Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Encryption Security Cellphones Communications Privacy IT

80% of Cell Phone Encryption Solutions Insecure 158

Posted by timothy
from the nsa-working-on-the-rest dept.
An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)
This discussion has been archived. No new comments can be posted.

80% of Cell Phone Encryption Solutions Insecure

Comments Filter:
  • by Anonymous Coward
    yeah, i can hear you now.
    • Re: (Score:1, Funny)

      by Anonymous Coward

      WHAT? SPEAK UP!

  • The way people shout into their phones, you can hear what they say a mile away.
  • What's that? (Score:2, Interesting)

    by Anonymous Coward
    Oh, a lock just keeps an honest man honest?

    What else is new?
  • by johndoe42 (179131) on Thursday January 28, 2010 @06:31PM (#30943440)

    News flash: if someone installs a trojan on your phone, then encrypting your call is insecure.

    No sh*t. Don't let people install trojans on your phone.

    • Re: (Score:2, Insightful)

      I concluded long ago that all electronic communications are by definition insecure. If what you're communicating is really that private, say it in person or use the post office. Other than that, don't be surprised when you find out your private information, isn't.

      • by fm6 (162816)

        And what if the room is bugged? Possibly by the very software described in the article. So leaving your cellphone outside [mashable.com] helps, but is still no guarantee [diylife.com].

        Your two scenarios of insecure (electronic) and secure (in person) is a false dichotomy. There's no such thing as "secure" or "insecure", just degrees of security. How much communication security do you need? That depends on how badly you want privacy — and how badly somebody else wants to deprive you of it.

        The real lesson here is the one Bruce Schn

    • by EdZ (755139)

      Don't let people install trojans on your phone.

      If you know it's a Trojan, then by definition it isn't a Trojan.

      • Re: (Score:1, Funny)

        by Anonymous Coward

        That's the stupidest thing I've heard in a while.

        Now that my antivirus found a trojan, it's no longer a trojan?

    • Not very creative remember the old evil maid [slashdot.org]. Same thing people have been preaching about Linux too. Once the person has root access doesn't matter(or sufficient rights). You have been owned.
    • When dealing with somebody that knows what they are doing, and any major brand smart phone, it takes less than 15 seconds to r00t your phone and start to upload custom software. No 'trojan' required. All that is needed is to know your phones IP address at any point that you are online transferring data (e.g email, web, photo transfers, etc). It only takes 15 seconds, just once, and your phone no longer belongs to you. Security on the current cell phone hardware and OS's are just an after thought.

      Even a n

  • Most of my cell calls are less the 10 minutes long.
  • by ascari (1400977)
    Earlyclay itway isway upway otay ethay userway otay useway omesay otherway ormfay ofway obfuscationway
  • Call me paranoid, but I don't. Even wireless networks with WPA2. Too many ways they can be spoofed, or cracked, or hacked, or man-in-the-middle'd. But that's just me.
    • WPA2 makes it difficult to crack wireless encryption. But thats not where the weak link is.

      The fact is, built in hardware backdoors and software backdoors allow those in the know to completely walk around the encryption being used. This is where the real issue is.
      • WPA2 makes it difficult to crack wireless encryption. But thats not where the weak link is.

        The fact is, built in hardware backdoors and software backdoors allow those in the know to completely walk around the encryption being used. This is where the real issue is.

        Do they have backdoors that make the range extend beyond 6 feet and the throughput go higher than 1 MB/sec?

        • by Narnie (1349029)
          100ft patch cable plugged into the back of the router.
          True paranoids check for new wired connections before transmitting data on their network. Always check for spooks lurking on your nets and sneaking in your tinfoil abode.
    • Re: (Score:2, Insightful)

      by maxume (22995)

      At the moment, if you have needs that WPA2 doesn't meet, you probably need to worry about Van Eck phreaking too.

      The most important question is not whether you are being paranoid, it is whether you are being paranoid enough.

    • by FooAtWFU (699187)
      You think that's bad? Wait until you hear about Van Eck phreaking.
    • Why trust any electronic medium? I felt the same way about POTS at least as far back as 1972. Wire-tapping was probably invented the day after the telephone was.

    • Re: (Score:3, Informative)

      by MichaelSmith (789609)

      I don't have any security at all on my wireless network but any traffic I want to protect goes through ssh on all the networks I want to use.

    • by BitZtream (692029) on Thursday January 28, 2010 @10:48PM (#30945418)

      Okay, you're paranoid. And delusional.

      The most important fact is that no one actually gives a shit about your phone calls so even if they could listen to every word any time they wanted to, it still wouldn't matter. The sooner you realize you aren't that special, the sooner your paranoia will go away.

      • by cblack (4342)

        I disagree. That "I'm not special enough to be a target" attitude makes sense if you are worried about targeted listening, but what about large scale data mining? Passing everything through a voice recognition package and then searching for keywords or patterns (not to mention patterns of contact) is not impossible.

      • [you're] delusional. The most important fact is that no one actually gives a shit about your phone calls

        Parent never said "they're out to get me." He just said he didn't trust wifi. I don't trust that no one at my CS dept. Will sniff the wireless network (and my slashdot password)---I'm not certain of it. But I use it anyways.

        Where do you pick out the delusional thoughts, rather than just fear and mistrust?

      • Ok first of all, you have no idea who he is or what he does. There are far more practical applications and uses for good cell encryption technology than you seem to be giving credit. Businessmen who deal with trade secrets, government officials or contractors, and any number of other sensitive areas of work, for example often people now do some level of banking on their phones. Often there are materials that are marked as "Confidential" and require little to no official compartmentalization, but still requi
      • by horza (87255)

        Or maybe you aren't special, BitZtream, and nobody cares about you? Just because you are a loser, don't judge the rest of us.

        Phillip.

  • by Monkeedude1212 (1560403) on Thursday January 28, 2010 @06:35PM (#30943482) Journal

    It's so efficient, not even my recipient can make out what I mean.

    The Missile from France went down my pants, so I need you to dance and prance
    "Are you breaking up with me?"

    • Re: (Score:2, Informative)

      by ascari (1400977)

      The Missile from France went down my pants, so I need you to dance and prance

      Translation: "Dear Susan, My new room mate Jean Claude has shown me aspects of myself that I wasn't aware of before. Please don't pine for me. Go out, have some fun and maybe you meet somebody who can appreciate you in a way I cannot anymore."

    • by izomiac (815208)
      That's you? Well, what do you expect when your cellphone doesn't even broadcast on the right frequencies [wikipedia.org]...
    • ‘If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him’ — Cardinal Richelieu

      Good luck with that!

  • by InlawBiker (1124825) on Thursday January 28, 2010 @06:38PM (#30943516)
    This tactic requires you to install software on the target's phone without their knowledge. That doesn't render the encryption faulty, it's just stealing the voice signal before it gets encrypted. I like this part from the vendor's web site: "$PRODUCT_NAME for iPhone is professional grade spy phone software that takes minutes to install on a jailbroken iPhone, and instantly starts sending data to a secure web account where you can log in and view records..."
  • Misleading article (Score:5, Insightful)

    by badboy_tw2002 (524611) on Thursday January 28, 2010 @06:40PM (#30943538)

    This guy didn't break any encryption. He admitted up front he couldn't, except for some vague handwavy stuff about distributed brute force key attacks. Instead, he installed a trojan on the phone that records the phone conversation. He didn't even write the trojan. The awesome software he couldn't crack (the "20%") were "secure" because it was either different hardware his cool program didn't work for, or some older gear the program didn't run on. Phew! I'll make sure to buy those now that I know they're air tight.

    Came for a cool story about breaking over the air phone encryption but all I got was a script kiddie installing software and making grand pronouncements to get pageviews.

    • by PybusJ (30549) on Thursday January 28, 2010 @07:17PM (#30943914)

      In my opinion this whole this is a marketing scam for one of the products mentioned. The things that make me suspicious:

      - "Blogger, hacker and IT security expert Notrax" 's infosecurityguard blog was started in Dec 2009, just before he started his ambitious series of security reviews.

