Slashdot Mirror


Flaws In ZRTPCPP Library, Used In Secure Phone Apps

Gunkerty Jeb writes "A security researcher has uncovered a number of serious vulnerabilities in one of the core security components of several secure telephony applications, including the Silent Circle system developed by PGP creator Phil Zimmermann. The vulnerabilities in the GNU ZRTPCPP library already have been addressed in a new version of the library and Silent Circle has implemented a fix, as well. ZRTPCPP is a library that implements the ZRTP protocol that Zimmermann and others developed to establish secure sessions over a pre-existing connection. Silent Circle, which sells a cryptographically secure mobile phone application, and several other products implement the ZRTPCPP library, and Mark Dowd of Azimuth Security has identified several vulnerabilities in the library that could give an attacker the ability to get remote code execution. Dowd said that the bugs can be exploited by remote, unauthenticated users."

4 of 42 comments

  1. Drats, foiled again... by msauve · Score: 2

    Now the NSA will have to go to Plan B.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  2. Re:why bother? by gl4ss · Score: 2

    Nothing on an Android or iPhone device is ever secure; it's too easy for the NSA or other organizations to install Trojan horses. And installing a crypto app from the market is like painting a red bullseye on your phone.

    well.. that's why everyone should install a crypto app from the market then..

    --
    world was created 5 seconds before this post as it is.
  3. Re:Remote code exploit in Crypto by aaaaaaargh! · Score: 2

    Languages like Ada/Spark and Haskell: Yes. The languages you mention: not really.

  4. Implementation bugs, not protocol bugs by billstewart · Score: 2

    Yes, I'm ignoring your joke; sorry :-)

    Fortunately, while these bugs are annoying and may break a number of different programs, they're bugs in the implementation code, not bugs in the communication or crypto protocols themselves. That makes them much more fixable. (Perhaps harder to detect in the field, but fixable.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks