Slashdot Mirror
80% of Cell Phone Encryption Solutions Insecure
An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)
yeah, i can hear you now.
The way people shout into their phones, you can hear what they say a mile away.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Oh, a lock just keeps an honest man honest?
What else is new?
News flash: if someone installs a trojan on your phone, then encrypting your call is insecure.
No sh*t. Don't let people install trojans on your phone.
Most of my cell calls are less the 10 minutes long.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Earlyclay itway isway upway otay ethay userway otay useway omesay otherway ormfay ofway obfuscationway
Call me paranoid, but I don't. Even wireless networks with WPA2. Too many ways they can be spoofed, or cracked, or hacked, or man-in-the-middle'd. But that's just me.
Cogito, igitur comedam pizza.
It's so efficient, not even my recipient can make out what I mean.
The Missile from France went down my pants, so I need you to dance and prance
"Are you breaking up with me?"
This tactic requires you to install software on the target's phone without their knowledge. That doesn't render the encryption faulty, it's just stealing the voice signal before it gets encrypted. I like this part from the vendor's web site: "$PRODUCT_NAME for iPhone is professional grade spy phone software that takes minutes to install on a jailbroken iPhone, and instantly starts sending data to a secure web account where you can log in and view records..."
This guy didn't break any encryption. He admitted up front he couldn't, except for some vague handwavy stuff about distributed brute force key attacks. Instead, he installed a trojan on the phone that records the phone conversation. He didn't even write the trojan. The awesome software he couldn't crack (the "20%") were "secure" because it was either different hardware his cool program didn't work for, or some older gear the program didn't run on. Phew! I'll make sure to buy those now that I know they're air tight.
Came for a cool story about breaking over the air phone encryption but all I got was a script kiddie installing software and making grand pronouncements to get pageviews.
100% of encryption is insecure, if you throw enough resources into breaking it. The real question is how much effort is put into the encryption (both human-hours developing the system, and cpu-cycles doing the math) vs how much effort the attacker can/will put into breaking it.
I'm guessing PhoneCrypt (just to pick one from tfa) is breakable if Eve has enough resources to spend, and is willing to spend them.
I am not a sig.
Absolutely correct.
I happen to know that there are simple software/hardware hacks/backdoors on 98% of phones in existence. All of these are built in by the manufacturers at our behest - 'our' being NSA, MI6, CIA, ASIO and DSD of Australia.
Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - its that scary.
http://en.wikipedia.org/wiki/One_time_pad
One-time pad encoded messages look like total gibberish.
People eavesdropping on you, will think that you are just sending Twitter messages . . . total gibberish . . .
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
He might be able to trick someone into throwing a huge amount of money his direction because he proved something everyone knew already, using techniques that really don't prove all that much more than you can get a trojan on a phone, but most folks aren't buying it. The majority of software solutions for mobile devices tend towards being focused on blocking the "casual" hacker, for example, the friend who picks up your phone when you leave it out somewhere, or the phone you left in the coffee shop that the stranger who finds it might have something interesting on it (or might be good for some calls). That takes into account the typical use-case scenarios for a mobile device. Of course that stuff isn't going to block a trojan, because that comes down to the OS running on that phone having enough built in security to make it difficult for it to gain root access, or a virus scanner that runs on that phone (which is painfully hard on your battery life, and most people avoid that solution altogether) that keeps itself properly updated at all times.
So what if some geek listens in on my phone calls as they're recorded by big brother. I'm not dumb enough to say anything I want to keep private over a cel phone anyway. And I'm not even a drug dealer.
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - its that scary.
Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.
And if you think it's only the cell manufacturers that have sold out, you are sadly, sadly mistaken.
Read the parent. Carefully. He knows what he's talking about.
My blog
Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.
Oh fuck off.
I suppose you wrote the compiler too?
I suppose to used an electron microscope and scanned every fucking bit of your CPU and memory and such?
If you want to be fucking paranoid, be paranoid all the way.
Don't use paranoia FUD to push your FOSS agenda.
While it's true that there's shit they can do, it's also true that there's NOTHING you can do about it. FOSS cloak or not.