      - There are no details of who he is "for his own safety"

      - He calls the systems he's failed to break "secure" and highlights them in reassuring green to attract you attention (only admitting in the small print that he means he hasn't broken them yet). This is not the kind of language security researchers use.

      - Most of the the products are "details to be published", including respected software such as Zphone/ZRTP. Just one shines out as both "secure" and "review available". That miracle product is PhoneCrypt. Oooh, I must click on that review now -- oh look at that glowing prose.

      "SecurStar is the company behind PhoneCrypt." Now I wonder what relation our mysterious, benevolent friend Notrax has to SecurStar.

      To me all the smells lead to a fake marketing blog. Nice story /.

    • Yep... (Score:3, Insightful)

      by msauve (701917)
      and if it weren't for the summary here, you'd have no way of knowing that WTF he was reviewing. His article references "Voice Encryption," but nowhere does it mention that he's talking about software interception of cellular or mobile phones. From his description of Flexispy - "simply tap the microphone and it can be used in a wiretap mode to listen in to an active phone conversation or simply as a remote electronic bug for proximity eavesdropping" one might think that it's a hardware solution which wiretap
  • Just 80%? (Score:3, Insightful)

    by Weirsbaski (585954) on Thursday January 28, 2010 @06:46PM (#30943574)
    100% of encryption is insecure, if you throw enough resources into breaking it. The real question is how much effort is put into the encryption (both human-hours developing the system, and cpu-cycles doing the math) vs how much effort the attacker can/will put into breaking it.

    I'm guessing PhoneCrypt (just to pick one from tfa) is breakable if Eve has enough resources to spend, and is willing to spend them.
    • Honestly, its alot easier to break the person, than it is the encryption... People are weak, just go all Jack Bauer on them, they will talk.
    • by genik76 (1193359)
      One-time pads [wikipedia.org] are absolutely secure.
    • 100% of encryption is insecure, if you throw enough resources into breaking it.

      Suppose I'm thinking of a number x between 1 and 10. I choose a uniformly random number y between 1 and 10. I transmit z = (x + y) modulo 10 over the wire, which you get to look at. Let's say I transmit z = 7. Which number x am I thinking of?

      No matter what you do, you can do no better than guessing. You might know that 4 is my favourite number, but that's independent of the value of z. Seeing the cipher text provides you with no additional information over what you already know.

      It's impractical, becau

  • http://en.wikipedia.org/wiki/One_time_pad

    One-time pad encoded messages look like total gibberish.

    People eavesdropping on you, will think that you are just sending Twitter messages . . . total gibberish . . .

    • Re: (Score:3, Interesting)

      by MichaelSmith (789609)

      But how do you securely distribute the pad? Even air transport is not secure these days, unless you have diplomatic immunity against searches.

      • by maxume (22995)

        For what value of guaranteed? If you get on a plane with a CDR full of data, you should be able to know whether someone accesses it or not.

      • But how do you securely distribute the pad?

        Numbers stations: http://en.wikipedia.org/wiki/Numbers_stations [wikipedia.org]

        Even air transport is not secure these days, unless you have diplomatic immunity against searches.

        An exercise for the class: How can you utilize matching copies of the Bible, or an innocuous airport bookstore novel, or even a travel guide . . . as one-time pads.

        But you bring up a valid point, the biggest weakness of one-time pads, is that they must be used *correctly*. This shows what happens if you don't:

        "Due to a serious blunder on the part of the Soviets, some of this traffic was vulnerable to cryptanalysis. Somebody who was working f

  • He might be able to trick someone into throwing a huge amount of money his direction because he proved something everyone knew already, using techniques that really don't prove all that much more than you can get a trojan on a phone, but most folks aren't buying it. The majority of software solutions for mobile devices tend towards being focused on blocking the "casual" hacker, for example, the friend who picks up your phone when you leave it out somewhere, or the phone you left in the coffee shop that the
  • by dontmakemethink (1186169) on Thursday January 28, 2010 @07:23PM (#30943978)
    So what if some geek listens in on my phone calls as they're recorded by big brother. I'm not dumb enough to say anything I want to keep private over a cel phone anyway. And I'm not even a drug dealer.
  • WORST. ARTICLE. EVER (Score:3, Interesting)

    by GNUALMAFUERTE (697061) <almafuerte@@@gmail...com> on Thursday January 28, 2010 @08:01PM (#30944288)

    I just posted the following comment on this asshole's website:

    Your article is totally misleading.

