Is the Short Authentication String (SAS) vulnerable to an attacker with voice impersonation capabilities?
In practical terms, no. It is a mistake to think this is simply an exercise in voice impersonation (perhaps this could be called the “Rich Little” attack). Although there are digital signal processing techniques for changing a person’s voice, that does not mean a man-in-the-middle attacker can safely break into a phone conversation and inject his own short authentication string (SAS) at just the right moment. He doesn’t know exactly when or in what manner the users will choose to read aloud the SAS, or in what context they will bring it up or say it, or even which of the two speakers will say it, or if indeed they both will say it. In addition, some methods of rendering the SAS involve using a list of words, notably the PGP word list, in a manner analogous to how pilots use the NATO phonetic alphabet to convey information. This can make it even more complicated for the attacker, because these words can be worked into the conversation in unpredictable ways. Remember that the attacker pl