Traynor.Boxed out: Blocking cellular interconnect bypass fraud at the network edge. In USENIX Security Symposium, 2015.Search in Google Scholar

[51] M. Rizal. A Study of VoIP performance in anonymous network - The onion routing (Tor). PhD thesis, Niedersächsische Staats-und Universitätsbibliothek Göttingen, 2014.Search in Google Scholar

[52] A. Ronacher. Flask (A Python microframework). http: //flask.pocoo.org/.Search in Google Scholar

[53] J. Sanchez. Verizon employees fired after peeping Obama cell records. http://arstechnica.com/tech-policy/2008/11/verizon-employees-suspended-after-peeping-obama-cellrecords/, 2008.Search in Google Scholar

[54] J. Sanchez. Other uses of the NSA call records database - Fingerprinting burners? http://justsecurity.org/1971/nsacall-records-database-fingerprinting-burners/, Oct. 2013.Search in Google Scholar

[55] G. W. Schulz. Virginia police have been secretively stockpiling private phone records. http://www.wired.com/2014/10/virginia-police-secretively-stockpiling-private-phonerecords/, Oct. 2014.Search in Google Scholar

[56] M. Schwartz. Lose the burners: Court okays prepaid phone tracking. http://www.informationweek.com/security/mobile/lose-the-burners-court-okays-prepaid-pho/240005614, Aug. 2012.Search in Google Scholar

[57] Selenium HQ. Selenium WebDriver. http://www.seleniumhq.org.Search in Google Scholar

[58] R. Siciliano. Protecting mail from identity theft. http: //robertsiciliano.com/blog/2011/03/22/protecting-mailfrom- identity-theft/, 2011.Search in Google Scholar

[59] Silent Circle. SilentPhone. https://www.silentcircle.com/products-and-solutions/software/.Search in Google Scholar

[60] The Guardian Project. Orbot: Mobile anonymity + circumvention. https://guardianproject.info/apps/orbot/.Search in Google Scholar

[61] The Register. The death of voice: Mobile phone calls now 50 per cent shorter. http://www.theregister.co.uk/2013/01/30/mobile_phone_calls_shorter/.Search in Google Scholar

[62] The Tor Project. Mumble - Tor bug tracker & wiki. https: //wiki.mumble.info/wiki/Main_Page.Search in Google Scholar

[63] Twilio. APIs for text messaging, VoIP & voice in the cloud. https://www.twilio.com.Search in Google Scholar

[64] O. Verscheure, M. Vlachos, A. Anagnostopoulos, P. Frossard, E. Bouillet, and P. S. Yu. Finding ”who is talking to whom” in VoIP networks via progressive stream clustering. In International Conference on Data Mining. IEEE, 2006.Search in Google Scholar

[65] A. M. White, A. R. Matthews, K. Z. Snow, and F. Monrose.Phonotactic reconstruction of encrypted VoIP conversations. In IEEE Symposium on Security and Privacy, 2011. Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo