Company Makes Inconspicuous Secure Cellphone

dponce80 writes "With concerns over privacy at an all-time high, it's refreshing to hear that Swiss company VectroTel is making a secure mobile phone. The X8 encrypts secure calls (the unit is also able to make regular calls) with a virtually unbreakable 128-bit key, itself generated through a Diffie-Hellman exchange. While transmission does get somewhat delayed, communication is secure."

What does this mean for eavesdropping?

[kneeslasher]

Does this mean that Government agencies cannot listen to our oh-so-important phone calls? Typical. Millions if not billions of our tax money wasted if this technology becomes widely adopted.

Re:What does this mean for eavesdropping?

[Bromskloss]

Millions if not billions of our tax money wasted if this technology becomes widely adopted.

Which is of course better than both having spent all the money _and_ then getting harmed (spied on) by it.

Re:What does this mean for eavesdropping?

[kneeslasher]

I think the above post should be taken in the spirit it was written: as a good joke suitable for chuckles all round. Would that I had mod points to mod it funny. Possibly we should petition /. to create a new type of modifier: ironic, but I fear its subtlety would be lost upon the majority.

Just in case the parent was not tongue in cheek:

Is it only myself for whom liberty from large entities (like the Goverment) is worth purchasing with a risk? Didn't many brave souls die for this in the past and continue to do so? Isn't that the bargain: liberty (and eternal vigilance), or the illusion of security?

Re:What does this mean for eavesdropping?

[advocate_one]

Somehow I fail to feel harmed if someone hears my conversations.

would you be happy then if the "government" listened in on your phonecalls with your lawyer? or your tax attorney? or your doctor? or your psychiatrist? or your stockbroker? or your mistress? or your wife? or your election campaign manager? or any of a myriad of things you would rather not get out into public or potentially be used against you?

Re:What does this mean for eavesdropping?

[99BottlesOfBeerInMyF]

In other words, live a good clean life, ignore outside influences, pay your taxes on time and you will have little to worry about; Like me :)

In other words, be completely boring, never upset the status quo, never fail to kow-tow to any government officials you meet (just in case) and be insignificant enough to escape notice and you're fine. Yeah, great plan. You'd do just fine as a serf in medieval europe too.

Who cares if the lord can fuck you in the ass whenever they want, so long as you are ugly and unimportant they won't bother.

Re:What does this mean for eavesdropping?

[TheSkyIsPurple]

So, let's say you're chatting with a friend, and he mentions how bad he things random wiretapping is.
That gets flagged as a potential terrorist conversation.
Since he's talking to you at the time, you both get investigated.
They find out that that one weird cousion of yours recently travelled to Italy, and by concidence a known terrorist contact was also in Italy.
You now look like the perfect cover, and warrant a REAL investigation... ie, asking your neighbors and employer questions.
Since they've been asked, and "they wouldn't be asking if there wasn't something to worry about", you are now suspected by your neighbors.
So, they've talked to you boss as well, who recalls that you were late coming back from lunch awhile back. (You're wife's prenatal checkup ran a little long) That story checks with the gov't, but they, naturally, never call your boss back to tell him.. so he's now a little suspicious.

You can't guarantee none of this could ever happen. (And you know the old byline... with the government, any possible abuse is a guaranteed abuse at some point. Do you want to be THAT guy?)
However, if they didn't pick up on the original conversation, that completely removes the most probable vector for something like this happening.

This sounds like a really good idea

[Freaky+Spook]

Except anyone who uses one would probably be labelled a terrorist.

Re:This sounds like a really good idea

[Opportunist]

So label me.

I'm willing to defend my freedom to death. If necessary, against my government.

And I bet, the US founding fathers would be proud of me.

Re:This sounds like a really good idea

[BkBen7]

[blockquote]"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God! I know not what course others may take; but as for me, give me liberty or give me death!"[/blockquote]

Virtually unbreakable?

[foundme]

I think it's asking to be broken, and I bet it will be.

Re:Virtually unbreakable?

[Stellian]

Vanilla Diffie-Hellman is susceptible to man in the middle attacks because it provides no authentication.
The only way to have true security is to cache the public key of the other party on first call (a la ssh), or better, to have the phones exchange keys through IR when they are placed one next to the other.

