• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Home
  • Research
  • Publications
  • People
  • Teaching
  • Media Outreach
  • News
  • AI Spies News

SPIES Lab, Computer Science and Engineering

Texas A&M University College of Engineering

Crypto Phones Security and Usability

Crypto Phones represent an important approach for end-to-end VoIP security, claiming to prevent “wiretapping” and session hijacking attacks without relying upon third parties. For slightly more detail about Crypto Phones please refer to our Wiretapping Via Mimicry project or the following figure.

Figure 1: Crypto Phones benign setting – original voices; matching SAS (this is the setting subject to our usability assessment).

Figure 1: Crypto Phones benign setting – original voices; matching SAS (this is the setting subject to our usability assessment).

In order to establish a secure session, Crypto Phones rely upon end users to perform two tasks: (1) checksum comparison: verbally communicating and matching short checksums displayed on users’ devices, and (2) speaker verification: ascertaining that the voice announcing the checksum is the voice of the legitimate user at the other end. However, the human errors in executing these tasks may adversely affect the security and usability of Crypto Phones. Particularly, failure to detect mismatching checksums or imitated voices would result in a compromise of Crypto Phones session communications.
We present a human factors study, with 128 online participants, investigating the security and usability of Crypto Phones with respect to both checksum comparison and speaker verification. To mimic a realistic VoIP scenario, we conducted our study using the WebRTC platform where each participant made a call to our IVR server via a browser, and was presented with several challenges having matching and mismatching checksums, spoken in the legitimate user’s voice, different speakers’ voices and automatically synthesized voices. Our results show that Crypto Phones offer a weak level of security (significantly weaker than that guaranteed by the underlying protocols), and their usability is low (although might still be acceptable). Quantitatively, the overall average likelihood of failing to detect an attack session was about 25-50%, while the average likelihood of accepting a legitimate session was about 75%. Moreover, while the theory promises an exponential increase in security with increase in checksum size, we found a degradation in security when moving from 2-word checksum to 4-word checksum.

People

Faculty

  • Nitesh Saxena

Student

  • Maliheh Shirvanian (PhD candidate)

Publication

  • On the security and usability of crypto phones.
    Maliheh Shirvanian, Nitesh Saxena.
    In the Annual Computer Security Applications Conference (ACSAC), December, 2015.
    [pdf]

Media Coverage

  • Users their own worst enemy when it comes to encrypted messaging apps, Graham Cluley, Dec 18, 2015
  • User Error Compromises Many Encrypted Communication Apps, MIT Technology Review, Dec 14, 2015
  • Dumb Human Errors Can Undermine the Security of Encrypted Communication Apps, Gizmodo, Dec 15, 2015
  • User Errors Often Compromise Encryption, Schneier on Security, Dec 17, 2015
  • Human error reduces security offered by encryption apps, Net Security, Dec 18, 2015
  • University Researchers Discover Security Flaws in VoIP ‘Crypto Phones’, EdTech, Nov 26, 2014
  • Cisco funds university research into VoIP security, Networked World, Nov 12, 2014
  • Mobile VoIP Security Vulnerable to Mimicry Attacks, CACM News, Nov 6, 2014
  • New research shows vulnerability in mobile phones’ applications offering voice communication security, Science Daily, Nov 5, 2014
  • New research shows vulnerability in mobile phones’ applications offering voice communication security, Phys.org, Nov 6, 2014
  • VoIP ‘Crypto’ Phones Can Be Fooled by Voice Impersonation, VOIP Monitoring Zone, Dec 3, 2014
  • Wiretapping via Mimicry: UAB Research Highlights a Fundamental Vulnerability of a Secure Communication Technology, UAB News, Nov 5, 2014
  • How secure is Skype? UAB gets $150K to improve VoIP security. Birmingham Business Journal, July 19, 2013
  • UAB research to improve online communication security, UAB News, July 17, 2013

Recent News

  • Paper accepted to ACM CCS 2025 July 2, 2025
  • News: Security and Accessibility Gaps in Web Authentication for Blind and Visually Impaired Users June 30, 2025
  • Paper accepted to ICME 2025 June 24, 2025
  • SPIES Lab’s Browser Fingerprinting Work in the News June 23, 2025
  • Journal paper accepted to IEEE TIFS June 19, 2025
  • SPIES Lab’s Browser Fingerprinting Work Features in News June 18, 2025
  • Paper Accepted to USENIX Security 2025 June 6, 2025
  • 2 Papers Accepted to PST 2025 June 6, 2025
  • AI Spies News — BPSniff (IEEE S&P 2025) Paper News Story May 12, 2025
  • Launching the AI Spies News Channel May 12, 2025
  • Paper accepted to WiSec 2025 May 11, 2025
  • SPIES Lab’s Secure Messaging Work Features in News May 3, 2025
  • SPIES Lab Student to Start as an Assistant Professor April 18, 2025
  • Dr. Saxena’s Primer on Secure Communications in News Media March 31, 2025
  • Dr. Saxena recognized with the Dean’s Excellence Award! February 14, 2025
  • Dr. Saxena appointed as the Senior Area Editor, IEEE TIFS February 6, 2025
  • 2 Full Papers Accepted to WWW 2025 January 20, 2025
  • Journal paper accepted to IEEE TMC December 18, 2024
  • New post-doctoral researcher joins the lab December 11, 2024
  • Paper Accepted to ACM Computing Surveys 2024 November 30, 2024

© 2016–2025 SPIES Lab, Computer Science and Engineering Log in

Texas A&M Engineering Experiment Station Logo
  • College of Engineering
  • Facebook
  • Twitter
  • State of Texas
  • Open Records
  • Risk, Fraud & Misconduct Hotline
  • Statewide Search
  • Site Links & Policies
  • Accommodations
  • Environmental Health, Safety & Security
  • Employment