Evaluation of Attacks against ZRTP

Abstract:

In times where communication systems must be designed with powerful nation-state ad- versarys in mind, the need for reliable and tested security standards is higher than ever before. Subject of our investigations is the de-facto standard key exchange protocol for VoIP applications: ZRTP. In this paper, we explore possible attacks to stealthly eavesdrop ZRTP-secured communications, after a Man-in-the-Middle attack has been achieved. Two main contributions are made: We conduct a case study of ZRTP implementations with fo- cus on user interaction by provoking errors in the exchange. Further we analyze the for- gability of Short Authentication Strings (SAS) used to detect Man-in-the-Middle attacks by applying probability theory. We find substantial flaws in the user interaction in some implementations, standard incompliance in others, as well as a devastating vulnerability that allows to completely bypass ZRTP-protection using standard hardware. The proba- bility analysis shows why previous SAS forging techniques have been so applicable. The findings are used to conclude design guidelines for precise security feature expression in implementations, as well as user recommendations that might defy all SAS forge attacks.