Useless

[cerberusss]

While transmission does get somewhat delayed, communication is secure.

This is of course useless for phone sex.

Me: "So, what are you wearing?"
Gf: "..."
Me: "What are you wea*"
Gf: "A hot small negli*"
Me: "Sorry, please continue"
(...)
Gf: "A hot small neglige and nothing else"
Me: "*grunt* and then?"
(...)
Gf: "I didn't hear you. What did you say after then?"
Me: "Uh nothing, I was just asking, what do*"
Gf: "Is this thing on? Oh wait now I hear you. Can you repeat?"
Et cetera.

Re:Useless

Or:

GF calls.

GF: Hi, could you..
BF: Wait! Read the hash to me on the screen.
GF: but..
BF: someone might be doing a man-in-the-middle attack. just read the hash.
GF: *sigh* [reads long string of numbers]
BF: 8? did you say 8? not A?
GF: No. AAY! Like APPLE.
BF: Oh, phew.
GF: *sigh*
GF: now, could you pick up some milk?
BF: okay.
GF: *sigh* bye.

unbreakable?

[legallyillegal]

virtually unbreakable 128-bit key,

isn't WEP also 128 bit?

Re:unbreakable?

[Bromskloss]

isn't WEP also 128 bit?

WEP isn't insecure due to its 128 bits, but due to other problems. As I understand it, anyway.

Feasibility for US Market?

[oostevo]

This may sound like an asinine question, I know, but I don't have much experience with cell phones at all.

Since this cellphone is made in Switzerland, a country that presumably has differing cell phone communication standards than the US does, is it possible to buy and use this cellphone in the US with a normal US carrier? Or would we have to wait and hope for a company to build something similar for the US?

Thanks, and sorry for the ignorance.

Re:Feasibility for US Market?

[Bromskloss]

is it possible to buy and use this cellphone in the US with a normal US carrier?

I think so, at least one of their phones. That one uses the three bands 900 MHz, 1800 MHz and 1900 MHz. The former two is used in europe (during a call the phones switches frequency bands depending on which one gives the best connection, or something similar), while the latter is used in USA (among other places, I think). That indicates that it is possible to use it in the states too.

Re:Feasibility for US Market?

[ajs318]

Not quite. The 900 and 1800MHz bands are used by different service providers. In the UK, 900MHz is used by Vodafone and O2, and 1800MHz is used by Orange and T-Mobile. Before the advent of the venerable Nokia 3210, most phones were single-band and were built using two PCBs: one for the main processor, audio circuitry, keypad and display, and one for the RF stuff {which would be made in 900 and 1800 versions and the phone assembled accordingly}. The 3210 used a single PCB capable of doing both RF bands. The cost saving associated with the single-board design {no expensive multiway connectors, and a better process hit rate} outweighed the cost of the extra components.

A phone connected to a base station will always us one or the other band. But within each band there are several channels; the phone and base station automatically select the best channel continuously throughout a call {if another subscriber disconnects and the channel they were using is better, your conversation will switch to that channel}. The whole process is kept seamless because both phone and base station change at the same time, between data packets.

What about authentication?

[marsvin]

DH is a way to exchange an encryption key over a public network, but it doesn't tell you who you are talking to. GSM calls are never point to point, so there is always a "man in the middle".

I'm not saying it's necessarily snake oil, but the lack of any details certainly doesn't inspire any confidence.

Re:What about authentication?

There are several known ways of defeating this for DH key agreement. The simplest is to display a hash on both ends. Talk to each other. If you recognize the voice on the other end and the hashes match, you're golden. Dead simple, low tech, and reliable. Also, tough to fool.

Re:What about authentication?

[Stellian]

First, you can recognize your peer's voice. As for the man in the middle, for real time, voice conversation, the delay would be too big to go undetected.

Funny guy.
Just in case you were serious, a MIM attack against this phone would tap in the data path with 0 delay, there is no need for an actual "man" in the middle. Eve makes the key agreement with both Alice and Bob (different keys), and then decrypts and re-encrypts the data stream on the fly.

Re:What about authentication?