I just posted the following comment on this asshole's website:
Your article is totally misleading.
You say that you managed to prove those products insecure.
Well, YOU DIDN'T. The intention of all the products you mentioned is to provide encryption
to protect you from someone intercepting your phone call. You didn't test any of this.
You just directly accessed the mic on the cellphone. Well, off course you'll get the audio!!
A little analogous situation to better explain what you did:
I will prove that this high security reinforced door is totally insecure. I'll get in the house through
the window. Oh No! It worked, I'm inside the house and I didn't even touch the door! Those doors
are Insecure!
That's exactly what you did. Those systems encrypt your voice. Your call is secure from interception.
If you knew anything about security, you would know this: Physical access is total access.
You had PHYSICAL access to the phone. Well, off course you where able to "crack" it. Guess what?
You could have manually connected the mic cables to an mp3 recorder for all I cared.
It's like saying "I am going to prove that this OpenBSD-based firewall is insecure, but connecting
to the machines behind the firewall with this directly with this ethernet crossover cable".
So, are you really that naive, or you have financial interests in some phone crypto technology?
WTF am I doing replying to an AC at 5 A.M on a Friday night?
That's a full 10% better than Sturgen's Law predicts.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
So somebody could go to a lot of trouble to listen to me talk with one of my geek friends about the iPad or brazing bicycle frames, or audio design or some other totally boring topic that if it was at all interesting would show up on the net somewhere already. Lord help them if they want to listen in to a conversation with my or my wife's parents. I'd be bummed if I went to that much trouble for so little return.
Sheldon
They wont waste time hacking your phone. They have a legal intercept box in the server room. No need for back doors on the phone.
Blah blah don't attack the encryption; attack how it's used! blah.
The World Wide Web is dying. Soon, we shall have only the Internet.
I'm not sure how much faith I have in this guy as a "security expert" when this is the second paragraph in TFA:
He comes within a whisker of implying that AES-256 will be breakable by distributed computing at some point.
If anyone knows what I'm putting on my pizza, I'm FUCKED.
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
...Those fellows will get records down to every time you've gone to the toilet - its that scary.
Boy, just when you thought that they didn't give a shit...Apparently, they DO give a shit, especially about your shit. Maybe even everyone's shit.
And apparently, if you give a shit about your shit, well that's just a sick fetish. But when the Government starts wanting to know about your shit, well, that my friends is warfighting for the sake of anti-terrorism. Weapons of Ass Destruction indeed.
OK, OK, done with this shit for now...
and if it weren't for the summary here, you'd have no way of knowing that WTF he was reviewing. His article references "Voice Encryption," but nowhere does it mention that he's talking about software interception of cellular or mobile phones. From his description of Flexispy - "simply tap the microphone and it can be used in a wiretap mode to listen in to an active phone conversation or simply as a remote electronic bug for proximity eavesdropping" one might think that it's a hardware solution which wiretaps into the microphone. It's not. There is no "wiretap."
"National Security is the chief cause of national insecurity." - Celine's First Law
Read the parent. Carefully. He knows what he's talking about.
Well, he ought to. The infamous AC probably has more posts here than all of us combined.
> I've seen people from Israel, Iran, England, Australia, Canada, Germany and China all working in the one place on incredibly sensitive cyber espionage for the one country
Sure you did kid...
How about you stop making comments on Slashdot and go back to your Intro to Information Tech class.
Yeah, I've seen that too, but I can't remember the name of the movie.
greed@All_Evils:~#
Doubt it. Too many people would know about it; not only too many phone company employees, but others; do you think no one has reverse-engineered a phone?
Many phones can take firmware updates over the air, and that can be used to put backdoors in the phones; I believe Verizon has said it has done so at the behest of the FBI in at least one case. But putting a backdoor in every phone out there is just asking for the backdoor to be discovered.
All these applications must run on the phones at both ends of the call, so recording it in the middle would be largely of no use if the exchange of keys was secure and the encryption was up to standard (256-bit AES). And The author acknowledged he couldn't break that encryption (and only speculated this was feasible with a distributed computing network.)
Hacking the device is the low hanging fruit was the point. Seams only A backdoor for the NSA/etc, in these applications would change that.
