80% of Cell Phone Encryption Solutions Insecure
An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)
yeah, i can hear you now.
The way people shout into their phones, you can hear what they say a mile away.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Oh, a lock just keeps an honest man honest?
What else is new?
Are you honestly surprised by this news? Having backdoors in cell phones is a de facto legal requirement for cell phone manufacturers.
News flash: if someone installs a trojan on your phone, then encrypting your call is insecure.
No sh*t. Don't let people install trojans on your phone.
Most of my cell calls are less than 10 minutes long.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Earlyclay itway isway upway otay ethay userway otay useway omesay otherway ormfay ofway obfuscationway
Call me paranoid, but I don't. Even wireless networks with WPA2. Too many ways they can be spoofed, or cracked, or hacked, or man-in-the-middle'd. But that's just me.
Cogito, igitur comedam pizza.
It's so efficient, not even my recipient can make out what I mean.
The Missile from France went down my pants, so I need you to dance and prance
"Are you breaking up with me?"
This tactic requires you to install software on the target's phone without their knowledge. That doesn't render the encryption faulty, it's just stealing the voice signal before it gets encrypted. I like this part from the vendor's web site: "$PRODUCT_NAME for iPhone is professional grade spy phone software that takes minutes to install on a jailbroken iPhone, and instantly starts sending data to a secure web account where you can log in and view records..."
This guy didn't break any encryption. He admitted up front he couldn't, except for some vague handwavy stuff about distributed brute force key attacks. Instead, he installed a trojan on the phone that records the phone conversation. He didn't even write the trojan. The awesome software he couldn't crack (the "20%") were "secure" because it was either different hardware his cool program didn't work for, or some older gear the program didn't run on. Phew! I'll make sure to buy those now that I know they're air tight.
Came for a cool story about breaking over the air phone encryption but all I got was a script kiddie installing software and making grand pronouncements to get pageviews.
100% of encryption is insecure, if you throw enough resources into breaking it. The real question is how much effort is put into the encryption (both human-hours developing the system, and cpu-cycles doing the math) vs how much effort the attacker can/will put into breaking it.
I'm guessing PhoneCrypt (just to pick one from tfa) is breakable if Eve has enough resources to spend, and is willing to spend them.
I am not a sig.
http://en.wikipedia.org/wiki/One_time_pad
One-time pad encoded messages look like total gibberish.
People eavesdropping on you, will think that you are just sending Twitter messages . . . total gibberish . . .
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
don't worry linux fags. you're still not as bad as that dick smokers over at the apple camp.
IMHO people should use malware / potentially unwanted program PoP and anti-virus software on their phones, problem solved.
I can't help but wonder which of the 3 remaining vendors Notrax was paid by to 'hack' the other ones...
As the title says.
Oblig: http://xkcd.com/257/
He might be able to trick someone into throwing a huge amount of money his direction because he proved something everyone knew already, using techniques that really don't prove all that much more than you can get a trojan on a phone, but most folks aren't buying it. The majority of software solutions for mobile devices tend towards being focused on blocking the "casual" hacker, for example, the friend who picks up your phone when you leave it out somewhere, or the phone you left in the coffee shop that the stranger who finds it might have something interesting on it (or might be good for some calls). That takes into account the typical use-case scenarios for a mobile device. Of course that stuff isn't going to block a trojan, because that comes down to the OS running on that phone having enough built in security to make it difficult for it to gain root access, or a virus scanner that runs on that phone (which is painfully hard on your battery life, and most people avoid that solution altogether) that keeps itself properly updated at all times.
> then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)
So it's an improvement, right?
So what if some geek listens in on my phone calls as they're recorded by big brother. I'm not dumb enough to say anything I want to keep private over a cel phone anyway. And I'm not even a drug dealer.
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
So we have a hacker that no one has heard from before, who uses a very obvious method (installing a local trojan by having physical access to a phone) and magically, the only product that detects that trojan happens to be made by someone who has been trying to sell a "cellphone trojan remover" before. The guy is named Winfried Hafner. And his company happens to have a nice PR agency lined up to point all the tech journals to that freshly set up blog of this cool hacker who is so much in love with his product. Google Winfried Hafner and Trojans, the whole thing smells of rotten fish...
I just posted the following comment on this asshole's website:
Your article is totally misleading.
You say that you managed to prove those products insecure.
Well, YOU DIDN'T. The intention of all the products you mentioned is to provide encryption
to protect you from someone intercepting your phone call. You didn't test any of this.
You just directly accessed the mic on the cellphone. Well, of course you'll get the audio!!
A little analogous situation to better explain what you did:
I will prove that this high security reinforced door is totally insecure. I'll get in the house through
the window. Oh No! It worked, I'm inside the house and I didn't even touch the door! Those doors
are Insecure!
That's exactly what you did. Those systems encrypt your voice. Your call is secure from interception.
If you knew anything about security, you would know this: Physical access is total access.
You had PHYSICAL access to the phone. Well, of course you were able to "crack" it. Guess what?
You could have manually connected the mic cables to an mp3 recorder for all I cared.
It's like saying "I am going to prove that this OpenBSD-based firewall is insecure, by connecting
to the machines behind the firewall directly with this ethernet crossover cable".
So, are you really that naive, or do you have financial interests in some phone crypto technology?
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Such a lame article. Wow.
That's a full 10% better than Sturgeon's Law predicts.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
Then they're not really solutions, are they?
So somebody could go to a lot of trouble to listen to me talk with one of my geek friends about the iPad or brazing bicycle frames, or audio design or some other totally boring topic that if it was at all interesting would show up on the net somewhere already. Lord help them if they want to listen in to a conversation with my or my wife's parents. I'd be bummed if I went to that much trouble for so little return.
Sheldon
Blah blah don't attack the encryption; attack how it's used! blah.
The World Wide Web is dying. Soon, we shall have only the Internet.
I'm not sure how much faith I have in this guy as a "security expert" when this is the second paragraph in TFA:
He comes within a whisker of implying that AES-256 will be breakable by distributed computing at some point.
If anyone knows what I'm putting on my pizza, I'm FUCKED.
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
and if it weren't for the summary here, you'd have no way of knowing that WTF he was reviewing. His article references "Voice Encryption," but nowhere does it mention that he's talking about software interception of cellular or mobile phones. From his description of Flexispy - "simply tap the microphone and it can be used in a wiretap mode to listen in to an active phone conversation or simply as a remote electronic bug for proximity eavesdropping" one might think that it's a hardware solution which wiretaps into the microphone. It's not. There is no "wiretap."
"National Security is the chief cause of national insecurity." - Celine's First Law
All these applications must run on the phones at both ends of the call, so recording it in the middle would be largely of no use if the exchange of keys was secure and the encryption was up to standard (256-bit AES). And the author acknowledged he couldn't break that encryption (and only speculated this was feasible with a distributed computing network.)
Hacking the device is the low hanging fruit was the point. Seems only a backdoor for the NSA/etc, in these applications would change that.
Okay, so with the right technology in the hands of the hacker, my cell phone has the same security as the old POTS line running into my house.
Pardon me if I don't freak out about it. For years all I've needed was a handset and a knife and I could listen in on peoples phone calls. This is still harder than that.
Sorry if I'm not concerned about something that's not ever been a problem for me or anyone I've ever known even though it has been trivial to do.
Yes yes, it's wireless and it's easier to hide, but guess what, once again I have to point out ... NO ONE GIVES A SHIT ABOUT WHAT YOU DO, YOU AREN'T THAT SPECIAL.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
You are at best uninformed and extremely hostile. Having problems installing linux huh?
Quit getting your information from Fox news and start checking out sites like the BBC and Al-Jazeera...or better yet read "The Shadow Factory" by James Bamford...the writer who broke the story about the existence of the NSA.
He painfully details the COMPLETE monitoring of all domestic and international landline, voip, sms/mms and e-mail communications...and all references are sourced by actual newspaper articles, journals or conference talks.
I know what you're going to say next...that you have nothing to hide. While I'm sure the feds could care less that you bought nunchakus over the web, once this monitoring capability trickles down to the state and local level this will be a valid concern.
Say you're a lawyer...forget about client confidentiality. Running for AG? Well the current attorney general will spy on you and get dirt on your affairs, pot consumption or whatever else he can use to KEEP HIMSELF IN POWER.
Local police will be free to use the same systems to keep cities in check, etc.
Due to the complexities of current laws (CA are you listening?) the average citizen commits several felonies a year without realizing it.
Your arguments are horseshit...
Even a novice with a little cash can purchase software, and if given physical access for 10 minutes, will own your phone. They will have access to all the data stored on it, your photos, your CC numbers, email, phone logs, and possibly even know where you are if you have a built in GPS on the phone. I have seen where the contents of the phone are compressed into an alternate stream of data in an MPEG4 video file and off loaded across the carrier network. If you think someone around you might be untrustworthy you might want to check your itemized billing records if you can get your hands on them. You may see data network usage you don't remember using. You may also notice your battery running low fairly quickly, or your phone getting warm when not in use. All these can be a clue.
That seems nonsensical. Each phone has both input (at the microphone) and output (at the speaker), so it certainly has unencrypted access to both sides of the phone call.
The trivial backdoors for the NSA would seem to be in the server rooms, not the phones themselves, and have been for years as demonstrated by the AT&T fiber-optic taps.
And what if the room is bugged? Possibly by the very software described in the article. So leaving your cellphone outside helps, but is still no guarantee.
Your two scenarios of insecure (electronic) and secure (in person) is a false dichotomy. There's no such thing as "secure" or "insecure", just degrees of security. How much communication security do you need? That depends on how badly you want privacy — and how badly somebody else wants to deprive you of it.
The real lesson here is the one Bruce Schneier keeps trying to teach (with little success, it seems): security is a process, not a product. If you're worried about somebody listening in, look for weak points in the channel. Don't try to find a magic 128-bit shield at Radio Shack.
Those products are hyped as a means to prevent your calls from being intercepted by a third party. They do indeed protect the call in transit as promised. The flaw being pointed out is that if the endpoints (the phone) are compromised, you can't guarantee the security of the call. Well duh, there's a no brainer. That's like claiming your VPN software isn't secure if someone surreptitiously slipped a keylogger into your computer.
Did anyone else notice that this seems to be an ad for flexispy?
[you're] delusional. The most important fact is that no one actually gives a shit about your phone calls
Parent never said "they're out to get me." He just said he didn't trust wifi. I don't trust that no one at my CS dept. will sniff the wireless network (and my slashdot password)---I'm not certain of it. But I use it anyways.
Where do you pick out the delusional thoughts, rather than just fear and mistrust?
> 100% of encryption is insecure, if you throw enough resources into breaking it.
Suppose I'm thinking of a number x between 1 and 10. I choose a uniformly random number y between 1 and 10. I transmit z = (x + y) modulo 10 over the wire, which you get to look at. Let's say I transmit z = 7. Which number x am I thinking of?
No matter what you do, you can do no better than guessing. You might know that 4 is my favourite number, but that's independent of the value of z. Seeing the cipher text provides you with no additional information over what you already know.
It's impractical, because the person decrypting needs to know the y I chose, so I have to send that too, in some way. You can do quantum key distribution if you have the infrastructure for it (which you don't), or you can give them a 1TB drive full of pre-chosen y-values if you meet with them in person (which you don't if they're ebay/visa/${e-shop}).
Not all crypto can be broken. Only well over 99% of it :)
</pedantic>
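The argument in the comment above, carried through as an added example (not part of the original post): it computes what an eavesdropper can infer about x from z = (x + y) mod 10, first with y uniform on 1..10 and then with a weakened pad. The prior weights (4 as the "favourite number") and the restricted pad range 1..5 are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

DIGITS = range(1, 11)  # "a number x between 1 and 10"

# Constructed prior for the eavesdropper: 4 is known to be the sender's
# favourite number, so it gets half the probability mass (assumed weights).
PRIOR = {x: Fraction(1, 2) if x == 4 else Fraction(1, 18) for x in DIGITS}


def posterior(prior, z, pad_values=DIGITS):
    """Return P(x | z) for z = (x + y) mod 10, with y uniform on pad_values."""
    pad_values = list(pad_values)
    p_y = Fraction(1, len(pad_values))
    joint = {x: Fraction(0) for x in DIGITS}
    for x, y in product(DIGITS, pad_values):
        if (x + y) % 10 == z:
            joint[x] += prior[x] * p_y      # P(x) * P(y) for this pairing
    total = sum(joint.values())             # P(z)
    return {x: p / total for x, p in joint.items() if p}


def leaks(prior, pad_values=DIGITS):
    """True if some observable z changes the eavesdropper's belief about x."""
    return any(posterior(prior, z, pad_values) != prior for z in range(10))


if __name__ == "__main__":
    print("uniform pad leaks:", leaks(PRIOR))
    print("pad limited to 1..5 leaks:", leaks(PRIOR, range(1, 6)))
    print("posterior for z=7, weak pad:", posterior(PRIOR, 7, range(1, 6)))
```

With the full uniform pad the posterior equals the prior for every z; once y is drawn from a smaller set, seeing z rules out half of the candidate values of x.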
> I'm not dumb enough to say anything I want to keep private over a cel phone anyway.
"Hi, lover. Let's get it on tonight. I love it when you {lick my {balls,pussy}, put whipped cream up my butt and eat it back out while you pour hot wax on my nipples and whip me with your sister watching}."
See also http://bash.org/?246405
I'm not sure about the laws in the US of A, but here in Europe, there are some legal things to consider.
You will probably not find anything secure in the market, because there is most of the time a backdoor built in.
GSM is "encrypted", but this can be switched off remotely for easy interception.
Most commercial software has weaknesses, or an escrow key, built-in to decrypt after interception.
It's not that it is required by law to have this, but when you have built a commercial encryption tool, and the authorities ask for your help to decrypt it because they intercepted communications for some reason, you are required to cooperate.
If you don't it can be considered as obstruction of law enforcement.
Many commercial entities don't want to run this risk, and that's why so many of them make sure they have the possibility to decrypt. This way there is no chance of "obstruction".
...when you think phone encryption and recall devices approximately the size of an ATM.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
I think AC firmware dev answered your question well, but there's more to consider: Phones have varying definitions of "OFF" these days.
There's:
- Standby mode with cell modem still on (unsafe, duh)
- The increasingly rare "cell modem off, phone (and possibly other wireless features) on" (safe)
- True "Flight mode" where all wireless connectivity is off (safe)
- The increasingly common "all wireless off except cellular which is in emergency call only mode" (unsafe, and on many new phones the only way to power down the cell modem is to remove the battery)
- Fake "Flight mode" which is the same as the above (unsafe)
- The increasingly rare "true shutdown" where the phone is off and absolutely won't power up again without user intervention.
- "Fake shutdown AKA playing dead" where the phone appears to be totally off but will spring to life, possibly enabling the cell modem, if there's an alarm scheduled or you plug it into a charger / PC. Common on Nokias, including the N900.
- And the only always-safe mode (assuming the phone hasn't been hard-bugged), "battery removed."
"When information is power, privacy is freedom" - Jah-Wren Ryel
put that old source code for PGP-Phone...
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
It seems to me that the vast majority of vendor-supplied cellular phones which are capable of doing encrypted VoIP also implement firmware update Over-the-Air, and I wouldn't be surprised if even those models/vendors which ordinarily notify their customers about such updates (or even ask for confirmation) have a special backdoor which skips that for "updating" the phone for the three-letter agencies/law enforcement.
If you worry about this kind of stuff, you take your phone battery out when you don't need to use it (turning the phone off is reported to be insufficient). Or you use a really really old phone which you know can't be updated over the air (but that still doesn't stop the cellular provider from knowing where you are).
This is about companies that sell encryption software, where 2 phones are pre-setup with additional software to be secure when talking to each other (not about standard phone calls.) Essentially we could re-write this article for ssh simply saying Open-SSH isn't secure because it doesn't detect trojans installed on the PC.
The server room isn't "trivial" because all of the data is encrypted at that point, requires significant computing resources to first crack the stream, and that can be done in real time, even by the NSA. Yes, the phone un-encrypts the audio out stream and also encrypts the audio in, that is why the weak point is at the phone, not the server room. Same with SSH, logging the data at the server room is very difficult to un-encrypt, much easier to just install a back door on the PC.
meant to say "that can't be done in real time, even by the NSA" for the AES-256 used by these phones. Of course that's only true if the vendors didn't put in a backdoor for governments.
Excellent point! It is just like sex. Why only have sex with my high school sweetheart when she might have had sex before. That's why I just go right out and screw whores without a condom. It's the same thing! She isn't going to fool me with her "safe sex" agenda!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Hi all,
I don't know how many of you have read "deeply" about the analysis done on http://infosecurityguard.com .
I have made a detailed analysis of their initiative and the result is that:
- it's most probably a camouflage marketing initiative and not an independent security research
- they consider *only* a security context where local device has been compromised (no software can be secured in that case)
- they do not consider cryptographic security arguments
Below my analysis on this (read it carefully):
http://infosecurity.ch/20100130/about-the-voice-encryption-analysis-phonecrypt-can-be-intercepted-serious-security-evaluation-criteria/
Maybe it's interesting, maybe not, but for sure some facts are very relevant!
Fabio Pietrosanti (naif)