Wiretapping End-to-End Encrypted VoIP Calls: Real-World Attacks on ZRTP

Dominik Schürmann 1 , Fabian Kabus 2 , Gregor Hildermeier 3 ,  and Lars Wolf 4
  • 1 TU Braunschweig,
  • 2 TU Braunschweig,
  • 3 TU Braunschweig,
  • 4 TU Braunschweig,


Voice calls are still one of the most common use cases for smartphones. Often, sensitive personal information but also confidential business information is shared. End-to-end security is required to protect against wiretapping of voice calls. For such real-time communication, the ZRTP key-agreement protocol has been proposed. By verbally comparing a small number of on-screen characters or words, called Short Authentication Strings, the participants can be sure that no one is wiretapping the call. Since 2011, ZRTP is an IETF standard implemented in several VoIP clients.

In this paper, we analyzed attacks on real-world VoIP systems, in particular those implementing the ZRTP standard. We evaluate the protocol compliance, error handling, and user interfaces of the most common ZRTP-capable VoIP clients. Our extensive analysis uncovered a critical vulnerability that allows wiretapping even though Short Authentication Strings are compared correctly. We discuss shortcomings in the clients’ error handling and design of security indicators potentially leading to insecure connections.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Devdatta Akhawe and Adrienne Porter Felt. Alice in warningland: A large-scale field study of browser security warning effectiveness. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), pages 257–272, Washington, D.C., 2013. USENIX.

  • [2] akwizgran. basic-english. https://github.com/akwizgran/basic-english. (Accessed: 10/2016).

  • [3] K. Bhargavan, C. Brzuska, C. Fournet, M. Green, M. Kohlweiss, and S. Zanella-Béguelin. Downgrade resilience in key-exchange protocols. In IEEE Symposium on Security and Privacy (SP), pages 506–525, May 2016.

  • [4] R. Bresciani and A. Butterfield. A formal security proof for the ZRTP protocol. In International Conference for Internet Technology and Secured Transactions (ICITST), pages 1–6, Nov 2009.

  • [5] Riccardo Bresciani. The ZRTP protocol analysis on the diffie-hellman mode. Computer Science Department Technical Report TCD-CS-2009-13, Trinity College Dublin, 2009.

  • [6] Riccardo Bresciani and Andrew Butterfield. ProVerif analysis of the ZRTP protocol. International Journal for Infonomics (IJI), 3(3), 2010.

  • [7] Sergej Dechand, Dominik Schürmann, Karoline Busse, Yasemin Acar, Sascha Fahl, and Matthew Smith. An Empirical Study of Textual Key-Fingerprint Representations. In 25th USENIX Security Symposium (USENIX Security 16), pages 193–208, Austin, TX, August 2016. USENIX.

  • [8] Werner Dittmann. ZRTP4PJ README. https://github.com/wernerd/ZRTP4PJ/tree/develop, 2015. (Accessed: 10/2016).

  • [9] Electronic Frontier Foundation. Secure Messaging Scorecard. https://www.eff.org/secure-messaging-scorecard, November 2014.

  • [10] Facebook. Messenger Secret Conversations. https://fbnewsroomus.files.wordpress.com/2016/07/secret_conversations_whitepaper-1.pdf, July 2016.

  • [11] Michael Farb, Yue-Hsun Lin, Tiffany Hyun-Jin Kim, Jonathan McCune, and Adrian Perrig. SafeSlinger: easy-to-use and secure public-key exchange. In Proceedings of the 19th annual international conference on Mobile computing & networking, pages 417–428. ACM, 2013.

  • [12] Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Embre Acer, Elisabeth Morant, and Sunny Consolvo. Rethinking Connection Security Indicators. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), pages 1–14, Denver, CO, June 2016. USENIX.

  • [13] Guardianproject. Open {Secure, Source, Standards} Telephony Network (OSTN). https://dev.guardianproject.info/projects/ostn/wiki/Wiki, April 2016.

  • [14] Prateek Gupta and Vitaly Shmatikov. Security Analysis of Voice-over-IP Protocols. In 20th IEEE Computer Security Foundations Symposium (CSF 2007), pages 49–63, Venice, Italy, July 2007.