You are at best uninformed and extremely hostile. Having problems installing linux huh?
Quit getting your information from Fox news and start checking out sites like the BBC and Al-Jazeera...or better yet read "The Shadow Factory" by James Bamford...the writer who broke the story about the existence of the NSA.
He painfully details the COMPLETE monitoring of all domestic and international landline, voip, sms/mms and e-mail communications...and all references are sourced by actual newspaper articles, journals or conference talks.
I know what you're going to say next...that you have nothing to hide. While I'm sure the feds could care less that you bought nunchakus over the web, once this monitoring capability trickles down to the state and local level this will be a valid concern.
Say you're a lawyer...forget about client-confidentality. Running for AG? Well the current attorney general will spy on you and get dirt on your affairs, pot consumption or whatever else he can use to KEEP HIMSELF IN POWER.
Local police will be free to use the same systems to keep cities in check, etc.
Due to the complexities of current laws (CA are you listening?) the average citizen commits several felonies a year without realizing it.
Your arguments are horseshit...
That seeems nonsensical. Each phone has both input (at the microphone) and output (at the speaker), so it certainly has access to unencrypted access to both sides of the phone call.
The trivial backdoors for the NSA would seem to be in the server rooms, not the phones themselves, and have been for years as demonstrated by the AT&T fiber-optic taps.
And what if the room is bugged? Possibly by the very software described in the article. So leaving your cellphone outside helps, but is still no guarantee.
Your two scenarios of insecure (electronic) and secure (in person) is a false dichotomy. There's no such thing as "secure" or "insecure", just degrees of security. How much communication security do you need? That depends on how badly you want privacy — and how badly somebody else wants to deprive you of it.
The real lesson here is the one Bruce Schneier keeps trying to teach (with little success, it seems): security is a process, not a product. If you're worried about somebody listening in, look for weak points in the channel. Don't try to find a magic 128-bit shield at Radio Shack.
Those products are hyped as a means to prevent your calls from being intercepted by a third party. They do indeed protect the call in transit as promised. The flaw being pointed out is that if the endpoints (the phone) are compromised, you can't guarantee the security of the call. Well duh, there's a no brainer. That's like claiming your VPN software isn't secure if someone surreptitiously slipped a keylogger into your computer.
Did anyone else notice that this seems to be an ad for flexispy?
as for monitoring your toilet activity with your cell phone - I think I found the solution which should be relatively easy - I do not take my phone there.
I happen to know that there are simple software/hardware hacks/backdoors on 98% of braaaaaiiiiiinnnnss in existence. All of these are built in by ALIENS! at our behest - 'our' being Xenu, Cthulhu, His Holy Noodliness, and Chuck Norris.
Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned deities should never have had access to - things regular plebs wouldn't have believed possible to monitor. Yes, they can watch you pee when you have your phone in your pocket! Those fellows will get records down to every time you've gone to the toilet - its that scary (Hmmm.. He seemed he pre-empted that particular joke.)
An anonymous post full of conspiracy-theory style rambling with no evidence, citation, not even an example of the tech used (in a very basic form) and it's been modded up. Want to know how they know when you've gone to the toilet? Your Smart Meter records you've used exactly the same amount of water in one go as it takes to fill the cistern.
Mod parent down until he can give me an example of this all-singing, all-dancing hack for 98% of phones in existence which exists on my device and not some kit installed at the switch.
Finally had enough. Come see us over at https://soylentnews.org/
You've repressed the memory because it was too painful to re-live.
Here, let me share the pain
Finally had enough. Come see us over at https://soylentnews.org/
[you're] delusional. The most important fact is that no one actually gives a shit about your phone calls
Parent never said "they're out to get me." He just said he didn't trust wifi. I don't trust that no one at my CS dept. Will sniff the wireless network (and my slashdot password)---I'm not certain of it. But I use it anyways.
Where do you pick out the delusional thoughts, rather than just fear and mistrust?
100% of encryption is insecure, if you throw enough resources into breaking it.
