80% of Cell Phone Encryption Solutions Insecure

An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)

What's that?

[Anonymous Coward]

Oh, a lock just keeps an honest man honest?

What else is new?

Re:Backdoors != news

[Anonymous Coward]

Absolutely correct.

I happen to know that there are simple software/hardware hacks/backdoors on 98% of phones in existence. All of these are built in by the manufacturers at our behest - 'our' being NSA, MI6, CIA, ASIO and DSD of Australia.

Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - its that scary.

What good would 'security' be anyway

[dontmakemethink]

So what if some geek listens in on my phone calls as they're recorded by big brother. I'm not dumb enough to say anything I want to keep private over a cel phone anyway. And I'm not even a drug dealer.

Re:Backdoors != news

[morgan_greywolf]

Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - its that scary.

Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.

And if you think it's only the cell manufacturers that have sold out, you are sadly, sadly mistaken.

Read the parent. Carefully. He knows what he's talking about.

Re:Use one-time pads, with text messages . . .

[MichaelSmith]

But how do you securely distribute the pad? Even air transport is not secure these days, unless you have diplomatic immunity against searches.

WORST. ARTICLE. EVER

[GNUALMAFUERTE]

I just posted the following comment on this asshole's website:

Your article is totally misleading.

You say that you managed to prove those products insecure.

Well, YOU DIDN'T. The intention of all the products you mentioned is to provide encryption
to protect you from someone intercepting your phone call. You didn't test any of this.
You just directly accessed the mic on the cellphone. Well, off course you'll get the audio!!

A little analogous situation to better explain what you did:

I will prove that this high security reinforced door is totally insecure. I'll get in the house through
the window. Oh No! It worked, I'm inside the house and I didn't even touch the door! Those doors
are Insecure!

That's exactly what you did. Those systems encrypt your voice. Your call is secure from interception.
If you knew anything about security, you would know this: Physical access is total access.

You had PHYSICAL access to the phone. Well, off course you where able to "crack" it. Guess what?
You could have manually connected the mic cables to an mp3 recorder for all I cared.

It's like saying "I am going to prove that this OpenBSD-based firewall is insecure, but connecting
to the machines behind the firewall with this directly with this ethernet crossover cable".

So, are you really that naive, or you have financial interests in some phone crypto technology?

Re:Backdoors != news

[Anonymous Coward]

Untrue. There most certainly is things you can do about it. Open hardware and open software do give an assurance. An open compiler is important too. BUT, these things are largely useless unless you have an open community that is scrutinizing them. It is far too big a workload to do anything but a small project without this community support.

You will find that your hardcore hacking circles do all this on their own. They have open hardware and their own software - right down to the kernel. One thing I've learnt very quickly is that if you're using an OS that you know the name of, then its highly likely to not be safe/secure - that goes for Linux to a large extent too.

Interesting anecdote: cyber warfare is a lot bigger than people realize. When I say this, I mean, "cold war" style stuff has been going on for decades. Mathematical geniuses, engineering geniuses and brilliant hackers are almost a trade for these agencies. I've seen people from Israel, Iran, England, Australia, Canada, Germany and China all working in the one place on incredibly sensitive cyber-espionage for the one country - these people take the highest bidder. It isn't about loyalty to a country, its about getting the smartest on-board for the big boys games. True, there is a lot of suspicion and monitoring going on, and thats why its such a dangerous game.

We've been hearing about cyber-attacks in the news, but thats just the blundering, fumbling governments getting involved. The real stuff never gets reported.

more feasible to break encryption?

[Eil]

I'm not sure how much faith I have in this guy as a "security expert" when this is the second paragraph in TFA:

Well I knew I would not likely be able to break any encryption algorithms such as 256-bit AES which seemed to be the standard among the vendors. Although based on some research studies, distributed computing is making it more feasible to break encryption.

He comes within a whisker of implying that AES-256 will be breakable by distributed computing at some point.

Anger issues eh?

[ComeTheDay]

You are at best uninformed and extremely hostile. Having problems installing linux huh?

Quit getting your information from Fox news and start checking out sites like the BBC and Al-Jazeera...or better yet read "The Shadow Factory" by James Bamford...the writer who broke the story about the existence of the NSA.

He painfully details the COMPLETE monitoring of all domestic and international landline, voip, sms/mms and e-mail communications...and all references are sourced by actual newspaper articles, journals or conference talks.

I know what you're going to say next...that you have nothing to hide. While I'm sure the feds could care less that you bought nunchakus over the web, once this monitoring capability trickles down to the state and local level this will be a valid concern.

Say you're a lawyer...forget about client-confidentality. Running for AG? Well the current attorney general will spy on you and get dirt on your affairs, pot consumption or whatever else he can use to KEEP HIMSELF IN POWER.

Local police will be free to use the same systems to keep cities in check, etc.

Due to the complexities of current laws (CA are you listening?) the average citizen commits several felonies a year without realizing it.

Your arguments are horseshit...