Researchers hide messages in a sea of spam

The system mimics Tor by bouncing messages around servers, but shields metadata with fake 'noise.'

Sponsored Links

Steve Dent
December 14, 2015 9:22 AM
Researchers hide messages in a sea of spam

Researchers are trying quantum cryptography and other exotic ways to keep your missives safe, but here's a new one: junk mail. A team of computer scientists from MIT's CSAIL have devised a system called "Vuvuzela" that adds noise to messages, making them virtually untraceable to the recipient or sender. While it uses nodes like the Tor "dark internet" router, it only requires a few servers and relies more on numerous fake messages to confuse hackers. If scaled up, the technique could give you nearly mathematical certainty that your messages and even metadata are secure.

With the system, messages are never sent directly; instead, users deposit encrypted messages in a "dead drop" server mailbox. The exchange of messages is never initiated by the user -- something that could be detected by hackers -- but instead happens in "rounds" every 10-20 seconds. That increases security dramatically, but bad guys could still access metadata info by, say, knocking one user offline to see if the number of messages decreases. That's where the spam comes in -- each server sends "cover traffic" messages to random mailboxes to hide individual users' activities. The system even works even if many of the servers have been infiltrated, provided some are still "clean."

The scheme would be particularly useful to users worried about NSA-style mass surveillance, like whistleblowers or reporters. (Of course, like many legitimate services, it could also be misused by bad guys.) The drawback is the speed -- since server rounds are performed at set intervals, message speeds are limited to those times. The researchers ran a simulation on Amazon EC2 servers, and with a million simulated users and 15,000 messages per second, system latency was a foot-tapping 44 seconds per message. They plan to scale it up to see if that time can be improved, but we imagine that users who absolutely can't have messages traced back to them are cool with a small delay.

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
View All Comments
Researchers hide messages in a sea of spam