Suppose I'm thinking of a number x between 1 and 10. I choose a uniformly random number y between 1 and 10. I transmit z = (x + y) modulo 10 over the wire, which you get to look at. Let's say I transmit z = 7. Which number x am I thinking of?
No matter what you do, you can do no better than guessing. You might know that 4 is my favourite number, but that's independent of the value of z. Seeing the cipher text provides you with no additional information over what you already know.
It's impractical, because the person decrypting needs to know the y I chose, so I have to send that too, in some way. You can do quantum key distribution if you have the infrastructure for it (which you don't), or you can give them a 1TB drive full of pre-chosen y-values if you meet with them in person (which you don't if they're ebay/visa/${e-shop}).
Not all crypto can be broken. Only well over 99% of it :)
</pedantic>
I'm not dumb enough to say anything I want to keep private over a cel phone anyway.
"Hi, lover. Let's get it on tonight. I love it when you {lick my {balls,pussy}, put whipped cream up my butt and eat it back out while you pour hot wax on my nipples and whip me with your sister watching}."
See also http://bash.org/?246405
If you want to be fucking paranoid, be paranoid all the way.
By being able to read source code, but not have an electron microscope, you force the bad guys to use more expensive and laborious obscurity.
I'm for raising the bar on them---maybe they're not omnipotent.
While it's true that there's shit they can do, it's also true that there's NOTHING you can do about it.
Not with that attitude at least...
> I happen to work as a security firmware developer for a major phone manufacturer
Perhaps you can answer me a question:
If a phone is turned OFF (as in hitting the big button on top) can it still be called and used against you as a roving bug? What about location tracking?
Why is parent insightful?
I suppose you wrote the compiler too?
There are plenty of open source compilers.
I suppose to used an electron microscope and scanned every fucking bit of your CPU and memory and such?
Judging by the reverse engineering of the PS3, it seems there are hobbyists prepared to do this (though there are alternative techniques to electron microscopes).
If you want to be fucking paranoid, be paranoid all the way.
This goes against the whole principle of security. It doesn't need to be perfect, just harder to get around than the contents are worth. If grandparent poster uses peer reviewed OS, the security services may be able to read his communications if they target him. If sexconker thinks it's impossible so may as well give up, every 2-bit hacker will be able to install trojans on his system and he'll suffer the consequences before anybody else.
Phillip.
Property for sale in Nice, France
...when you think phone encryption and recall devices approximately the size of an ATM.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
Easiest solution: don't own a cell phone.
For years (and years) I got by without having a digital tether. Nothing's substantially changed that would require one. Now, if I were a doctor, or an IT administrator, I could understand it. But for the other 99% of cellphone users--the ones endlessly prattling on about when they'll be home for dinner? what should I pick up from the store? where are you now? what are you doing? did you have a good time last night?--all of those conversations can just fucking wait.
Apologies for the rant. I still haven't had my coffee.
I think AC firmware dev answered your question well, but there's more to consider: Phones have varying definitions of "OFF" these days.
There's:
- Standby mode with cell modem still on (unsafe, duh)
- The increasingly rare "cell modem off, phone (and possibly other wireless features) on" (safe)
- True "Flight mode" where all wireless connectivity is off (safe)
- The increasingly common "all wireless off except cellular which is in emergency call only mode" (unsafe, and on many new phones the only way to power down the cell modem is to remove the battery)
- Fake "Flight mode" which is the same as the above (unsafe)
- The increasingly rare "true shutdown" where the phone is off and absolutely won't power up again without user intervention.
- "Fake shutdown AKA playing dead" where the phone appears to be totally off but will spring to life, possibly enabling the cell modem, if there's an alarm scheduled or you plug it into a charger / PC. Common on Nokias, including the N900.
- And the only always-safe mode (assuming the phone hasn't been hard-bugged), "battery removed."
"When information is power, privacy is freedom" - Jah-Wren Ryel
put that old source code for PGP-Phone...
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
It seems to me that the vast majority of vendor-supplied cellular phones which are capable of doing encrypted VoIP also implement firmware update Over-the-Air, and I wouldn't be surprised if even those models/vendors which ordinarily notify their customers about such updates (or even ask for confirmation) have a special backdoor which skips that for "updating" the phone for the three-letter agencies/law enforcement.