    You say that you managed to prove those products insecure.

    Well, YOU DIDN'T. The intention of all the products you mentioned is to provide encryption
    to protect you from someone intercepting your phone call. You didn't test any of this.
    You just directly accessed the mic on the cellphone. Well, off course you'll get the audio!!

    A little analogous situation to better explain what you did:

    I will prove that this high security reinforced door is totally insecure. I'll get in the house through
    the window. Oh No! It worked, I'm inside the house and I didn't even touch the door! Those doors
    are Insecure!

    That's exactly what you did. Those systems encrypt your voice. Your call is secure from interception.
    If you knew anything about security, you would know this: Physical access is total access.

    You had PHYSICAL access to the phone. Well, off course you where able to "crack" it. Guess what?
    You could have manually connected the mic cables to an mp3 recorder for all I cared.

    It's like saying "I am going to prove that this OpenBSD-based firewall is insecure, but connecting
    to the machines behind the firewall with this directly with this ethernet crossover cable".

    So, are you really that naive, or you have financial interests in some phone crypto technology?

    • by vadim_t (324782)

      And, as could be expected, it seems your comment got deleted, or was never approved for posting.

    • So, are you really that naive, or you have financial interests in some phone^Hy crypto technology?

      More likely.

  • That's a full 10% better than Sturgen's Law predicts.

  • So somebody could go to a lot of trouble to listen to me talk with one of my geek friends about the iPad or brazing bicycle frames, or audio design or some other totally boring topic that if it was at all interesting would show up on the net somewhere already. Lord help them if they want to listen in to a conversation with my or my wife's parents. I'd be bummed if I went to that much trouble for so little return.

    Sheldon

  • by Eil (82413) on Thursday January 28, 2010 @08:30PM (#30944556) Homepage Journal

    I'm not sure how much faith I have in this guy as a "security expert" when this is the second paragraph in TFA:

    Well I knew I would not likely be able to break any encryption algorithms such as 256-bit AES which seemed to be the standard among the vendors. Although based on some research studies, distributed computing is making it more feasible to break encryption.

    He comes within a whisker of implying that AES-256 will be breakable by distributed computing at some point.

  • They can't know! (Score:4, Insightful)

    by nate nice (672391) on Thursday January 28, 2010 @09:05PM (#30944808) Journal

    If anyone knows what I'm putting on my pizza, I'm FUCKED.

  • So? (Score:1, Troll)

    by BitZtream (692029)

    Okay, so with the right technology in the hands of the hacker, my cell phone has the same security as the old POTS line running into my house.

    Pardon me if I don't freak out about it. For years all I've needed was a handset and a knife and I could listen in on peoples phone calls. This is still harder than that.

    Sorry if I'm not concerned about something thats not ever been a problem for me or anyone I've ever known even though it has been trivial to do.

    Yes yes, its wireless and its easier to hide, but gues

  • Those products are hyped as a means to prevent your calls from being intercepted by a third party. They do indeed protect the call in transit as promised. The flaw being pointed out is that if the endpoints (the phone) are compromised, you can't guarantee the security of the call. Well duh, there's a no brainer. That's like claiming your VPN software isn't secure if someone surreptitiously slipped a keylogger into your computer.

    Did anyone else notice that this seems to be an ad for flexispy?

  • ...when you think phone encryption and recall devices approximately the size of an ATM.
  • put that old source code for PGP-Phone...

Our policy is, when in doubt, do the right thing. -- Roy L. Ash, ex-president, Litton Industries

Working...