Slashdot Mirror

← Back to Stories (view on slashdot.org)

80% of Cell Phone Encryption Solutions Insecure

Posted by timothy on from the nsa-working-on-the-rest dept.

An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)

9 of 158 comments (clear)

  1. Nothing to see here, move along by johndoe42 · · Score: 5, Insightful

    News flash: if someone installs a trojan on your phone, then encrypting your call is insecure.

    No sh*t. Don't let people install trojans on your phone.

  2. Sure, if you install the spy software. by InlawBiker · · Score: 4, Funny

    This tactic requires you to install software on the target's phone without their knowledge. That doesn't render the encryption faulty, it's just stealing the voice signal before it gets encrypted. I like this part from the vendor's web site: "$PRODUCT_NAME for iPhone is professional grade spy phone software that takes minutes to install on a jailbroken iPhone, and instantly starts sending data to a secure web account where you can log in and view records..."

  3. Misleading article by badboy_tw2002 · · Score: 5, Insightful

    This guy didn't break any encryption. He admitted up front he couldn't, except for some vague handwavy stuff about distributed brute force key attacks. Instead, he installed a trojan on the phone that records the phone conversation. He didn't even write the trojan. The awesome software he couldn't crack (the "20%") were "secure" because it was either different hardware his cool program didn't work for, or some older gear the program didn't run on. Phew! I'll make sure to buy those now that I know they're air tight.

    Came for a cool story about breaking over the air phone encryption but all I got was a script kiddie installing software and making grand pronouncements to get pageviews.

    1. Re:Misleading article by PybusJ · · Score: 5, Insightful

      In my opinion this whole this is a marketing scam for one of the products mentioned. The things that make me suspicious:

      - "Blogger, hacker and IT security expert Notrax" 's infosecurityguard blog was started in Dec 2009, just before he started his ambitious series of security reviews.

      - There are no details of who he is "for his own safety"

      - He calls the systems he's failed to break "secure" and highlights them in reassuring green to attract you attention (only admitting in the small print that he means he hasn't broken them yet). This is not the kind of language security researchers use.

      - Most of the the products are "details to be published", including respected software such as Zphone/ZRTP. Just one shines out as both "secure" and "review available". That miracle product is PhoneCrypt. Oooh, I must click on that review now -- oh look at that glowing prose.

      "SecurStar is the company behind PhoneCrypt." Now I wonder what relation our mysterious, benevolent friend Notrax has to SecurStar.

      To me all the smells lead to a fake marketing blog. Nice story /.

  4. Re:Backdoors != news by Anonymous Coward · · Score: 4, Interesting

    Absolutely correct.

    I happen to know that there are simple software/hardware hacks/backdoors on 98% of phones in existence. All of these are built in by the manufacturers at our behest - 'our' being NSA, MI6, CIA, ASIO and DSD of Australia.

    Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - its that scary.

  5. Re:The solution by sexconker · · Score: 4, Funny

    V fcrnx va ebg 13. Gbgny frphevgl.

    My mother's a frphevgl, you insensitive khdfsji!

  6. Re:What's that? by MachDelta · · Score: 4, Funny

    Honest men can be found everywhere.

    Honest politicians? SETI is still working on that one.

  7. Re:Backdoors != news by s4ltyd0g · · Score: 4, Insightful

    They wont waste time hacking your phone. They have a legal intercept box in the server room. No need for back doors on the phone.

  8. Re:I Don't Trust Wireless In General by BitZtream · · Score: 4, Insightful

    Okay, you're paranoid. And delusional.

    The most important fact is that no one actually gives a shit about your phone calls so even if they could listen to every word any time they wanted to, it still wouldn't matter. The sooner you realize you aren't that special, the sooner your paranoia will go away.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager