Slashdot Mirror


Italian Phone Taps Spur Encryption Use

manekineko2 writes "This article in the NYTimes discusses how a recent rash of high-profile mobile phone taps in Italy is spurring a rush toward software-encrypted phone conversations. Private conversations have been tapped and subsequently leaked to the media and have resulted in disclosures of sensitive takeover discussions, revelations regarding game-fixing in soccer, and the arrest of a prince on charges of providing prostitutes and illegal slot machines. An Italian investigative reporter stated that no one would ever discuss sensitive information on the phone now. As a result, encryption software for mobile phones has moved from the government and military worlds into the mainstream. Are GSM phones in the US ripe for a similar explosion in the use of freely available wiretapping technology, and could this finally be the impetus for widespread use of software-encrypted communications?"

36 of 176 comments

  1. Nice thing by crunzh · · Score: 5, Interesting

    It would be really nice if that came standard in cellphones (probably just an empty dream). But maybe a plugin for Windows Mobile and Symbian handsets could be possible.

    --
    Visit http://www.crunzh.com/ for free software. Mac/Lin/Win
    1. Re:Nice thing by cl191 · · Score: 2, Interesting

      I don't really know much about voice encryption, but do the regular "dumb" phones even have enough power to do voice encryption?

    2. Re:Nice thing by tronicum · · Score: 2, Informative

      Just use a cryptophone or their free Windows Software.

    3. Re:Nice thing by crunzh · · Score: 2, Interesting

      The dumbest phones probably don't, but for example the recent Nokia smartphones are pretty widespread where I come from and they should have the power to do it. Heck, they can do video calling, so why not encryption of regular calls?

      --
      Visit http://www.crunzh.com/ for free software. Mac/Lin/Win
    4. Re:Nice thing by smilindog2000 · · Score: 4, Informative

      Software or hardware encryption of streams using ARC-DROP(768) seems plenty secure for real world applications, and the inner loop is only about 10 lines of code to process 1 byte. At voice speeds, your average $0.25 microcontroller should have plenty of horsepower, so long as it's got 256 bytes of RAM. I've built a simple file encryptor at tinycrypt.sf.net based on it. Let me know if you find any bugs!

      --
      Beer is proof that God loves us, and wants us to be happy.
    5. Re:Nice thing by squiggleslash · · Score: 2, Informative

      Yes, all GSM phones since the Motorola International 3200 (the first) do encryption. It's part of the spec.

      The problem is that the algorithms have always been less than ideal due to government paranoia. And sometimes it's switched off. And it's not end-to-end, it's just handset to basestation/basestation to handset.

      It's still hard to tap a specific GSM phone by pulling signals from the air, but it's obviously easier than it should be.

      --
      You are not alone. This is not normal. None of this is normal.
  2. Companies first by sckeener · · Score: 2, Interesting

    I doubt it'll break into the public domain any time soon.

    Here at Chevron we encrypt our Blackberries, both on the unit and during transmission. If the Blackberry is lost, the data is safe because of the encryption.

    I don't see it happening for the public unless the carrier provides the service and then wouldn't the government just request the carrier to give them access?

    --
    "Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain
    1. Re:Companies first by Dr_Barnowl · · Score: 3, Informative

      If the carrier is just that, a carrier of data, it doesn't matter what the carrier does, you can establish an encrypted link without its involvement beyond moving the data.

      Making the carrier the sole means of key exchange would be the only way to give them access (they could perpetrate a man-in-the-middle attack). But if you are able to meet physically with your call partner, or exchange keys through an alternate secure medium, the intermediary would have no cheap means of intercepting.

      Only one-time pads are unbreakable, and using one-time pads makes key exchange *much* less secure. But public key methods are enough to make it very hard to break a single transmission. Programs like ECHELON would be utterly stuffed.

      And of course, if you have a mobile data plan with more than a few kBit/s of bandwidth, this is entirely possible now, as demonstrated by these Italian chappies.

      Blooming heck though - $410 for their SMS encryption package and $2,200 for the voice version. I'm willing to bet that even with patent licensing, the per unit cost is very small. I could probably write Windows Mobile software to do encrypted SMS in a day or so, and I'm no encryption whiz.

    2. Re:Companies first by Dr_Barnowl · · Score: 2, Informative

      To confirm this, I was able to find two suppliers of encryption software for SMS in the UK.

      http://kryptext.com/faq.html
      This downloadable product (£6.99 per phone) can't be very secure, as the manual has no key exchange protocol in it. I suspect that it uses hashed data to derive keys (or has a fixed key), probably phone numbers. It's very cheap, and certainly sufficient to hide data from your spouse, but a determined assault on their algorithm will probably open it up like a book.

      http://www.emosecure.com/
      This one is SIM-dependent, and while users can exchange keys, it looks like they are symmetric (all users in a group share the same password), which means you only have to compromise one key to read all messages, and key exchange is a weak link.

      Alas, I don't read enough Italian to discover what kind of protocol the Caspertech solution uses, so perhaps someone can have a look and enlighten us.

  3. Italy & US by Anonymous Coward · · Score: 3, Informative

    Under US law, such a tap is illegal. There are some encrypted channels for cell phone conversations in America, but they have been mostly phased out because of the lack of consumer demand. In the US, such a tap is illegal. Even if such inflammatory behaviors were discovered, the person who did the tap would not disclose it as it would highlight personal illegal activities. Note that there is nothing that the technology is doing to prevent it.

    On the other hand, wireless phones in the US typically do use encryption because they operate in the same frequency range as other devices (cell phones have their own dedicated frequency range). When baby monitors started picking up the conversations down the street, people took notice.

    1. Re:Italy & US by jonwil · · Score: 4, Informative

      I believe the GSM standards actually mandate encryption. However, such encryption isn't going to do very much to protect you from wiretaps if the wiretapper has the permission from the carrier.

      OpenMoko (or other communications platform with open software) + VoIP + AES encryption + Diffie-Hellman (or use RSA and public key cryptography) is the solution if you REALLY need to keep your stuff secret.
      Even the NSA doesn't have enough computing power to decrypt THAT. And, the same solution could run on a PC or anything else with enough CPU power.

    2. Re:Italy & US by el_flynn · · Score: 3, Insightful

      Even the NSA doesn't have enough computing power to decrypt THAT

      Yes, of course. Until you realize, at the end of the conversation, that the NSA's already bugged the room you're talking in.

      --
      The Wknd Sessions - Malaysian and South East Asia independent music
    3. Re:Italy & US by gambit3 · · Score: 2, Interesting

      Actually, the GSM standard DOES mandate the ability to tap cell phone conversations at the network provider level. I should know. I worked for 6 years for a GSM network equipment maker, and I was actually part of the team that tested the functionality of this "feature". It is called CALEA, and it will record not only every detail of the call, but even every button pressed during the call. And it was completely transparent to both ends of the call. That was one crucial aspect of this "feature" that was tested for.

    4. Re:Italy & US by mpe · · Score: 3, Interesting

      I believe the GSM standards actually mandate encryption. However, such encryption isn't going to do very much to protect you from wiretaps if the wiretapper has the permission from the carrier

      The encryption is only between the handset and basestation. If people have the ability to make "legal" taps it wouldn't even help with a call between two phones connected to the same basestation.
      You'd need end to end encryption which would also require you to establish a "data" call, which could well be charged differently from a "voice" call.

    5. Re:Italy & US by anothy · · Score: 2, Interesting

      CALEA is a US-only term; the more generic industry term is Lawful Intercept; while CALEA is reasonably representative and your comments hold true for every Lawful Intercept regulation i know anything about, the specifics vary by jurisdiction. this is a current issue for folks looking at deploying WiMAX services/networks, my current area of focus. it's a major hassle, and once you offer a plain data pipe as a service option, it's futile, since genuine "bad guys" can simply employ end-to-end encryption and bust the whole theory.

      --

      i speak for myself and those who like what i say.
  4. Re:Key Exchange? by jez9999 · · Score: 4, Interesting

    Why would it be a problem? Only private keys can be used to decrypt data. Unless you were concerned about the man-in-the-middle just rewriting the data to say something else, but it's hard to imagine how they'd do that to a live voice conversation.

  5. Re:Key Exchange? by jrumney · · Score: 4, Informative

    It's a fundamental feature of public key encryption that public keys can be exchanged in the clear without compromising security.

  6. Worried now? by Baavgai · · Score: 3, Interesting

    An Italian investigative reporter stated that no one would ever discuss sensitive information on the phone now.

    Why on Earth would you ever discuss sensitive information on the phone before? There's always been phone tapping tech. It's only the laws for that technology's usage that protected anyone from it. You never say anything on the phone that you wouldn't say to a cop. If you don't know that rule, you're a pretty inept criminal.

    1. Re:Worried now? by ianezz · · Score: 2, Insightful

      Why on Earth would you ever discuss sensitive information on the phone before? There's always been phone tapping tech. It's only the laws for that technology's usage that protected anyone from it. You never say anything on the phone that you wouldn't say to a cop. If you don't know that rule, you're a pretty inept criminal.
      • by no means discussing "sensitive" information does imply underlying illegal activities (even if it is the case sometimes);
      • there are a lot of details everyone would tell a cop if requested to, but would not reveal in a public place. Having the cops hearing your business plans is not the same as your competitors hearing them.
      • also you can rightfully expect the cops not to reveal your business plans to your competitors even after.

      As low as it may be, there still is some expectation of privacy on the phone (that's why wiretapping is regulated by a law): unfortunately even that low barrier has been broken in a quite spectacular way, so people now are outraged and asking for end-to-end encrypted phones, since they can't trust the phone company (the tapping apparently was done by insiders at the phone company...).

  7. It does! by bWareiWare.co.uk · · Score: 3, Informative

    http://en.wikipedia.org/wiki/A5/1

    It can be broken, but considering the power of early GSM handsets this was quite an effective system. One of the major factors driving G2 (digital) phones was the ease of eavesdropping on the old analogue G1 network.

  8. Not Gonna Happen in US by gambit3 · · Score: 4, Insightful

    Quite simply, one of two things would prevent encrypted cell phones from becoming successful in the US:

    1. The government would simply make it illegal (don't want to give the terrorists any new tools).

    2. The government would require a backdoor be built in by manufacturers, defeating the purpose.

    1. Re:Not Gonna Happen in US by h4ck7h3p14n37 · · Score: 2, Interesting

      I work for a telecom provider (mostly hosting of SIP apps) and we are not required under CALEA to provide access to law enforcement. Rather, the telco carriers that _we_ use, like AT&T, Qwest, etc. are required to provide access. What that means is that we could offer customers a VPN connection to our network, give them a soft-phone and ensure that their SIP traffic remains encrypted. You'd probably have to do SIP to SIP since I don't know how you'd encrypt the PSTN leg of the call.

      Cell phones would be tricky to encrypt since you'd have to run specialized software on the phone. For fixed stations it would be trivial. Set up SIP gateways on both ends, connect the gateways using a VPN and use either a hardware or software based SIP phone. The two parties would then need to physically exchange the encryption keys needed for the VPN. In this sort of arrangement CALEA would not apply and law enforcement would not be able to demand access to the network traffic.

      I currently have access to all the necessary software and hardware, but simply haven't had the time to set up an experimental system like the one I described. This sort of system has been technically feasible for over a decade. Perhaps I should start selling all-in-one packages?

  9. For a very long time by kilodelta · · Score: 3, Interesting

    Law enforcement has had the ability to tap in and monitor cellular communications.

    In the days of AMPS and NAMPS it was a piece of cake. Friend of mine worked in IT for the local PD and was able to get a scanner that wasn't 800-900 blocked, and a little card and software for the computer that allowed us to follow calls as they went from cell to cell.

    CDMA and GSM just throw a little wrinkle in.

  10. Re:Key Exchange? by jimstapleton · · Score: 2, Interesting

    In certain situations, a phone might have a bit of 'echo' (the receiver picks up a bit from the speaker). How much of a help could this echo be, in conjunction with a public key, to help identify the private key?

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  11. GSM encryption is not all that trivial by iceco2 · · Score: 3, Informative

    Though in the academic circles serious flaws with GSM encryption
    have been found, they are still not all that trivial to implement.

    The main work on attacking GSM in a practical scenario was done by
    Elad Barkan with the help of Eli Biham and Nathan Keller.

    To briefly explain the security, you must notice there are different variants of
    GSM encryption, the weak one being A5/2, and A5/1 and A5/3 being considerably stronger.

    Breaking A5/1 in a passive attack requires a significant amount of precomputation and storage;
    though one could buy that off the shelf, I find it unlikely any private citizen will set up
    a cluster of two dozen computers to crack GSM for the fun of it, though obviously a large
    evil corporation or a small company would easily have the resources.

    An active attack could convince a cell phone to use A5/2 even if it prefers A5/1 or a different variant;
    this requires more specialized equipment and it is easier to catch the attacker as he must be sending out
    radio signals, which may also interfere with normal cellphone traffic.

    This is just to put the threat into proportion:
    your own government can wiretap without breaking encryption.
    A serious enemy can probably muster up the resources to wiretap by breaking GSM encryption,
    but your next door neighbor will probably find it extremely difficult to listen in on encrypted GSM cell
    phone traffic.

        Me.

    1. Re:GSM encryption is not all that trivial by mobileTen · · Score: 3, Interesting

      An attack is very simple. You need to implement a Man in the Middle Attack. All you need to do is have your own base station. Low power base stations are becoming cheaper, even to the extent that they are being put into aircraft. There is no authentication under GSM of the base station. The base station can switch encryption on and off between the base station and the phone. The phone will not warn you that encryption has switched off! Therefore to eavesdrop on a phone, when you can not get a tap at an exchange you need to buy yourself a small portable base station (getting cheaper all the time), follow your victim, and listen.

  12. Re:Key Exchange? by d3ac0n · · Score: 4, Informative

    We seem to have a fundamental misunderstanding of PKE here.

    Person A wants to talk to person B using encryption.

    A sends B his public Key, B sends A her public key. They each then use the combination of the other's public key and their own private key to encode and decode messages to and from each other.

    Let's say A goes to send B his key, but it's intercepted by C, and C sends B a modified key (man in the middle attack). Then B will not be able to initiate communication with A because the key won't match. This is how and why PKE works. If it was possible to capture and send a modified key and have the conversation still function then PKE wouldn't be very useful, would it?

    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
  13. Voice encryption made easy by Anonymous Coward · · Score: 3, Funny

    I'veway eenbay usingway oicevay encryptionway orfay earsyay.
    It'sway easyway andway otallytay onfusescay anyway
    eavesdroppersway.

  14. Re:Your parent is talking about the issue of trust by jrumney · · Score: 3, Insightful

    Clearly you don't want a central agent (like a CA) be in control of trust, because the problem here is the central control over encryption in the 1st place.

    A CA is not in central control over encryption. They are only in control of authenticating keys. The only way they can subvert the encryption process is to issue matching (in details, but not in keys) certificates to you and the man in the middle. If they were to do this, it would be detected quickly, and their reputation as a trusted CA would suffer.

  15. Are the solutions open source by Aceticon · · Score: 2, Insightful

    Is the encryption software open-source?

    If not, how do we know that it doesn't have a back-door?

    And if it does indeed have a back-door, how can people ever be sure that the "wrong" people (definition of "wrong" depending on the user) will not intercept and decode the communications using said back-door?

    In this world of powerful Intelligence Agencies, any kind of communications security software/hardware which is not at the very least peer-reviewed is bound to have some sort of backdoor.

  16. Re:Key Exchange? by morgan_greywolf · · Score: 2, Interesting

    Easy. Do what SSH does. Cache the public keys with the address (phone #, in this case). You accept the public key the first time it's used, and if a different public key is presented for a particular caller or recipient, you get warned that something funny is going on. The only difference being while SSH will outright refuse to connect to a key that's changed from the cached key, you would probably make the phone simply inform the user that the caller gave a different public key this time. It's up to the user to verify if this call is not subject to a MITM attack.
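
The SSH-style key caching described in the comment above, as an added example that is not part of the original thread: a handset-side cache pins the first public key seen for a number and reports a later substitution instead of silently accepting it. The toy Diffie-Hellman group, the `KeyCache` class and the phone number are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, chosen only so the example runs offline with the
# standard library: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_secret(priv, peer_pub):
    """Derive the session key both ends should agree on."""
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).hexdigest()


def fingerprint(pub):
    """Short digest a user could also read out over a second channel."""
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16]


class KeyCache:
    """known_hosts-style store: phone number -> fingerprint of the pinned key."""

    def __init__(self):
        self.pins = {}

    def check(self, number, pub):
        fp = fingerprint(pub)
        pinned = self.pins.get(number)
        if pinned is None:
            self.pins[number] = fp      # first contact: trust and remember
            return "first-use"
        if pinned == fp:
            return "match"
        return "changed"                # keep the old pin; the user decides

    def accept(self, number, pub):
        """Re-pin only after the user verified the new key out of band."""
        self.pins[number] = fingerprint(pub)


def simulate_calls():
    """Three calls from A to B's number; the third one is intercepted by C."""
    number_b = "+39 000 0000000"        # constructed placeholder number
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    c_priv, c_pub = dh_keypair()        # interceptor's key pair
    cache = KeyCache()                  # lives on A's handset

    results = [cache.check(number_b, b_pub), cache.check(number_b, b_pub)]

    # Intercepted call: A is handed C's public key in place of B's.
    results.append(cache.check(number_b, c_pub))
    a_key = dh_secret(a_priv, c_pub)
    return {
        "results": results,
        "pin_unchanged": cache.pins[number_b] == fingerprint(b_pub),
        "a_shares_key_with_c": a_key == dh_secret(c_priv, a_pub),
        "a_shares_key_with_b": a_key == dh_secret(b_priv, a_pub),
    }


if __name__ == "__main__":
    print(simulate_calls())
```

The cache only helps from the second call onward: a key substituted on the very first call would be pinned as genuine, which is why the first fingerprint still needs checking over a separate channel.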

  17. Get a CryptoPhone by mwilliamson · · Score: 4, Informative

    It looks like a firm in Germany already offers an AES-256 bit encrypted mobile and POTS phone, as well as a softphone. Although their hard phones aren't cheap, the softphone is free to give to your contacts. http://www.cryptophone.de They also include source code for "full independent review" with their products.

    Similarly, Phil Zimmermann, the creator of PGP has released his Zphone to make encrypted VoIP calls. Also, the Asterisk project offers an encrypted IAX channel.

  18. Freely Available Wiretapping Technology? by blantonl · · Score: 3, Informative

    Are GSM phones in the US ripe for a similar explosion in the use of freely available wiretapping technology, and could this finally be the impetus for widespread use of software-encrypted communications?

    Unless I'm missing something, there certainly is not any freely available wiretapping technology for GSM phones and networks. There are a few vendors that sell very expensive GSM tapping and over the air capture devices and platforms, but they are extremely expensive and only for sale to authorized buyers (law enforcement, military, and feds).

    --
    Lindsay Blanton
    RadioReference.com
  19. What about Skype? by Bearhouse · · Score: 2, Insightful

    They claim that communications are end-to-end encrypted, although they don't publish the source code, so hard to verify for backdoors etc. They have a client available for mobile devices - you can then call from any hotspot. Free, too, unless you take or make calls to/from normal lines (which are then, of course, not encrypted).

    On another point, some of the posts here seem to be missing the point - the Italian wiretaps involved not just the state, but also illegal snooping done by powerful individuals, corporations and also the state phone company. It's not just the mobiles that were tapped, but land lines too. No point in having an encrypted GSM if you then use it to call a bugged land line...

  20. Public Key not spoofable; here's how: by KWTm · · Score: 2, Informative

    Wow, my head is still spinning after reading the flurry of comments in response to the sibling posts, and responses to those, ad infinitum. Maybe if I summarize stuff here, we can all get on the same page and move on. All the Public Key Encryption (PKE) problems have been addressed in systems like PGP/GPG and SSH, etc. I have to remember that not everyone is familiar with this, and the number of queries about "but wouldn't this or that be insecure?" is a reminder of the fairly substantial problems with which the crypto community has had to deal, and the elegant way in which they have done so. Sometimes I take it for granted.

    In short: public key exchange is not a problem, not even for man-in-the-middle, if you do it right.

    The parent poster said: public key exchange is a problem. People seemed to think that the "problem" in question was that public keys must be kept secret, and answered, "No need to keep it secret." A better answer might have been: "You MUST NOT keep it secret," and that would answer the comments about man-in-the-middle as well.

    People worried about man-in-the-middle note that the phone company owns the channel, and thus can intercept everything! But that's not enough for a man-in-the-middle attack (MitM attack, where attacker K intervenes in the conversation between A and B; K tells A that K is really B, and K tells B that K is really A, and relays the conversation). The key to breaking MitM is to recognize the additional condition for such an attack: the attacker must completely replace the messages from the sender with his own messages. Otherwise, either:
    • the attacker is only eavesdropping, but won't be able to get any info once sender and receiver start using encryption, or
    • sender and receiver realize that there is someone intercepting, and switch encryption or move to a different channel

    Thus, sender and receiver must prevent a MitM attacker from completely replacing all the messages. The way to do this is to exchange messages through more than one channel, at least in the beginning.

    With the usual PKE such as GPG over email, for example, the sender doesn't just send public keys to you and say, "Here's my public key; now let's talk." That's a foolish and insecure way to do it, and the importance of drilling this into the users' heads is the number one reason why GPG isn't that well-promoted: its proponents (rightly) prefer to have the system less popular but secure, rather than have some AOL weenie start using GPG improperly and getting a false sense of security.

    And, no, the way to make it more secure is NOT to send more data, like "Here's my public key and my photo. Now do you believe that it's my real key?" That would just be sending more data over the same channel. You need another channel.

    If sender and you have already exchanged public keys before, assuming it was in a secure way, then we're good, because the exchange was made in a previous conversation over which the MitM attacker had no control. That's an additional channel.

    But say they've never exchanged public keys before. Well, you can check if the sender has published the public key on some keyserver, or hopefully multiple independent keyservers. These would be separate channels over which the MitM attacker would have no control. The sender puts up the key (or has already put up the key) on the pgp.mit.edu server (for example) and has already checked that it had been uploaded correctly. Once it's published, no MitM can modify the key. Note that you just need any publicly accessible info source where published data cannot be changed, so you don't need to trust the keyserver as much as, say, a SSL Cert authority like VeriSign. The "keyserver" could be the local newspaper classifieds, for example.

    But let's say that there is no trusted key repository. What now? Well, if you have someone you mutually trust, who has a public key known to and trusted by you, and who knows and trusts

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  21. Re:Key Exchange? by RSquaredW · · Score: 2, Informative

    Backwards: C intercepts A's public key. Therefore C can send encrypted data to A. C then passes a modified key to B, allowing B to send encrypted data to C (and similarly for the opposite direction). If C intercepts one direction, but does not intercept the other, the attack may or may not be detected...but C can only read from the side that it has sent a modified public key.

    Sending someone a public key that decrypts YOUR transmission is Authentication, not Encryption. Key transmission must be done in the clear or PKE won't work by itself.

    --
    In accordance with E.O. 12958, this post is marked Unclassified.