If you worry about this kind of stuff, you take your phone battery out when you don't need to use it (turning the phone off is reported to be insufficient). Or you use a really really old phone which you know can't be updated over the air (but that still doesn't stop the cellular provider from knowing where you are).
This is about companies that sell encryption software, where 2 phones are pre-setup with additional software to be secure when talking to each other (not about standard phone calls.) Essentially we could re-write this article for ssh simply saying Open-SSH isn't secure because it doesn't detect trojans installed on the PC.
The server room isn't "trivial" because all of the data is encrypted at that point, requires significant computing resources to first crack the stream, and that can be done in real time, even by the NSA. Yes, the phone un-encrypts the audio out stream and also encrypts the audio in, that is why the weak point is at the phone, not the server room. Same with SSH, logging the data at the server room is very difficult to un-encrypt, much easier to just install a back door on the PC.
meant to say "that can't be done in real time, even by the NSA" for the AES-256 used by these phones. Of course that's only true if the venders didn't put in a backdoor for governments.
Some security is better than none at all....FALSE....as some security lends a false sense of security. There is no such thing as "good enough" in security. Take physical security systems for example, if you make sure all the doors are locked but don't bother with security guards or cameras, yes it'll work...until someone swipes a key or kicks in a door after hours...computer security is no different, complex passwords aren't worth a damn if they are being transmitted in cleartext. (naturally, the reverse is true as well, the most secure crypto system in the world is useless if your users use "12345" as a password)
so your response is to bend over that desk and try to enjoy the ride because theres "nothing you can do about it"...no thank you. Also, using peer reviewed crypto systems IS the smart thing to do, look up Kerckhoff's principle (link for the lazy: http://en.wikipedia.org/wiki/Kerckhoffs'_principle)
My response is the FOSS crew needs to sit down and shut up - this problem isn't one they can solve or even claim to solve.
My tactic is to not depend on electronics to keep my shit secret.
Using peer-reviewed crypto? Is it a peer-reviewed CPU? Peer-reviewed memory? Motherboard? Company? Datacenter? Peer-reviewed peers?
It doesn't matter how strong your crypto is - it all gets decrypted somewhere.
Using peer-reviewed anything doesn't help anything, ever. If you shouldn't trust person X (whether or not you do), then you shouldn't trust person X's peers (whether or not you do).
Peer-review is a cancer forced upon us by academia. It's self-serving bullshit that ensures the entrenched get to pat each other on the back and destroy anyone who disagrees with their ideals.
Independent, objective review is infinitely superior.
Or http://xkcd.com/566/.
Check out my sci-fi/humor trilogy at PatriotsBooks.
There's definitely a "good enough". If you have locks on the doors with cameras, people can still break in at night because you don't have guard dogs. If you have guard dogs, people can still break in by helicopter and attack the skylights on the roof. If you put the guard dogs inside, people can still wreak havoc by throwing meat to the guard dogs, causing them to run wild and knock down shelves trying to get to it. If you electrify the windows, doors, and skylights, people can still tunnel in with a boring machine. And so on.
So there's definitely a point at which you can rightfully conclude that the cost of securing something exceeds its value. At that point, normally you stop. In this case, we can conclude that the cell companies believe that the value of the encrypted voice data is near zero. What we have here is a disagreement over that assertion.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Excellent point! It is just like sex. Why only have sex with my high school sweetheart when she might have had sex before. That's why I just go right out and screw whores without a condom. It's the same thing! She isn't going to fool me with her "safe sex" agenda!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
So by independent objective review do you mean allowing other crypto-analysts to look at your algorithm and find ways to break it and thus weed out flawed designs? That's peer review. Trusting a black box crypto system is foolish, obscurity is NOT security; Microsoft's and Apple's security records are ample testaments to that.
I know self-replies are considered bad form here but fsck it. You are also aware that many if not all of the crypto-systems you use daily online are publicly known right? SSH, SSL, AES, RSA, PGP, _ALL_ of those are publicly known. All of them have been subjected to independent objective (aka peer) review. All of them have been found to be very secure.