80% of Cell Phone Encryption Solutions Insecure

An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)

yeah, i can hear you now.

yeah, i can hear you now.

What's that?

Oh, a lock just keeps an honest man honest?

What else is new?

Re:What's that?

[MachDelta]

Honest men can be found everywhere.

Honest politicians? SETI is still working on that one.

Nothing to see here, move along

[johndoe42]

News flash: if someone installs a trojan on your phone, then encrypting your call is insecure.

No sh*t. Don't let people install trojans on your phone.

Re:Nothing to see here, move along

[Third+Position]

I concluded long ago that all electronic communications are by definition insecure. If what you're communicating is really that private, say it in person or use the post office. Other than that, don't be surprised when you find out your private information, isn't.

The solution

[ascari]

Earlyclay itway isway upway otay ethay userway otay useway omesay otherway ormfay ofway obfuscationway

Re:The solution

[sexconker]

V fcrnx va ebg 13. Gbgny frphevgl.

My mother's a frphevgl, you insensitive khdfsji!

I Don't Trust Wireless In General

[smpoole7]

Call me paranoid, but I don't. Even wireless networks with WPA2. Too many ways they can be spoofed, or cracked, or hacked, or man-in-the-middle'd. But that's just me.

Re:I Don't Trust Wireless In General

[maxume]

At the moment, if you have needs that WPA2 doesn't meet, you probably need to worry about Van Eck phreaking too.

The most important question is not whether you are being paranoid, it is whether you are being paranoid enough.

Re:I Don't Trust Wireless In General

[MichaelSmith]

I don't have any security at all on my wireless network but any traffic I want to protect goes through ssh on all the networks I want to use.

Re:I Don't Trust Wireless In General

[BitZtream]

Okay, you're paranoid. And delusional.

The most important fact is that no one actually gives a shit about your phone calls so even if they could listen to every word any time they wanted to, it still wouldn't matter. The sooner you realize you aren't that special, the sooner your paranoia will go away.

I speak in code

[Monkeedude1212]

It's so efficient, not even my recipient can make out what I mean.

The Missile from France went down my pants, so I need you to dance and prance
"Are you breaking up with me?"

Re:I speak in code

[ascari]

The Missile from France went down my pants, so I need you to dance and prance

Translation: "Dear Susan, My new room mate Jean Claude has shown me aspects of myself that I wasn't aware of before. Please don't pine for me. Go out, have some fun and maybe you meet somebody who can appreciate you in a way I cannot anymore."

Sure, if you install the spy software.

[InlawBiker]

This tactic requires you to install software on the target's phone without their knowledge. That doesn't render the encryption faulty, it's just stealing the voice signal before it gets encrypted. I like this part from the vendor's web site: "$PRODUCT_NAME for iPhone is professional grade spy phone software that takes minutes to install on a jailbroken iPhone, and instantly starts sending data to a secure web account where you can log in and view records..."

Misleading article

[badboy_tw2002]

This guy didn't break any encryption. He admitted up front he couldn't, except for some vague handwavy stuff about distributed brute force key attacks. Instead, he installed a trojan on the phone that records the phone conversation. He didn't even write the trojan. The awesome software he couldn't crack (the "20%") were "secure" because it was either different hardware his cool program didn't work for, or some older gear the program didn't run on. Phew! I'll make sure to buy those now that I know they're air tight.

Came for a cool story about breaking over the air phone encryption but all I got was a script kiddie installing software and making grand pronouncements to get pageviews.

Re:Misleading article

[PybusJ]

In my opinion this whole this is a marketing scam for one of the products mentioned. The things that make me suspicious:

- "Blogger, hacker and IT security expert Notrax" 's infosecurityguard blog was started in Dec 2009, just before he started his ambitious series of security reviews.

- There are no details of who he is "for his own safety"

- He calls the systems he's failed to break "secure" and highlights them in reassuring green to attract you attention (only admitting in the small print that he means he hasn't broken them yet). This is not the kind of language security researchers use.

- Most of the the products are "details to be published", including respected software such as Zphone/ZRTP. Just one shines out as both "secure" and "review available". That miracle product is PhoneCrypt. Oooh, I must click on that review now -- oh look at that glowing prose.

"SecurStar is the company behind PhoneCrypt." Now I wonder what relation our mysterious, benevolent friend Notrax has to SecurStar.

To me all the smells lead to a fake marketing blog. Nice story /.

Just 80%?

[Weirsbaski]

100% of encryption is insecure, if you throw enough resources into breaking it. The real question is how much effort is put into the encryption (both human-hours developing the system, and cpu-cycles doing the math) vs how much effort the attacker can/will put into breaking it.

I'm guessing PhoneCrypt (just to pick one from tfa) is breakable if Eve has enough resources to spend, and is willing to spend them.

Re:Just 80%?

[Bengie]

It would take more energy to break a current day 256bit symmetric key than there is usable energy in our galaxy. A near perfect 256bit would require you breaking down all of the stars in the universe into pure energy to break one key. Have fun.

but yes, human factor. ignore the key all together.

Re:Backdoors != news

Absolutely correct.

I happen to know that there are simple software/hardware hacks/backdoors on 98% of phones in existence. All of these are built in by the manufacturers at our behest - 'our' being NSA, MI6, CIA, ASIO and DSD of Australia.

Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - its that scary.

What good would 'security' be anyway

[dontmakemethink]

So what if some geek listens in on my phone calls as they're recorded by big brother. I'm not dumb enough to say anything I want to keep private over a cel phone anyway. And I'm not even a drug dealer.

Re:Backdoors != news

[morgan_greywolf]

Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - its that scary.

Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.

And if you think it's only the cell manufacturers that have sold out, you are sadly, sadly mistaken.

Read the parent. Carefully. He knows what he's talking about.

Re:Use one-time pads, with text messages . . .

[MichaelSmith]

But how do you securely distribute the pad? Even air transport is not secure these days, unless you have diplomatic immunity against searches.

Re:Backdoors != news

[sexconker]

Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.

Oh fuck off.
I suppose you wrote the compiler too?
I suppose to used an electron microscope and scanned every fucking bit of your CPU and memory and such?

If you want to be fucking paranoid, be paranoid all the way.
Don't use paranoia FUD to push your FOSS agenda.

While it's true that there's shit they can do, it's also true that there's NOTHING you can do about it. FOSS cloak or not.

WORST. ARTICLE. EVER

[GNUALMAFUERTE]

I just posted the following comment on this asshole's website:

Your article is totally misleading.

You say that you managed to prove those products insecure.

Well, YOU DIDN'T. The intention of all the products you mentioned is to provide encryption
to protect you from someone intercepting your phone call. You didn't test any of this.
You just directly accessed the mic on the cellphone. Well, off course you'll get the audio!!

A little analogous situation to better explain what you did:

I will prove that this high security reinforced door is totally insecure. I'll get in the house through
the window. Oh No! It worked, I'm inside the house and I didn't even touch the door! Those doors
are Insecure!

That's exactly what you did. Those systems encrypt your voice. Your call is secure from interception.
If you knew anything about security, you would know this: Physical access is total access.

You had PHYSICAL access to the phone. Well, off course you where able to "crack" it. Guess what?
You could have manually connected the mic cables to an mp3 recorder for all I cared.

It's like saying "I am going to prove that this OpenBSD-based firewall is insecure, but connecting
to the machines behind the firewall with this directly with this ethernet crossover cable".

So, are you really that naive, or you have financial interests in some phone crypto technology?

Re:Backdoors != news

[s4ltyd0g]

They wont waste time hacking your phone. They have a legal intercept box in the server room. No need for back doors on the phone.

more feasible to break encryption?

[Eil]

I'm not sure how much faith I have in this guy as a "security expert" when this is the second paragraph in TFA:

Well I knew I would not likely be able to break any encryption algorithms such as 256-bit AES which seemed to be the standard among the vendors. Although based on some research studies, distributed computing is making it more feasible to break encryption.

He comes within a whisker of implying that AES-256 will be breakable by distributed computing at some point.

They can't know!

[nate+nice]

If anyone knows what I'm putting on my pizza, I'm FUCKED.

Yep...

[msauve]

and if it weren't for the summary here, you'd have no way of knowing that WTF he was reviewing. His article references "Voice Encryption," but nowhere does it mention that he's talking about software interception of cellular or mobile phones. From his description of Flexispy - "simply tap the microphone and it can be used in a wiretap mode to listen in to an active phone conversation or simply as a remote electronic bug for proximity eavesdropping" one might think that it's a hardware solution which wiretaps into the microphone. It's not. There is no "wiretap."

Re:Backdoors != news

[Narnie]

Yeah, I've seen that too, but I can't remember the name of the movie.

Anger issues eh?

[ComeTheDay]

You are at best uninformed and extremely hostile. Having problems installing linux huh?

Quit getting your information from Fox news and start checking out sites like the BBC and Al-Jazeera...or better yet read "The Shadow Factory" by James Bamford...the writer who broke the story about the existence of the NSA.

He painfully details the COMPLETE monitoring of all domestic and international landline, voip, sms/mms and e-mail communications...and all references are sourced by actual newspaper articles, journals or conference talks.

I know what you're going to say next...that you have nothing to hide. While I'm sure the feds could care less that you bought nunchakus over the web, once this monitoring capability trickles down to the state and local level this will be a valid concern.

Say you're a lawyer...forget about client-confidentality. Running for AG? Well the current attorney general will spy on you and get dirt on your affairs, pot consumption or whatever else he can use to KEEP HIMSELF IN POWER.

Local police will be free to use the same systems to keep cities in check, etc.

Due to the complexities of current laws (CA are you listening?) the average citizen commits several felonies a year without realizing it.

Your arguments are horseshit...

No such thing as "secure"

[fm6]

And what if the room is bugged? Possibly by the very software described in the article. So leaving your cellphone outside helps, but is still no guarantee.

Your two scenarios of insecure (electronic) and secure (in person) is a false dichotomy. There's no such thing as "secure" or "insecure", just degrees of security. How much communication security do you need? That depends on how badly you want privacy — and how badly somebody else wants to deprive you of it.

The real lesson here is the one Bruce Schneier keeps trying to teach (with little success, it seems): security is a process, not a product. If you're worried about somebody listening in, look for weak points in the channel. Don't try to find a magic 128-bit shield at Radio Shack.