1

I am asking the questions because of the latest news: https://www.bbc.com/news/world-middle-east-50095448

I wonder how the ISP can detect the use of call and video calls, without detecting or blocking the rest of the app?

Filipon
  • 1,204
  • 10
  • 22
  • 7
    This is basically the same as [How do countries block encrypted protocols like Skype?](https://security.stackexchange.com/questions/57716) only for WhatsApp. The answers there apply here too. See also [YES! Encrypted Traffic Can Be Classified](https://www.qosmos.com/blog_qosmos/yes-encrypted-traffic-can-be-classified/) from a vendor of such DPI based detection. And note that the classification does not need to be fully reliable - if it disrupts half of the calls (blocking, delaying...) and has zero false positives it will be enough to annoy users and let them abandon WhatsApp calls. – Steffen Ullrich Oct 19 '19 at 15:08
  • 2
    All the ISP would have to do is check for connections going to the WhatsApp servers on whatever port(s) WhatsApp uses, and block them. Encrypted or not, it's still gotta connect somewhere. They don't need to see inside the traffic to know where it's going - headers aren't encrypted, just the data. – Jesse P. Oct 19 '19 at 15:39
  • 2
    @JesseP.: The OP is not asking how WhatsApp can be detected but specifically how audio and video calls can be detected. The ISP don't want to block WhatsApp but only audio and video since these conflict with their business model of providing calls themselves. In other words: the OP asks how they block audio/video without blocking the rest of WhatsApp. – Steffen Ullrich Oct 19 '19 at 16:57
  • @SteffenUllrich Fair enough, though the question doesn't actually say anything about ONLY blocking audio/video and not blocking the rest (text chat); that's just an assumption at this point. – Jesse P. Oct 19 '19 at 17:00
  • Not its not assumptions jesse.If you read the article its written there. – yeah_well Oct 19 '19 at 17:17
  • 1
    @VipulNair Unless they literally say "without detecting or blocking the rest of the app", it's an assumption that that's what they were implying. – Jesse P. Oct 19 '19 at 17:19
  • 1
    fair enough.I will admit. – yeah_well Oct 19 '19 at 17:26
  • @JesseP. - I will add it to the question. – Filipon Oct 20 '19 at 16:19

2 Answers2

1

ISPs in general can detect VoIP connections because these network flows in general have specific network metrics such as , constant rate, a relationship between up stream and downstream and some more. However, some applications such Skype the embed all encrypted traffic on one network flow, make impossible to know how many messages has been sent. In the case of whatsappp you can take some samples and analyze but I suspect that works in a similar way as skype.

camp0
  • 2,172
  • 1
  • 10
  • 10
1

Whatsapp asynchronous messaging and calling use different protocols for communication. For messaging it uses XMPP and for VoIP it uses SRTP for multimedia communication.

Both can be distinguished by their different traffic fingerprints. SRTP uses UDP as transport protocol and media elements are end-to-end encrypted. While directly analysing the UDP header does not reveal the presence of SRTP but analysing the behaviour of UDP traffic can determine if it's VoIP. VoIP uses more bandwidth and rate of incoming and outgoing traffic is nearly equal. It also has more network congestion due to synchronous flow of traffic. Combining these deterministic behaviour with average packet size of compressed voice, VoIP can be detected. Deep packet inspection uses more factors to fingerprint network protocols than mentioned.

An ISP cannot block VoIP from initialising because the signalling mechanism that establishes peer-to-peer channel is done via signalling server which is in this case is WhatsApp server. Blocking the server will block network activity for entire app. VoIP use ephemeral port so you can't associate specific open port with VoIP. Being peer-to-peer there is no server to block. ISP requires atleast some amount of data metrics from an active connection to determine VoIP communication.

Like WhatsApp, Facebook Messenger, Instagram and Signal are other apps which make use of WebRTC for NAT traversal and VoIP communication so same detection techniques apply to these apps also.

defalt
  • 6,231
  • 2
  • 22
  • 37