80% of Cell Phone Encryption Solutions Insecure

← Back to Stories (view on slashdot.org)

80% of Cell Phone Encryption Solutions Insecure

Posted by timothy on Thursday January 28, 2010 @11:21AM from the nsa-working-on-the-rest dept.

An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)

13 of 158 comments (clear)

Min score:

Reason:

Sort:

Nothing to see here, move along by johndoe42 · 2010-01-28 11:31 · Score: 5, Insightful

News flash: if someone installs a trojan on your phone, then encrypting your call is insecure.
No sh*t. Don't let people install trojans on your phone.
1. Re:Nothing to see here, move along by Third+Position · 2010-01-28 11:57 · Score: 2, Insightful
  
  I concluded long ago that all electronic communications are by definition insecure. If what you're communicating is really that private, say it in person or use the post office. Other than that, don't be surprised when you find out your private information, isn't.
  
  --
  American Third Position
  Finally, a real choice!
I Don't Trust Wireless In General by smpoole7 · 2010-01-28 11:35 · Score: 2, Insightful

Call me paranoid, but I don't. Even wireless networks with WPA2. Too many ways they can be spoofed, or cracked, or hacked, or man-in-the-middle'd. But that's just me.

--
Cogito, igitur comedam pizza.
1. Re:I Don't Trust Wireless In General by maxume · 2010-01-28 12:00 · Score: 2, Insightful
  
  At the moment, if you have needs that WPA2 doesn't meet, you probably need to worry about Van Eck phreaking too.
  The most important question is not whether you are being paranoid, it is whether you are being paranoid enough.
  
  --
  Nerd rage is the funniest rage.
2. Re:I Don't Trust Wireless In General by BitZtream · 2010-01-28 15:48 · Score: 4, Insightful
  
  Okay, you're paranoid. And delusional.
  The most important fact is that no one actually gives a shit about your phone calls so even if they could listen to every word any time they wanted to, it still wouldn't matter. The sooner you realize you aren't that special, the sooner your paranoia will go away.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Misleading article by badboy_tw2002 · 2010-01-28 11:40 · Score: 5, Insightful

This guy didn't break any encryption. He admitted up front he couldn't, except for some vague handwavy stuff about distributed brute force key attacks. Instead, he installed a trojan on the phone that records the phone conversation. He didn't even write the trojan. The awesome software he couldn't crack (the "20%") were "secure" because it was either different hardware his cool program didn't work for, or some older gear the program didn't run on. Phew! I'll make sure to buy those now that I know they're air tight.
Came for a cool story about breaking over the air phone encryption but all I got was a script kiddie installing software and making grand pronouncements to get pageviews.
1. Re:Misleading article by PybusJ · 2010-01-28 12:17 · Score: 5, Insightful
  
  In my opinion this whole this is a marketing scam for one of the products mentioned. The things that make me suspicious:
  - "Blogger, hacker and IT security expert Notrax" 's infosecurityguard blog was started in Dec 2009, just before he started his ambitious series of security reviews.
  - There are no details of who he is "for his own safety"
  - He calls the systems he's failed to break "secure" and highlights them in reassuring green to attract you attention (only admitting in the small print that he means he hasn't broken them yet). This is not the kind of language security researchers use.
  - Most of the the products are "details to be published", including respected software such as Zphone/ZRTP. Just one shines out as both "secure" and "review available". That miracle product is PhoneCrypt. Oooh, I must click on that review now -- oh look at that glowing prose.
  "SecurStar is the company behind PhoneCrypt." Now I wonder what relation our mysterious, benevolent friend Notrax has to SecurStar.
  To me all the smells lead to a fake marketing blog. Nice story /.
Just 80%? by Weirsbaski · 2010-01-28 11:46 · Score: 2, Insightful

100% of encryption is insecure, if you throw enough resources into breaking it. The real question is how much effort is put into the encryption (both human-hours developing the system, and cpu-cycles doing the math) vs how much effort the attacker can/will put into breaking it.

I'm guessing PhoneCrypt (just to pick one from tfa) is breakable if Eve has enough resources to spend, and is willing to spend them.

--

I am not a sig.
Re:Backdoors != news by sexconker · 2010-01-28 12:48 · Score: 3, Insightful

Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.
Oh fuck off.
I suppose you wrote the compiler too?
I suppose to used an electron microscope and scanned every fucking bit of your CPU and memory and such?
If you want to be fucking paranoid, be paranoid all the way.
Don't use paranoia FUD to push your FOSS agenda.
While it's true that there's shit they can do, it's also true that there's NOTHING you can do about it. FOSS cloak or not.
Re:Backdoors != news by s4ltyd0g · 2010-01-28 13:16 · Score: 4, Insightful

They wont waste time hacking your phone. They have a legal intercept box in the server room. No need for back doors on the phone.
They can't know! by nate+nice · 2010-01-28 14:05 · Score: 3, Insightful

If anyone knows what I'm putting on my pizza, I'm FUCKED.

--
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer ..."
Yep... by msauve · 2010-01-28 14:08 · Score: 2, Insightful

and if it weren't for the summary here, you'd have no way of knowing that WTF he was reviewing. His article references "Voice Encryption," but nowhere does it mention that he's talking about software interception of cellular or mobile phones. From his description of Flexispy - "simply tap the microphone and it can be used in a wiretap mode to listen in to an active phone conversation or simply as a remote electronic bug for proximity eavesdropping" one might think that it's a hardware solution which wiretaps into the microphone. It's not. There is no "wiretap."

--
"National Security is the chief cause of national insecurity." - Celine's First Law
No such thing as "secure" by fm6 · 2010-01-28 18:04 · Score: 2, Insightful

And what if the room is bugged? Possibly by the very software described in the article. So leaving your cellphone outside helps, but is still no guarantee.
Your two scenarios of insecure (electronic) and secure (in person) is a false dichotomy. There's no such thing as "secure" or "insecure", just degrees of security. How much communication security do you need? That depends on how badly you want privacy — and how badly somebody else wants to deprive you of it.
The real lesson here is the one Bruce Schneier keeps trying to teach (with little success, it seems): security is a process, not a product. If you're worried about somebody listening in, look for weak points in the channel. Don't try to find a magic 128-bit shield at Radio Shack.