  • [15] Helmut Hlavacs, Wilfried Gansterer, Hannes Schabauer, Joachim, Martin Petraschek, Thomas Hoeher, and Oliver Jung. Enhancing ZRTP by using Computational Puzzles. Journal of Universal Computer Science, 14(5), 2008.

  • [16] IETF. SIP Working Group. https://datatracker.ietf.org/wg/sip/, July 2009.

  • [17] O. Jung, M. Petraschek, T. Hoeher, and I. Gojmerac. Using sip identity to prevent man-in-the-middle attacks on zrtp. In 2008 1st IFIP Wireless Days, pages 1–5, November 2008.

  • [18] Patrick Juola. Isolated-Word Confusion Metrics and the PGPfone Alphabet. In International Conference on New Methods in Natural Language Processing, 1996.

  • [19] Patrick Juola. Whole-word phonetic distances and the PGPfone alphabet. In Fourth International Conference on Spoken Language (ICSLP 96), volume 1, pages 98–101 vol.1, October 1996.

  • [20] Kamailio. Kamailio SIP-Server. https://www.kamailio.org. (Accessed: 10/2016).

  • [21] Moxie Marlinspike. Creating a low-latency calling network. https://whispersystems.org/blog/low-latency-switching/, January 2013.

  • [22] Aaron van den Oord, Sander Dieleman, Heiga Zen, Karen Simonyan, Oriol Vinyals, Alex Graves, Nal Kalchbrenner, Andrew Senior, and Koray Kavukcuoglu. Wavenet: A generative model for raw audio. arXiv preprint arXiv:1609.03499, 2016.

  • [23] Saurabh Panjwani and Achintya Prakash. Crowdsourcing Attacks on Biometric Systems. In Symposium On Usable Privacy and Security (SOUPS 2014), pages 257–269, Menlo Park, CA, July 2014. USENIX.

  • [24] Martin Petraschek, Thomas Hoeher, Oliver Jung, Helmut Hlavacs, and Wilfried Gansterer. Security and Usability Aspects of Man-in-the-Middle Attacks on ZRTP. Journal of Universal Computer Science, 14(5):673–692, 2008.

  • [25] Pew Research Center. The Smartphone Difference. http://www.pewinternet.org/2015/04/01/us-smartphone-use-in-2015/, April 2015.

  • [26] PjProject. PjProject. http://pjsip.org/, 2015. (Accessed: 10/2016).

  • [27] Peter Saint-Andre. Use of ZRTP in Jingle RTP Sessions. XEP-0262, June 2011.

  • [28] Dominik Schürmann and Stephan Sigg. Poster: Handsfree ZRTP - A Novel Key Agreement for RTP, Protected by Voice Commitments. In Symposium On Usable Privacy and Security (SOUPS), July 2013.

  • [29] Joe Beda Peter Saint-Andre Robert McQueen Sean Egan Scott Ludwig and Joe Hildebrand. Jingle. XEP-0166, May 2016.

  • [30] Peter Saint-Andre Sean Egan Robert McQueen Scott Ludwig and Diana Cionoiu. Jingle RTP Sessions. XEP-0167, July 2016.

  • [31] Maliheh Shirvanian and Nitesh Saxena. Wiretapping via Mimicry: Short Voice Imitation Man-in-the-Middle Attacks on Crypto Phones. In Proc. of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 14), pages 868–879, New York, NY, USA, 2014. ACM.

  • [32] Maliheh Shirvanian and Nitesh Saxena. On the security and usability of crypto phones. In Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, pages 21–30, New York, NY, USA, 2015. ACM.

  • [33] Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor. Crying wolf: An empirical study of ssl warning effectiveness. In Proceedings of the 18th Conference on USENIX Security Symposium, SSYM’09, pages 399–416, Berkeley, CA, USA, 2009. USENIX.

  • [34] N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg, and M. Smith. SoK: Secure Messaging. In IEEE Symposium on Security and Privacy, pages 232–249, May 2015.

  • [35] WhatsApp. WhatsApp Encryption Overview. https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf, April 2016.

  • [36] Wikipedia. Commitment scheme. http://en.wikipedia.org/wiki/Commitment_scheme. (Accessed: 10/2016).

  • [37] P. Zimmermann, A. Johnston, and J. Callas. ZRTP: Media Path Key Agreement for Unicast Secure RTP. RFC 6189 (Informational), April 2011.


Journal + Issues