[bananaendian]

it doesn't tell you who you are talking to. GSM calls are never point to point, so there is always a "man in the middle".

ah, but this point was made well with Zimmerman's Zfone - you do the authentication yourself by having a conversation with the person on the other end and determining if he is the person he claims he is. Relying on complex certificate authorities and key management schemes makes most secure communications systems unfeasable - the old usability vs. security paradox.

Additional security and integrity is ensured by a calculated HASH checksum that is indicated on the display

and it seems you also stop Man-in-the-Middle attack similarly as in Zfone, by being able to read and confirm the hash checksum with the person you're talking to...

Re:What about authentication?

[ajs318]

This is how it's supposed to work: Alice calls Bob. Bob answers. Alice generates a key pair and sends one of the keys to Bob, keeping the inverse. Bob also generates a key pair and sends one to Alice, keeping the inverse. Alice encrypts everything she sends against the key she received from Bob. Bob decrypts it using the inverse key he generated. Bob sends everything to Alice encrypted against the key Alice sent him. She has the inverse key and can decrypt everything Bob sends.

All clear now? Well, this is how it might work in practice, with a malicious interloper we'll call Mallory:

Alice tries to call Bob. Mallory intercepts the call, pretending to be Bob; gets the key Alice sends, and in return sends her a key {which Alice thinks is from Bob}. A fraction of a split second later Mallory places a call to Bob, pretending to be Alice, and sends Bob a key. Bob thinks Mallory's key is really Alice's key and sends a key to "Alice". Whatever Alice says is encrypted against the key sent to her by Mallory, who -- having the opposite key -- can decrypt it, re-encrypt it against the key which Bob has, and send it on to Bob. Mallory has a nice, fast computer that can do decryption and re-encryption in real time; in reality, it only has to be twice as fast as the processor in either of their telephones. Whatever Bob says is encrypted against a key sent to him by Mallory, who can decrypt it and re-encrypt it against Alice's key. Mallory has both sides of the conversation, in the clear, and neither Alice nor Bob are any the wiser.

Re:What about authentication?

[jthill]

Fortunately, you're wrong.

The crucial requirement is that you can verify your partner's identity regardless of the security (or lack thereof) of the current conversation. Recognizing something unforgeable about them will do it: their voice, in this case.

This works because, in order to establish communications at all, each party has to split a secret:

AB' <—> A'B

A' being the public part of Alice's one-time key, B' Bob's. AB' can be used to generate the same key as A'B: each end is using the other's public part to share the key being used over that channel. Here's the thing: B' is already public. So, Alice's phone simply shows it to her, and she reads it aloud over the supposedly secure channel.

Now: if there's a man in the middle, Alice is really using AM', and Bob is really using BM'. Which means that when Alice reads it, Bob can tell that it's her voice, and she's not using what he sent her. So the man in the middle's screwed: if he doesn't pass along B' to be used in the conversation, he'll be detected. If he does pass it along, he won't be able to eavesdrop.

There are simplifications in this description, and they leave vulnerabilities that you can spot if you think hard enough. But if you're thinking hard enough to spot the vulnerabilities, extending the idea to cover them will be easy.

Man in the middle

[nfarrell]

Just in case you didn't RTFA, the phone displays a hash on the display. As long as you read this one to whoever you're talking to, you more-or-less foil a man-in-the-middle attack.

I'm more worried about the proprietry algorithm for the encryption, and how it's implemented. Any conspiracy theorists will still think there's a back door for the government (or swiss secret service?) to listen in.

Anyone with anything really important to say would use GPG on an MP3 and maybe a lashing of stenography on top.

Why not get one from cryptophone.de?

[fe105]

Cryptophone is a company that has been making phones like this for some time already.

They employ some of the smartest crypto people, use well-known algorithms and publish their sources so you can check them yourself.

Some points...

[Kaptain_Korolev]

Reading the comments made me cringe, so here goes....

