80% of Cell Phone Encryption Solutions Insecure
An anonymous reader writes "Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'" (Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)
yeah, i can hear you now. (Score:2, Funny)
Re: (Score:1, Funny)
WHAT? SPEAK UP!
Pointless (Score:1)
What's that? (Score:2, Interesting)
What else is new?
Re:What's that? (Score:5, Funny)
Honest men can be found everywhere.
Honest politicians? SETI is still working on that one.
blah blah "don't attack the encryption" (Score:2)
Nothing to see here, move along (Score:5, Insightful)
News flash: if someone installs a trojan on your phone, then encrypting your call is insecure.
No sh*t. Don't let people install trojans on your phone.
Re: (Score:2, Insightful)
I concluded long ago that all electronic communications are by definition insecure. If what you're communicating is really that private, say it in person or use the post office. Other than that, don't be surprised when you find out your private information, isn't.
No such thing as "secure" (Score:3, Insightful)
And what if the room is bugged? Possibly by the very software described in the article. So leaving your cellphone outside [mashable.com] helps, but is still no guarantee [diylife.com].
Your two scenarios of insecure (electronic) and secure (in person) is a false dichotomy. There's no such thing as "secure" or "insecure", just degrees of security. How much communication security do you need? That depends on how badly you want privacy — and how badly somebody else wants to deprive you of it.
The real lesson here is the one Bruce Schn
Re: (Score:2)
Don't let people install trojans on your phone.
If you know it's a Trojan, then by definition it isn't a Trojan.
Re: (Score:1, Funny)
That's the stupidest thing I've heard in a while.
Now that my antivirus found a trojan, it's no longer a trojan?
Re: (Score:2)
Don't let people install trojans?? (Score:1, Redundant)
Even a n
30 minutes (Score:2)
Re: (Score:2)
The solution (Score:2, Funny)
Re: (Score:2)
Isn't it illegal in a lot of places to encrypt your own voice?
Re:The solution (Score:4, Funny)
V fcrnx va ebg 13. Gbgny frphevgl.
My mother's a frphevgl, you insensitive khdfsji!
Re: (Score:2)
O r'lyeh? I know your mother from r'lyeh! Her five eye stems are way too good for her to be a frphevgl!
RTFN (Read the fuckin' Necronomicon) before commenting!
Cthulhu
Re: (Score:2)
Bth zq dut mbg ourflbe jwwf, exqghl bldig.
That's a custom ROT-based algorithm I just made up. Just hard enough for a fun little challenge >:)
Re: (Score:2)
I spiem mn rot 13. Totem sigurmtc.
Lfl errq kf mfib fe mfli EBG 13 jbvccj.
Re: (Score:2)
Terminal fail.
I speak in rot 13. Total security.
Lbh arrq gb jbex ba lbhe EBG 13 fxvyyf.
I Don't Trust Wireless In General (Score:2, Insightful)
Re: (Score:2)
The fact is, built in hardware backdoors and software backdoors allow those in the know to completely walk around the encryption being used. This is where the real issue is.
Re: (Score:1)
WPA2 makes it difficult to crack wireless encryption. But that's not where the weak link is.
The fact is, built in hardware backdoors and software backdoors allow those in the know to completely walk around the encryption being used. This is where the real issue is.
Do they have backdoors that make the range extend beyond 6 feet and the throughput go higher than 1 MB/sec?
Re: (Score:2)
True paranoids check for new wired connections before transmitting data on their network. Always check for spooks lurking on your nets and sneaking in your tinfoil abode.
Re: (Score:2, Insightful)
At the moment, if you have needs that WPA2 doesn't meet, you probably need to worry about Van Eck phreaking too.
The most important question is not whether you are being paranoid, it is whether you are being paranoid enough.
Re: (Score:2)
Re: (Score:1)
Why trust any electronic medium? I felt the same way about POTS at least as far back as 1972. Wire-tapping was probably invented the day after the telephone was.
Re: (Score:3, Informative)
I don't have any security at all on my wireless network but any traffic I want to protect goes through ssh on all the networks I want to use.
Re:I Don't Trust Wireless In General (Score:5, Insightful)
Okay, you're paranoid. And delusional.
The most important fact is that no one actually gives a shit about your phone calls so even if they could listen to every word any time they wanted to, it still wouldn't matter. The sooner you realize you aren't that special, the sooner your paranoia will go away.
Re: (Score:2)
I disagree. That "I'm not special enough to be a target" attitude makes sense if you are worried about targeted listening, but what about large scale data mining? Passing everything through a voice recognition package and then searching for keywords or patterns (not to mention patterns of contact) is not impossible.
Where do you see the delusion? (Score:2)
[you're] delusional. The most important fact is that no one actually gives a shit about your phone calls
Parent never said "they're out to get me." He just said he didn't trust wifi. I don't trust that no one at my CS dept. will sniff the wireless network (and my slashdot password)---I'm not certain of it. But I use it anyways.
Where do you pick out the delusional thoughts, rather than just fear and mistrust?
Re: (Score:2)
Re: (Score:2)
Or maybe you aren't special, BitZtream, and nobody cares about you? Just because you are a loser, don't judge the rest of us.
Phillip.
I speak in code (Score:4, Funny)
It's so efficient, not even my recipient can make out what I mean.
The Missile from France went down my pants, so I need you to dance and prance
"Are you breaking up with me?"
Re: (Score:2, Informative)
The Missile from France went down my pants, so I need you to dance and prance
Translation: "Dear Susan, My new room mate Jean Claude has shown me aspects of myself that I wasn't aware of before. Please don't pine for me. Go out, have some fun and maybe you meet somebody who can appreciate you in a way I cannot anymore."
Re: (Score:1)
Re: (Score:2)
‘If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him’ — Cardinal Richelieu
Good luck with that!
Sure, if you install the spy software. (Score:5, Funny)
Misleading article (Score:5, Insightful)
This guy didn't break any encryption. He admitted up front he couldn't, except for some vague handwavy stuff about distributed brute force key attacks. Instead, he installed a trojan on the phone that records the phone conversation. He didn't even write the trojan. The awesome software he couldn't crack (the "20%") were "secure" because it was either different hardware his cool program didn't work for, or some older gear the program didn't run on. Phew! I'll make sure to buy those now that I know they're air tight.
Came for a cool story about breaking over the air phone encryption but all I got was a script kiddie installing software and making grand pronouncements to get pageviews.
Re:Misleading article (Score:5, Insightful)
In my opinion this whole thing is a marketing scam for one of the products mentioned. The things that make me suspicious:
- "Blogger, hacker and IT security expert Notrax" 's infosecurityguard blog was started in Dec 2009, just before he started his ambitious series of security reviews.
- There are no details of who he is "for his own safety"
- He calls the systems he's failed to break "secure" and highlights them in reassuring green to attract your attention (only admitting in the small print that he means he hasn't broken them yet). This is not the kind of language security researchers use.
- Most of the products are "details to be published", including respected software such as Zphone/ZRTP. Just one shines out as both "secure" and "review available". That miracle product is PhoneCrypt. Oooh, I must click on that review now -- oh look at that glowing prose.
"SecurStar is the company behind PhoneCrypt." Now I wonder what relation our mysterious, benevolent friend Notrax has to SecurStar.
To me all the smells lead to a fake marketing blog. Nice story /.
Yep... (Score:3, Insightful)
Just 80%? (Score:3, Insightful)
I'm guessing PhoneCrypt (just to pick one from tfa) is breakable if Eve has enough resources to spend, and is willing to spend them.
Re: (Score:2)
Re: (Score:1)
"all crypto is insecure" -- Wrong! OTP works (Score:2)
100% of encryption is insecure, if you throw enough resources into breaking it.
Suppose I'm thinking of a number x between 1 and 10. I choose a uniformly random number y between 1 and 10. I transmit z = (x + y) modulo 10 over the wire, which you get to look at. Let's say I transmit z = 7. Which number x am I thinking of?
No matter what you do, you can do no better than guessing. You might know that 4 is my favourite number, but that's independent of the value of z. Seeing the cipher text provides you with no additional information over what you already know.
It's impractical, becau
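The scheme in the comment above, worked through as an added example (not part of the original post): it checks that seeing z leaves a listener's beliefs about x unchanged, and shows what leaks if the same y is used for two messages. The function names and the "favourite number 4" prior weights are assumptions made for illustration.

```python
from fractions import Fraction

DIGITS = range(1, 11)  # "a number x between 1 and 10"; the pad digit y uses the same range


def encrypt(x, y):
    """The comment's cipher: z = (x + y) modulo 10."""
    return (x + y) % 10


def posterior(z, prior):
    """P(x | z) when y is uniform on 1..10, computed with Bayes' rule."""
    joint = {}
    for x in DIGITS:
        # P(z | x) = (number of pad digits y that map x to z) / 10
        likelihood = Fraction(sum(encrypt(x, y) == z for y in DIGITS), 10)
        joint[x] = prior[x] * likelihood
    total = sum(joint.values())
    return {x: p / total for x, p in joint.items()}


def favourite_four_prior():
    """Constructed prior: the listener believes x = 4 with probability 1/2."""
    return {x: Fraction(1, 2) if x == 4 else Fraction(1, 18) for x in DIGITS}


def reuse_leak(z1, z2):
    """If one y encrypts both x1 and x2, the pad cancels: z1 - z2 = x1 - x2 (mod 10)."""
    return (z1 - z2) % 10


def consistent_pairs(z1, z2):
    """Pairs (x1, x2) an eavesdropper cannot rule out after seeing z1, z2 under a reused y."""
    d = reuse_leak(z1, z2)
    return [(x1, x2) for x1 in DIGITS for x2 in DIGITS if (x1 - x2) % 10 == d]


if __name__ == "__main__":
    prior = favourite_four_prior()
    # Fresh uniform y: the ciphertext z = 7 tells the listener nothing new.
    print("posterior equals prior:", posterior(7, prior) == prior)

    # Constructed misuse: the same y = 3 encrypts x1 = 4 and x2 = 9.
    y = 3
    z1, z2 = encrypt(4, y), encrypt(9, y)
    pairs = consistent_pairs(z1, z2)
    print("pairs left after reuse:", len(pairs), "of 100")
```

With a fresh y per message all 100 pairs stay possible; with a reused y, knowing or guessing one plaintext gives the other.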
Re: (Score:2)
serpent 256? :p
Re: (Score:3, Funny)
It would take more energy to break a current day 256bit symmetric key than there is usable energy in our galaxy. A near perfect 256bit would require you breaking down all of the stars in the universe into pure energy to break one key. Have fun.
but yes, human factor. ignore the key altogether.
Re: (Score:2)
It would take more energy to break a current day 256bit symmetric key than there is usable energy in our galaxy. A near perfect 256bit would require you breaking down all of the stars in the universe into pure energy to break one key. Have fun.
You could always get lucky and break the key on your 42nd try.
Re: (Score:2)
Human factor, input device, computer itself. Just grab the key at more convenient part of the process.
Re: (Score:1)
It would take more energy to break a current day 256bit symmetric key than there is usable energy in our galaxy.
With the known algorithms. On a traditional (non-quantum) computer. Don't feel so safe.
Re: (Score:2)
Quantum computers are *at most* ~2xs faster on symmetric keys than traditional computers, at least according to my cousin's teacher who specialized in encryption.
O.K, So half a universe worth of energy with a quantum computer. There, happy?
Public keys are crazy easy to break with quantum algorithms.
known algorithms. There's always the possibility of someone finding a weak link, but it's just a very small chance for anything to happen.
Use one-time pads, with text messages . . . (Score:2)
http://en.wikipedia.org/wiki/One_time_pad
One-time pad encoded messages look like total gibberish.
People eavesdropping on you, will think that you are just sending Twitter messages . . . total gibberish . . .
Re: (Score:3, Interesting)
But how do you securely distribute the pad? Even air transport is not secure these days, unless you have diplomatic immunity against searches.
Re: (Score:1)
For what value of guaranteed? If you get on a plane with a CDR full of data, you should be able to know whether someone accesses it or not.
Re: (Score:2)
But how do you securely distribute the pad?
Numbers stations: http://en.wikipedia.org/wiki/Numbers_stations [wikipedia.org]
Even air transport is not secure these days, unless you have diplomatic immunity against searches.
An exercise for the class: How can you utilize matching copies of the Bible, or an innocuous airport bookstore novel, or even a travel guide . . . as one-time pads.
But you bring up a valid point, the biggest weakness of one-time pads, is that they must be used *correctly*. This shows what happens if you don't:
"Due to a serious blunder on the part of the Soviets, some of this traffic was vulnerable to cryptanalysis. Somebody who was working f
Nice try, Notrax... (Score:2)
What good would 'security' be anyway (Score:3, Interesting)
Some things you might keep private (Score:2)
I'm not dumb enough to say anything I want to keep private over a cell phone anyway.
"Hi, lover. Let's get it on tonight. I love it when you {lick my {balls,pussy}, put whipped cream up my butt and eat it back out while you pour hot wax on my nipples and whip me with your sister watching}."
See also http://bash.org/?246405 [bash.org]
WORST. ARTICLE. EVER (Score:3, Interesting)
I just posted the following comment on this asshole's website:
Your article is totally misleading.
You say that you managed to prove those products insecure.
Well, YOU DIDN'T. The intention of all the products you mentioned is to provide encryption
to protect you from someone intercepting your phone call. You didn't test any of this.
You just directly accessed the mic on the cellphone. Well, of course you'll get the audio!!
A little analogous situation to better explain what you did:
I will prove that this high security reinforced door is totally insecure. I'll get in the house through
the window. Oh No! It worked, I'm inside the house and I didn't even touch the door! Those doors
are Insecure!
That's exactly what you did. Those systems encrypt your voice. Your call is secure from interception.
If you knew anything about security, you would know this: Physical access is total access.
You had PHYSICAL access to the phone. Well, of course you were able to "crack" it. Guess what?
You could have manually connected the mic cables to an mp3 recorder for all I cared.
It's like saying "I am going to prove that this OpenBSD-based firewall is insecure, by connecting
to the machines behind the firewall directly with this ethernet crossover cable".
So, are you really that naive, or you have financial interests in some phone crypto technology?
Re: (Score:2)
And, as could be expected, it seems your comment got deleted, or was never approved for posting.
Re: (Score:2)
So, are you really that naive, or you have financial interests in some phone^Hy crypto technology?
More likely.
Re: (Score:2)
The guy is a shill.
80% is actually pretty good! (Score:1)
That's a full 10% better than Sturgeon's Law predicts.
oh noes! (Score:2)
So somebody could go to a lot of trouble to listen to me talk with one of my geek friends about the iPad or brazing bicycle frames, or audio design or some other totally boring topic that if it was at all interesting would show up on the net somewhere already. Lord help them if they want to listen in to a conversation with my or my wife's parents. I'd be bummed if I went to that much trouble for so little return.
Sheldon
more feasible to break encryption? (Score:3, Interesting)
I'm not sure how much faith I have in this guy as a "security expert" when this is the second paragraph in TFA:
He comes within a whisker of implying that AES-256 will be breakable by distributed computing at some point.
They can't know! (Score:4, Insightful)
If anyone knows what I'm putting on my pizza, I'm FUCKED.
So? (Score:1, Troll)
Okay, so with the right technology in the hands of the hacker, my cell phone has the same security as the old POTS line running into my house.
Pardon me if I don't freak out about it. For years all I've needed was a handset and a knife and I could listen in on people's phone calls. This is still harder than that.
Sorry if I'm not concerned about something that's not ever been a problem for me or anyone I've ever known even though it has been trivial to do.
Yes yes, it's wireless and it's easier to hide, but gues
Not worthless at all! (Score:2)
Those products are hyped as a means to prevent your calls from being intercepted by a third party. They do indeed protect the call in transit as promised. The flaw being pointed out is that if the endpoints (the phone) are compromised, you can't guarantee the security of the call. Well duh, there's a no brainer. That's like claiming your VPN software isn't secure if someone surreptitiously slipped a keylogger into your computer.
Did anyone else notice that this seems to be an ad for flexispy?
You know you're old... (Score:2)
Now where did i ... (Score:2)
Re:Backdoors != news (Score:4, Interesting)
I happen to know that there are simple software/hardware hacks/backdoors on 98% of phones in existence. All of these are built in by the manufacturers at our behest - 'our' being NSA, MI6, CIA, ASIO and DSD of Australia.
Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - it's that scary.
Re: (Score:2, Interesting)
Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned agencies should never have had access to - things regular plebs wouldn't have believed possible to monitor. Those fellows will get records down to every time you've gone to the toilet - it's that scary.
Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.
And if you think it's only the cell manufacturers that have sold out, you are sadly, sadly mistaken.
Read the parent. Carefully. He knows what he's talking about.
Re: (Score:3, Insightful)
Corollary: any encryption technology that you need to rely on should be open source and well-understood. The hardware you use it on should be completely open and you should understand how things work on that hardware. Even better if you have compiled that code yourself.
Oh fuck off.
I suppose you wrote the compiler too?
I suppose you used an electron microscope and scanned every fucking bit of your CPU and memory and such?
If you want to be fucking paranoid, be paranoid all the way.
Don't use paranoia FUD to push your FOSS agenda.
While it's true that there's shit they can do, it's also true that there's NOTHING you can do about it. FOSS cloak or not.
Anger issues eh? (Score:2, Interesting)
You are at best uninformed and extremely hostile. Having problems installing linux huh?
Quit getting your information from Fox news and start checking out sites like the BBC and Al-Jazeera...or better yet read "The Shadow Factory" by James Bamford...the writer who broke the story about the existence of the NSA.
He painfully details the COMPLETE monitoring of all domestic and international landline, voip, sms/mms and e-mail communications...and all references are sourced by actual newspaper articles, journals
Re: (Score:2)
If you want to be fucking paranoid, be paranoid all the way.
By being able to read source code, but not have an electron microscope, you force the bad guys to use more expensive and laborious obscurity.
I'm for raising the bar on them---maybe they're not omnipotent.
While it's true that there's shit they can do, it's also true that there's NOTHING you can do about it.
Not with that attitude at least...
Re: (Score:2)
Why is parent insightful?
I suppose you wrote the compiler too?
There are plenty of open source compilers.
I suppose you used an electron microscope and scanned every fucking bit of your CPU and memory and such?
Judging by the reverse engineering of the PS3, it seems there are hobbyists prepared to do this (though there are alternative techniques to electron microscopes).
If you want to be fucking paranoid, be paranoid all the way.
This goes against the whole principle of security. It doesn't need to be perfect, j
Re: (Score:1)
Sure you did kid...
How about you stop making comments on Slashdot and go back to your Intro to Information Tech class.
Re:Backdoors != news (Score:4, Funny)
Re: (Score:2)
Here, let me share the pain [penny-arcade.com]
Re: (Score:2)
Or http://xkcd.com/566/ [xkcd.com].
Re: (Score:1)
Re: (Score:2)
There's definitely a "good enough". If you have locks on the doors with cameras, people can still break in at night because you don't have guard dogs. If you have guard dogs, people can still break in by helicopter and attack the skylights on the roof. If you put the guard dogs inside, people can still wreak havoc by throwing meat to the guard dogs, causing them to run wild and knock down shelves trying to get to it. If you electrify the windows, doors, and skylights, people can still tunnel in with a b
Re:Backdoors != news (Score:5, Insightful)
They wont waste time hacking your phone. They have a legal intercept box in the server room. No need for back doors on the phone.
Re:backbone intercept (Score:2)
All these applications must run on the phones at both ends of the call, so recording it in the middle would be largely of no use if the exchange of keys was secure and the encryption was up to standard (256-bit AES). And the author acknowledged he couldn't break that encryption (and only speculated this was feasible with a distributed computing network.)
Hacking the device is the low hanging fruit was the point. Seems only a backdoor for the NSA/etc, in these applications would change that.
Re: (Score:2)
That seems nonsensical. Each phone has both input (at the microphone) and output (at the speaker), so it certainly has access to unencrypted access to both sides of the phone call.
The trivial backdoors for the NSA would seem to be in the server rooms, not the phones themselves, and have been for years as demonstrated by the AT&T fiber-optic taps.
Depends on your hardware (Score:1)
It seems to me that the vast majority of vendor-supplied cellular phones which are capable of doing encrypted VoIP also implement firmware update Over-the-Air [wikipedia.org], and I wouldn't be surprised if even those models/vendors which ordinarily notify their customers about such updates (or even ask for confirmation) have a special backdoor which skips that for "updating" the phone for the three-letter agencies/law enforcement.
If you worry about this kind of stuff, you take your phone battery out when you don't need to
Re: (Score:2)
This is about companies that sell encryption software, where 2 phones are pre-setup with additional software to be secure when talking to each other (not about standard phone calls.) Essentially we could re-write this article for ssh simply saying Open-SSH isn't secure because it doesn't detect trojans installed on the PC.
The server room isn't "trivial" because all of the data is encrypted at that point, requires significant computing resources to first crack the stream, and that can be done in real time,
Re: (Score:2)
meant to say "that can't be done in real time, even by the NSA" for the AES-256 [wikipedia.org] used by these phones. Of course that's only true if the vendors didn't put in a backdoor for governments.
Re: (Score:2)
Read the parent. Carefully. He knows what he's talking about.
Well, he ought to. The infamous AC probably has more posts here than all of us combined.
Re: (Score:2)
...Those fellows will get records down to every time you've gone to the toilet - it's that scary.
Boy, just when you thought that they didn't give a shit...Apparently, they DO give a shit, especially about your shit. Maybe even everyone's shit.
And apparently, if you give a shit about your shit, well that's just a sick fetish. But when the Government starts wanting to know about your shit, well, that my friends is warfighting for the sake of anti-terrorism. Weapons of Ass Destruction indeed.
OK, OK, done with this shit for now...
Re: (Score:2)
Doubt it. Too many people would know about it; not only too many phone company employees, but others; do you think no one has reverse-engineered a phone?
Many phones can take firmware updates over the air, and that can be used to put backdoors in the phones; I believe Verizon has said it ha
Re: (Score:2)
Re: (Score:2)
Don't trust any technology or hardware that you don't have complete and unhindered access to. I'm telling you now, I've seen records pulled up on people for things that the above mentioned deities should never have had access to - things regular plebs wouldn't have believe
Re: (Score:2)
Easiest solution: don't own a cell phone.
For years (and years) I got by without having a digital tether. Nothing's substantially changed that would require one. Now, if I were a doctor, or an IT administrator, I could understand it. But for the other 99% of cellphone users--the ones endlessly prattling on about when they'll be home for dinner? what should I pick up from the store? where are you now? what are you doing? did you have a good time last night?--all of those conversations can just fucking wait
Re: (Score:2)
> I happen to work as a security firmware developer for a major phone manufacturer
Perhaps you can answer me a question:
If a phone is turned OFF (as in hitting the big button on top) can it still be called and used against you as a roving bug? What about location tracking?
Define "OFF" (Score:2)
I think AC firmware dev answered your question well, but there's more to consider: Phones have varying definitions of "OFF" these days.
There's:
- Standby mode with cell modem still on (unsafe, duh)
- The increasingly rare "cell modem off, phone (and possibly other wireless features) on" (safe)
- True "Flight mode" where all wireless connectivity is off (safe)
- The increasingly common "all wireless off except cellular which is in emergency call only mode" (unsafe, and on many new phones the only way to power do
Re: (Score:2)
Thanks for the listing. The what you called 'fake shutdown' is actually what got me asking. Had it turned off...so I thought...but the next morning the alarm started squeaking, leaving me somewhat bewildered. For all intents and purposes it did look as if OFF, when perhaps all it did was shut down the display.
Re: (Score:2)
On phones like the N900 that actually shut down the OS when put into "fake shutdown," it can only be assumed that some sort of lower-level OS is causing it to boot back up and then display the alarm, similar to the "power on by modem" or "scheduled power-on" settings in a PC's BIOS.