80% of Cell Phone Encryption Solutions Insecure 158
An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)
Nothing to see here, move along (Score:5, Insightful)
News flash: if someone installs a trojan on your phone, then encrypting your call is insecure.
No sh*t. Don't let people install trojans on your phone.
I Don't Trust Wireless In General (Score:2, Insightful)
Misleading article (Score:5, Insightful)
This guy didn't break any encryption. He admitted up front he couldn't, except for some vague handwavy stuff about distributed brute force key attacks. Instead, he installed a trojan on the phone that records the phone conversation. He didn't even write the trojan. The awesome software he couldn't crack (the "20%") were "secure" because it was either different hardware his cool program didn't work for, or some older gear the program didn't run on. Phew! I'll make sure to buy those now that I know they're air tight.
Came for a cool story about breaking over the air phone encryption but all I got was a script kiddie installing software and making grand pronouncements to get pageviews.
Just 80%? (Score:3, Insightful)
I'm guessing PhoneCrypt (just to pick one from tfa) is breakable if Eve has enough resources to spend, and is willing to spend them.
Re:Nothing to see here, move along (Score:2, Insightful)
I concluded long ago that all electronic communications are by definition insecure. If what you're communicating is really that private, say it in person or use the post office. Other than that, don't be surprised when you find out your private information, isn't.
Re:I Don't Trust Wireless In General (Score:2, Insightful)
At the moment, if you have needs that WPA2 doesn't meet, you probably need to worry about Van Eck phreaking too.
The most important question is not whether you are being paranoid, it is whether you are being paranoid enough.
Re:Misleading article (Score:5, Insightful)
In my opinion this whole this is a marketing scam for one of the products mentioned. The things that make me suspicious:
- "Blogger, hacker and IT security expert Notrax" 's infosecurityguard blog was started in Dec 2009, just before he started his ambitious series of security reviews.
- There are no details of who he is "for his own safety"
- He calls the systems he's failed to break "secure" and highlights them in reassuring green to attract you attention (only admitting in the small print that he means he hasn't broken them yet). This is not the kind of language security researchers use.
- Most of the the products are "details to be published", including respected software such as Zphone/ZRTP. Just one shines out as both "secure" and "review available". That miracle product is PhoneCrypt. Oooh, I must click on that review now -- oh look at that glowing prose.
"SecurStar is the company behind PhoneCrypt." Now I wonder what relation our mysterious, benevolent friend Notrax has to SecurStar.
To me all the smells lead to a fake marketing blog. Nice story /.
Re:Backdoors != news (Score:3, Insightful)
Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.
Oh fuck off.
I suppose you wrote the compiler too?
I suppose to used an electron microscope and scanned every fucking bit of your CPU and memory and such?
If you want to be fucking paranoid, be paranoid all the way.
Don't use paranoia FUD to push your FOSS agenda.
While it's true that there's shit they can do, it's also true that there's NOTHING you can do about it. FOSS cloak or not.
Re:Backdoors != news (Score:5, Insightful)
They wont waste time hacking your phone. They have a legal intercept box in the server room. No need for back doors on the phone.
They can't know! (Score:4, Insightful)
If anyone knows what I'm putting on my pizza, I'm FUCKED.
Yep... (Score:3, Insightful)
Re:I Don't Trust Wireless In General (Score:5, Insightful)
Okay, you're paranoid. And delusional.
The most important fact is that no one actually gives a shit about your phone calls so even if they could listen to every word any time they wanted to, it still wouldn't matter. The sooner you realize you aren't that special, the sooner your paranoia will go away.
No such thing as "secure" (Score:3, Insightful)
And what if the room is bugged? Possibly by the very software described in the article. So leaving your cellphone outside [mashable.com] helps, but is still no guarantee [diylife.com].
Your two scenarios of insecure (electronic) and secure (in person) is a false dichotomy. There's no such thing as "secure" or "insecure", just degrees of security. How much communication security do you need? That depends on how badly you want privacy — and how badly somebody else wants to deprive you of it.
The real lesson here is the one Bruce Schneier keeps trying to teach (with little success, it seems): security is a process, not a product. If you're worried about somebody listening in, look for weak points in the channel. Don't try to find a magic 128-bit shield at Radio Shack.