Edited form of my comment from <a href="http://news.ycombinator.com/item?id=2590731" rel="nofollow">http://news.ycombinator.com/item?id=2590731</a>, which discussed the same finding:<p>- Skype's encryption algorithm is not, itself, broken;<p>- Skype uses a "prediction" algorithm (LPC) to compress voice streams;<p>- therefore, words etc. have a specific pattern of bandwidth use;<p>- bandwidth use of encrypted compressed data is equal to bandwidth use of data that has only been compressed;<p>- these patterns (which can be detected "through" the encryption) allow fairly good reconstruction of the voice stream.<p>If you like this kind of thing, Google "ssh keystroke timing attacks", or, more generally, "traffic analysis".
The article isn't really clear, you need to read the paper. Quick summary:<p>They can use the size of the packets to find boundaries to different phonemes, which can then be used to check for e.g. what language is used, or even against known phrases. They have also had some success at determining which phonemes are used based solely on the length of the VBR packets.
Interesting. They are using frequency analysis[1] of LPC phonemes rather than characters. This implies the sound is not encrypted at all (security by obscurity). It definitely implies the (voice) data stream is not being encrypted as a stream.<p>[1] <a href="http://en.wikipedia.org/wiki/Frequency_analysis" rel="nofollow">http://en.wikipedia.org/wiki/Frequency_analysis</a>