TS3Tunnel is a proof of concept showing how easy it is to spy on the private communications of the millions of TeamSpeak 3 users without anyone noticing it. This PoC aims to stress the urgent need for end-to-end encryption as a default.
"TeamSpeak is a proprietary voice-over-Internet Protocol (VoIP) application for audio communication between users on a chat channel, much like a telephone conference call."
TeamSpeak 3 runs on a decentralized infrastructure, meaning that anyone can host their own server. People can then connect to the server using its public IP address.
The problem is that users' voice data transits through these servers unencrypted. It is therefore very easy for the server provider to capture the network traffic and eavesdrop on any conversation taking place on their server. The server provider is not the only one in that position: anyone with access to the network traffic between the TS3 client and server can do the same.
The captured network traffic must be reprocessed to extract only the voice data and produce a working audio stream: this PoC produces a PCM audio stream. Working out how to do this is trivial: it only takes inspecting several samples of captured network traffic between a TS3 client and server.
The packets basically contain metadata such as:
- The CODEC used to compress/decompress the voice data (Speex, Opus, CELT): this PoC only supports the Opus CODEC (it is the default CODEC used by most TeamSpeak 3 servers) but it would be easy to add other CODECs
- Session ID
- Packet ID
- etc.
This PoC is made up of two parts:
- The "server", which must be running on the same machine as the TS3 server (for the sake of simplicity): it captures the network traffic intended for the TS3 server and sends it to...
- ... one or more "clients": a GUI program which plays back the audio communications live or saves them to a file. It is possible to choose which sessions (i.e. users) to eavesdrop on.
This PoC shows it is trivial for anyone having access to the network traffic between a TS3 client and server (e.g. TS3 server providers, ISPs, anyone in your house having access to the home router) to record private communications, or even listen to them as they are happening. Furthermore, this can be done on a massive scale without anyone noticing it.
To enhance privacy and avoid any abuse, we need end-to-end encryption as a default.
- Install dependencies and tools: `apt-get install g++ make qtdeclarative5-dev qt5-default libpcap-dev`
- Generate the Makefile using qmake: `qmake TS3TunnelServer.pro`
- Compile: `make`
- Run as root (needed for packet capture)
Tested with:
- Debian GNU/Linux 9.4 (stretch) AMD64
- GCC 6.3.0
- Qt 5.7.1
- libpcap 1.8.1
Tested with:
- Windows 10 x64
- Visual Studio 2015 update 3 (compiling for x86)
- Qt 5.10.1
- PortAudio 19.0.6