Some points;

- 128 bit keys are probably good enough, depending on the nature of the conversation. Diffiehellman generates a per-session master secret. To this you would then apply a KDF ( Key Derivation Function ) in order to produce your session key for use with your symmetric cipher, most likely AES or 3DES, maybe even TwoFish. A new master secret is generated every time you make a call, hence the session key changes per call, this is UNLIKE your WEP key, which is constant or one value selected from a set. The consequence of this is that although it is practical to break an 128 bit symmetric key, it is NOT practical to do so in the time interval in which the call is taking place. Hence the encryption applied is strong enough for protecting calls in the short term, although if someone captured the call they could possibly decrypt it at a later date.

- GSM does feature limited cryptography. Unfortunately, and rather amusingly this encrypting is only carried out on radio traffic. Once the data reaches the base station / cell, it is sent in the clear around the cable cellular netork's backbone infrastructure.

Re:need to ask Bruce on this one..

[Havenwar]

Uhm... you should realize the pin code is on the phone, securing access to the crypto functions of that specific phone... if you want to listen in without being a part of the conversation you will still have to break the session key.

Re:need to ask Bruce on this one..

[bananaendian]

The pin number is something you input on the phoneset to get physical access to the crypto software. It has nothing to do with the over-the-air encryption.

Its a good as your surroundings

[rf0]

This is all great but can you trust the person sitting next to you on the bus? The stranger behind you? How many of us have eve's dropped on other peoples conversations?

Big question is

[danceswithtrees]

Does it work with a foil hat?

Can you hear me now??

[ghoul]

Verizon Guy: Can you hear me now?
NSA analyst: No

Re:Can you hear me now??

[ArsenneLupin]

Which in NSA speak means, yes... most definitely.

Obviously.

If he truly hadn't heard the Verizon guy, he wouldn't have answered anything at all, hehe.

Re:Can you hear me now??

[pyite]

Now if there were just a handful of these cell phones being used, the NSA could (probably) handle that and decrypt them.

It's unlikely they could. Assuming the key exchange works properly, and assuming they're using a known good algorithm (such as Rjindael aka AES), the NSA has no shot. Assume they use AES. Default is 128 bits and 10 rounds. Then the following little blurb from Apple's website applies:

AES gives you 3.4 x 10^38 possible 128-bit keys. In comparison, the Digital Encryption Standard (DES) keys are a mere 56 bits long, which means there are approximately 7.2 x 10^16 possible DES keys. Thus, there are on the order of 10^21 times more possible AES 128-bit keys than DES 56-bit keys. Assuming that one could build a machine that could recover a DES key in a second, it would take that machine approximately 149 trillion years to crack a 128-bit AES key.

(To put that into perspective, the universe is believed to be less than 20 billion years old.)


Now, that assumes you can crack a DES key in a second. The fastest successful crack by Deep Crack was just shy of 24 hours, or, 86400 seconds.

Re:Can you hear me now??

[rossifer]

The NSA does not need a back door with 128 bit encryption they can attack it head on.

2^61 / 2^59 = 2^2 hours or 4 hours to crack 128 bit inscription.

Something's not right...

PS: Now this is a vary low ball estimate. I was just pointing out that they could crack 128 bit encryption. However, if you use 2 * 128 bit primes to make a 256 bit key your probably safe, unless they found new math to make cracking such key's easy.

Ah. I see the problem. You're confusing public key encryption and single-key encryption. Nominal key lengths for public/private key systems is 4096 bits not 128-bits. In RSA, 4096-bits is believed to be almost as secure as 128-bit IDEA. Nobody does 128-bit public key encryption. Factoring a 128-bit number to two primes is solvable with modern PC's in hours. No 10k CPU supercomputer needed.

Assuming a known plaintext brute-force attack against 128-bit IDEA, on average, you'll find the key after searching half of the keyspace. So you'll have to test 2^127 keys.

Now, lets assume for the moment that the NSA does have your 10k CPU "16 billion complete key tests per second". So they can test 2^54 keys per second. 2^127 / 2^54 = 2^73 seconds. At 2^25 seconds per year, that's a mere 2^49 years, and since the universe is about 2^34 years old, that's only thirty two thousand times as long as the universe has been around.

That's a long time. A little longer than four hours. And a specialized CPU that can completely encrypt 2 billion blocks with different keys per second (let alone 8 pipelines in one chip) is thousands to millions of times faster than current state of the art hardware. Sure the NSA has stuff better than can be found on the market. But not that much better.

The new math is definitely still a threat. Actually, that's the threat against 4096-bit public key encryption, but with the UK government making such a squawk about giving up keys, I'd say they haven't cracked it yet.

Regards,
Ross

Sectra Tiger

[martingunnarsson]

A Swedsh company called Sectra has made secure cellphones for years. Their latest model is the only cellphone certified to the security level NATO SECRET by NATO.

http://www.army-technology.com/contractors/navigat ion/sectra/

Re:Are people really this paranoid?

To paraphrase the saying, "it's not paranoia if you're actually being watched."

The reason to encrypt is not to make it impossible for investigators to hear you -- because, as you said, they can bug you in some other way. The reason is to make it impractical to do widespread monitoring of innocent people. When all calls are encrypted, investigators have to do a little actual work to bug a call, so it's impossible to instantly tap all the innocent callers as they'd like.

And if you've been following current events at all, you'll notice that a large portion of America isn't nearly as "paranoid" as it should be.

Regular-use crypto

[Shadows]

This seems like a neat little gizmo but I doubt I'll be able to convince my girlfriend, father, sister, friends, etc. to buy one too -- so the encryption feature would actually do something. As nice as the idea is, you still need two of these phones for it to work.

There's a parallel problem with GPG or the like. Since very few people have or want to use it, sending unencrypted e-mail is the only way to communicate with most of the world.

This phone is worse than that, though, since I can download GPG/cyrpto-software-of-your-choice and even install it for someone and show them how to use it -- but I'd have to persuade them to spend money on new hardware (and then convince them to actually use it with the crypto on!) in order to use the features of this phone.

Apathy/Laziness: 1
Discerning Citizens: 0

Re:Cryptography?

[lawnjam]

You assume wrong; the encryption is end-to-end. It will be pretty easy for anyone eavesdropping to tell you're having an encrypted conversation though. And the eavesdroppers can still tell where you are and what numbers you are calling...

Nice

[hummassa]

Not only you are Anonymous, but these were spoken like a true Coward!!!!

Re:Are people really this paranoid?

[meringuoid]

if you want to stop the government listening in to your conversations then you're out of luck anyway , since they'll just bug you some other way.

It's far, far easier for the government to bug all the phone lines (as they're currently doing, I might add) at a central point, and then plug in to someone's conversations at will. If you're using an encrypted phone, then Echelon / Carnivore / AT&T / Dubya's Latest Secret Illegal Wiretap can't listen in. The government have to break in to your house, take a screwdriver to your phone and physically bug the thing.

Can the government spy on everybody by bugging the telephone exchange? Yes, easily, and they're doing just that. Can the government spy on everybody by secretly bugging every last individual phone? No, it would be prohibitively expensive. Have the NSA burgle every single house individually and fiddle every single phone? Impossible.

Encrypting phone calls makes it enormously more expensive and difficult for the government to spy on you. That's got to be a good thing.

How about backdoors

[Aceticon]

I vaguelly remember some investigatory documentary on Discovery or some other such channel where they were investigating how information on a bid by an European company for the rights to explore an oilfield somewhere in Asia had been intercepted by NSA and provided to the competing US companies.

The interesting (not to mention relevant) detail here is that they (the Europeans) where using a supposedly safe mobile phone (made by a Swiss company i believe) which turned out to have a backdoor that allowed NSA to decrypt the calls.

Why should we expect these guys to be any more honest than those other ones where (assuming they're actually not the same ones)?

As i see it, the best way to make sure you have a backdoor free safe phone is to have a generic open-mobile solution, a bit like a mini-PC but for a mobile phone, with an open communications API that allows development and deployment on such a mobile of software which provides the safe communications.

As long as the encryption layer is implemented by the provider and cannot be checked by any independent 3rd party, there is no guarantee whatsoever that it ain't filled with backdoors/weaknesses put there on purpose to allow the sig-int agencies (of one or more countries) to be able to spy on calls made via those mobile phones.

Concerns over privacy at all time high?

[ambrosen]

Really? I'm not aware of any particular events that are going on at the moment that would make people especially worrried about privacy.