This article aims to clarify and better explain the finding at infosecurityguard.com regarding voice encryption product evaluation.
It offers a different point of view from infosecurityguard.com and explains the rationale at length from a security point of view.
Today I read news saying “PhoneCrypt: Basic Vulnerability Found in 12 out of 15 Voice Encryption Products” and went to read the infosecurityguard website.
Initially it appeared to me like a great research activity, but then I started reading about it more deeply. I found that it's not properly a security research; there are concrete elements indicating that it's a well-done marketing campaign meant to attract public media and publicize a product.
Imho they were able to cheat journalists and users because the marketing campaign was done well enough not to be discovered on a first read. I personally considered it a valid one on first reading (they cheated me initially!).
But if you go deeper… you will understand that:
- it's a camouflaged marketing initiative arranged by SecurStar GmbH and not an independent security research
- they consider only a security context where the local device has been compromised (no software can be secured in that case; it's like saying SSL can be compromised if you have a trojan!)
- they do not consider any basic security and cryptographic security criteria
However, a lot of important websites reported it:
This article is quite long; if you read it you will better understand what's going on around the infosecurityguard.com research and its results.
I want to tell you why and how (imho) they are wrong.
The research failed to consider Security, Cryptography and Transparency!
Well, all this research sounds very much focused on the marketing goal of saying that their PhoneCrypt product is the “super” product, better than all the other ones.
Any security expert whose duty is “software evaluation” in order to protect the confidentiality of phone calls will evaluate other, different characteristics of the product and the technology.
Yes, it's true that most of the products described by SecurStar on their anonymous marketing website called http://infosecurityguard.com have some weaknesses.
But the relevant weaknesses are others, and PhoneCrypt unfortunately, like most of the described products, suffers from them.
Let's review which characteristics are needed as basic cryptography and security requirements (the best practice, the foundation and the basics!)
a – Security Through Obscurity does not work
A basic rule in cryptography comes from Auguste Kerckhoffs in 1883:
In a well-designed cryptographic system, only the key needs to be secret; there should be no secrecy in the algorithm.
Modern cryptographers have embraced this principle, calling anything else “security by obscurity.”
Read what Bruce Schneier, a world-recognized expert and cryptographer, says about this. Any security expert will tell you that's true. Even a novice university student will tell you that's true. Simply because that's the only way to do cryptography.
Almost all the products described in the review by SecurStar GmbH, including PhoneCrypt, do not provide precise details about their cryptographic technologies.
Precise details are:
- Detailed specification of the cryptographic algorithm (that's not just saying “we use AES”)
- Detailed specification of the cryptographic protocol (that's not just saying “we use Diffie Hellman”)
- Detailed specification of how the cryptographic strength is measured (that's not just saying “we have 10000000 bit key size”)
Providing precise details means having extensive documentation, with theoretical and practical implications, documenting EVERY single aspect of how the algorithm works and how the protocol works, with a specification precise enough to replicate it for interoperability testing.
It means that the scientific community should be able to play with the technology, audit it, hack it.
If we don't know anything about the cryptographic system in detail, how can we know what its weaknesses and strengths are?
Mike Fratto, site editor of Network Computing, wrote a great article on “Saying NO to proprietary cryptographic systems”.
CERIAS at Purdue University says this.
b – Cryptography that is NOT peer reviewed and NOT scientifically approved does not work
In any case and under any condition in which you do cryptography, you need to be sure that someone else will check, review, analyze, destroy and reconstruct your technology from scratch, and provide that information free to the public for open discussion.
That's exactly how AES was born and how the US National Institute of Standards and Technology does crypto (with a public contest and public peer review, where only the best evaluated wins).
A public discussion with a public contest, where a lot of reviews by the most famous and expert cryptographers in the world and hackers (with their name, surname and face, not like Notrax) provide their contribution and tell what they think.
That's called “peer review”.
If a cryptographic technology has an extended and important peer review, distributed across the world and coming from universities, private security companies, military institutions and hackers, all from different parts of the world (from the USA to Europe to Russia to South America to the Middle East to China), and all of them agree that a specific technology is secure…
Well, in that case we can consider the technology secure, because a lot of entities with good reputation and authority, coming from a lot of different places in the world, have publicly reviewed, analyzed and confirmed that the technology is secure.
How can a private company even think of inventing a secure communication protocol on its own, when it's scientifically established that it's not possible to do it in a “proprietary and closed way”?
IBM tells you that peer review is required for cryptography.
Bruce Schneier tells you that “Good cryptographers know that nothing substitutes for extensive peer review and years of analysis.”
Philip Zimmermann will tell you to beware of Snake Oil, where the story is: “Every software engineer fancies himself a cryptographer, which has led to the proliferation of really bad crypto software.”
c – Closed source cryptography does not work
As you know, any “serious” cryptographic technology with a “good reputation” is implemented in open source.
There are usually multiple implementations of the same cryptographic algorithm and cryptographic protocol, so that the whole way it works can be reviewed and interoperability can be certified.
Suppose you use a standard with precise and extensive details on “how it works” that has been “peer reviewed” by the scientific community, BUT it has been re-implemented from scratch by a not-so-smart programmer and the implementation is full of bugs.
Well, if the implementation is “open source”, it can be reviewed, improved, tested and audited, and the end user will certainly have in their own hands a piece of technology “that works safely”.
Google releases an open source crypto toolkit
Mozilla releases an open source crypto toolkit
Bruce Schneier tells you that cryptography must be open source.
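To make the argument of sections a and c concrete, here is an added example (not code from the original article or from any product it discusses): HMAC is fully specified in the public RFC 2104, so anyone can re-implement it and audit the result against a published known-answer vector (RFC 4231, test case 2) and a second, independent implementation. The names `hmac_sha256_buggy` and `audit`, and the constructed long-key case that exposes the bug, are assumptions made for this illustration.

```python
import hashlib
import hmac as reference  # second, independent implementation (Python stdlib)

BLOCK = 64  # SHA-256 block size in bytes ("B" in RFC 2104)


def _hmac_core(padded_key: bytes, msg: bytes) -> bytes:
    """H((K xor opad) || H((K xor ipad) || msg)) for a key already B bytes long."""
    ipad = bytes(b ^ 0x36 for b in padded_key)
    opad = bytes(b ^ 0x5C for b in padded_key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Re-implementation written from the public specification."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()  # the spec: hash over-long keys first
    return _hmac_core(key.ljust(BLOCK, b"\x00"), msg)


def hmac_sha256_buggy(key: bytes, msg: bytes) -> bytes:
    """Constructed bug: over-long keys are truncated instead of hashed."""
    return _hmac_core(key[:BLOCK].ljust(BLOCK, b"\x00"), msg)


# Known-answer vector published in RFC 4231 (test case 2).
RFC4231_CASE2 = bytes.fromhex(
    "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
)

# (label, key, message, expected tag). The key is the only secret input;
# everything else about the algorithm is public, as Kerckhoffs requires.
CASES = [
    ("rfc4231-case2", b"Jefe", b"what do ya want for nothing?", RFC4231_CASE2),
]
# Constructed cases: the expected tag comes from the independent implementation.
for label, key, msg in [
    ("block-size key", b"\x01" * 64, b"constructed message A"),
    ("long key", b"\xaa" * 131, b"constructed message B"),
]:
    CASES.append((label, key, msg, reference.new(key, msg, hashlib.sha256).digest()))


def audit(impl) -> list:
    """Return the labels of the cases where impl disagrees with the expected tag."""
    return [
        label
        for label, key, msg, expected in CASES
        if not reference.compare_digest(impl(key, msg), expected)
    ]


if __name__ == "__main__":
    print("from-spec implementation fails:", audit(hmac_sha256))
    print("buggy implementation fails:    ", audit(hmac_sha256_buggy))
```

The buggy variant still passes the published short-key vector and fails only on the long-key case, which is the kind of defect that broad independent review and interoperability testing catch and a closed implementation can hide.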
Another cryptographic point of view
I don't want to convince anyone, just to provide facts related to science, cryptography and security, in order to reduce the effect of misinformation spread by security companies whose only goal is to sell you something and not to do something that makes the world better.
When you build secure products, if they are not done following the proper approach, people could die.
It's absolutely irresponsible not to use best practice when doing crypto stuff.
To summarize, let's go over the infosecurityguard.com review from a security best practice point of view.
| Product name | Security Through Obscurity | Public peer review | Open Source | Compromise locally? |
| --- | --- | --- | --- | --- |
| Caspertec | Obscurity | No public review | Closed | Yes |
| CellCrypt | Obscurity | No public review | Closed | Yes |
| Cryptophone | Transparency | Limited public review | Public | Yes |
| Gold-Lock | Obscurity | No public review | Closed | Yes |
| Illix | Obscurity | No public review | Closed | Yes |
| No1.BC | Obscurity | No public review | Closed | Yes |
| PhoneCrypt | Obscurity | No public review | Closed | Yes |
| Rohde & Schwarz | Obscurity | No public review | Closed | Yes |
| Secure-Voice | Obscurity | No public review | Closed | Yes |
| SecuSmart | Obscurity | No public review | Closed | Yes |
| SecVoice | Obscurity | No public review | Closed | Yes |
| SecureGSM | Obscurity | No public review | Closed | Yes |
| SnapCell | Obscurity | No public review | Closed | Yes |
| Tripleton | Obscurity | No public review | Closed | Yes |
| Zfone | Transparency | Public review | Open | Yes |
| ZRTP | Transparency | Public review | Open | Yes |
* Green means that it matches the basic requirements for a cryptographically secure system
* Red / Broken means that it does not match the basic requirements for a cryptographically secure system
That's my analysis using an evaluation method based on cryptographic and security parameters, not including the local compromise context, which I consider useless.
However, to be clear, those are only basic parameters to be used when considering a voice encryption product (just to avoid being in a situation where it appears that I am promoting other products). So it is absolutely possible that a product with good crypto (transparent, peer reviewed and open source) is absolutely not a secure product for whatever reason (badly written, not usable so that users don't use it and make cleartext calls, politically compromised, etc.).
I think I will prepare broader criteria for voice crypto technologies and voice crypto products, so it would be much easier and much more practical to have a fully transparent set of criteria to evaluate them.
But those are really the basics of security that a good voice encryption system must match!
Read some useful past slides on security protocols used in voice encryption systems (2nd part).
Now read below some more practical doubts about their research.
The security concept of the review is misleading: any hacked device can always be intercepted!
I think that the guys completely missed the point: ANY KIND OF SOFTWARE RUNNING ON A COMPROMISED OPERATING SYSTEM CAN BE INTERCEPTED
Now they are pointing out that Zfone from Philip Zimmermann (a PC software) is also broken, just because they install a trojan on a PC like on a mobile phone?
Any security software relies on the fact that the underlying operating system is somehow trusted and preserves the integrity of the environment where the software runs.
- If you have a disk encryption system but your PC is infected by a trojan, the computer is already compromised.
- If you have a voice encryption system but your PC is infected by a trojan, the computer is already compromised.
- If you have a voice encryption system but your mobile phone is infected by a trojan, the mobile phone is already compromised.
No matter which software you are running, in such a case the security of your operating environment is compromised and, one way or another, all information integrity and confidentiality is compromised.
Like I explained above on how to intercept PhoneCrypt.
The only thing that can protect you from this threat is running on a closed operating system with Trusted Computing capability, properly implemented.
For sure, on any “open” operating system such as Windows, Windows Mobile, Linux, iPhone or Android there's no chance to really protect a software.
On difficult operating systems such as Symbian OS or RimOS, maybe the running software can be protected (at least partially).
That's the reason why the security concept that those guys are leveraging to carry on their marketing campaign makes no sense.
It's just because they control the environment: they know the Flexispy software, and so they adjusted their software not to be interceptable when Flexispy is installed.
If you develop a trojan with the other techniques I described above, you will 100% intercept PhoneCrypt.
On that subject, Dustin Trammell, security researcher at BreakingPoint Systems, also pointed out on the VoIP Security Alliance mailing lists that the security analysis is based on wrong concepts.
PhoneCrypt can be intercepted: it's just that they didn't want to tell you!
PhoneCrypt can be intercepted with “on device spyware”.
Why?
Because Windows Mobile is an insecure operating environment and PhoneCrypt runs on Windows Mobile.
Windows Mobile does not use Trusted Computing and so any software can do anything.
The platform choice for a secure telephony system is important.
How?
I quickly discussed with some knowledgeable Windows Mobile hackers 2 different ways to intercept PhoneCrypt with an on-device spyware (given the insecure Windows Mobile platform).
a) Inject a malicious DLL into the software and intercept from within PhoneCrypt itself.
In Windows Mobile any software can be subject to DLL code injection.
What an attacker can do is inject code into the PhoneCrypt software (or any software running on the phone), hooking the audio-related functions and acting as a “function proxy” between PhoneCrypt and the real API used to record/play audio.
It's a matter of “hooking” only 2 functions: the one that records audio and the one that plays it.
That's simple; any programmer will tell you so.
They simply decided it was better not to mention this.
b) Create a new audio driver that simply acts as a proxy to the real one and intercepts PhoneCrypt
In Windows Mobile you can create new audio drivers and new audio filters.
What an attacker can do is load a new audio driver that does nothing other than pass the real audio driver's functions to/from the real one. In the meantime it intercepts everything recorded and everything played :-)
They simply decided it was better not to mention this way of intercepting phone calls on PhoneCrypt.
Those are just 2 quick ideas; more can probably be done.
It sounds more like a marketing activity - not a security research.
I have to tell you: I analyzed the issue very carefully and on most aspects. All this stuff about the voice encryption analysis sounds to me like a marketing campaign by SecurStar GmbH to sell PhoneCrypt and gain reputation. A well-articulated and well-prepared campaign to attract the media, saying, in an indirect way that cheats the media, that PhoneCrypt is the only secure one. You can see SecurStar's press releases and “security researcher Notrax says that PhoneCrypt is the only secure product”. SecurStar PhoneCrypt is the only product that the anonymous hacker “Notrax” considers secure among the “software solutions”.
Only the “software version”, in competition with:
- SnapCell - no one can buy it. A security company that doesn't even have a web page anymore. The company almost doesn't exist anymore. It does sound strange that only these other products are considered secure along with PhoneCrypt.
Also, ... check the kind of multimedia content in the different reviews available of Gold-Lock, Cellcrypt and Phonecrypt, in order to understand how hard the marketing guys pressed to make the PhoneCrypt review the most attractive:
| Application | Screenshots of the application | Video with demonstration of interception | Network demonstration |
| --- | --- | --- | --- |
| PhoneCrypt | 5 | 0 | 1 |
| CellCrypt | 0 | 2 | 0 |
| GoldLock | 1 | 2 | 0 |
It's clear that the PhoneCrypt review explicitly presents more of the major security features and more description of the product's features than the other ones.
The difference between them is too big; should we suspect that it's a marketing tip?
But again, there are other strange things when analyzing the way it was done…
If it was “an impartial and neutral review”, we should see good and bad things on all the products, right?
Ok, see the table below regarding the opinion indicated in each point of the different reviews available of Gold-Lock, CellCrypt and Phonecrypt (the only ones available), to see whether they are positive or negative.
| Application | Number of points | Positive points | Negative points | Neutral points |
| --- | --- | --- | --- | --- |
| PhoneCrypt | 9 | 9 | 0 | 0 |
| CellCrypt | 12 | 0 | 10 | 2 |
| GoldLock | 9 | 0 | 8 | 1 |

| Review point | Opinion expressed |
| --- | --- |
| From their website | Positive marketing feedback |
| Apple iPhone | Positive marketing feedback |
| Disk Encryption or Voice Encryption | Positive marketing feedback |
| PBX Compatibility? Really | Positive marketing feedback |
| Cracking <10. Not. | Positive marketing feedback |
| Good thinking! | Positive marketing feedback |
| A little network action | Positive marketing feedback |
| UI | Positive marketing feedback |
| Good taste | Positive marketing feedback |

| Review point | Opinion expressed |
| --- | --- |
| From their website | Negative marketing feedback |
| Licensed by the Israeli Ministry of Defense | Negative marketing feedback |
| Real company or part-time hobby | Negative marketing feedback |
| 16,000-bit authentication | Negative marketing feedback |
| DH 256 | Negative marketing feedback |
| Download & Install! | Neutral marketing feedback |
| Cracking it <10 | Negative marketing feedback |
| Marketing BS101 | Negative marketing feedback |
| Cool video stuff | Negative marketing feedback |

| Review point | Opinion expressed |
| --- | --- |
| From their website | Neutral marketing feedback |
| A little background about cellcrypt | Negative marketing feedback |
| Master of Marketing | Negative marketing feedback |
| Secure Voice Calling | Negative marketing feedback |
| Who buys their stuff | Negative marketing feedback |
| Download & Install! | Neutral marketing feedback |
| My demo environment | Negative marketing feedback |
| They forgot some code | Negative marketing feedback |
| Cracking it <5 | Negative marketing feedback |
| Room monitoring w/ ClickAPEL | Negative marketing feedback |
| Cellcrypt unique features.. | Negative marketing feedback |
| Plain old interception | Negative marketing feedback |
| The haters out there | Negative marketing feedback |
Now it's clear that, from their point of view, there is not a single bad point about PhoneCrypt, while the others are always described in a negative way.
Not a single good point. Strange?
All these considerations, together with the following ones, make me think that it's very probably a marketing review and not an independent review.
Other similar marketing attempts from SecurStar
SecurStar GmbH is known to have leveraged this kind of “technical speculation” in past marketing activities, abusing partial information and fake, unconfirmed hacking stuff to make marketing/media coverage.
IMHO a rare mix of unfairness in leveraging how difficult it is for people to really understand the complexity of security and cryptography.
They already used marketing activities in the past like the one about creating a trojan for Windows Mobile and saying that their software is secure from the trojan that they wrote.
Read about their marketing tricks of 2007
They developed a trojan (RexSpy) for Windows Mobile, made a demonstration of the trojan's capability and later said that they had included an “anti-trojan” capability in their PhoneCrypt software. They never released information about this trojan, and never even proved that it exists.
The researcher Collin Mulliner said at the time that it sounds like a marketing tip (also because he was not able to get any information about this trojan from SecurStar CEO Hafner):
“This makes you wonder if this is just a marketing thing.”
Now, let's try to do some logical reasoning.
It's part of the way they do marketing: a very unfriendly and impolite approach to customers, journalists and users, trying to provide wrong security concepts for a market advantage, being sure that those who read don't have all the skills to do an in-depth security evaluation and find the truth behind their marketing tips.
Who is the hacker notrax?
It sounds like the camouflage of a fake identity, needed to have an “independent hacker” making an “independent review” that is stronger for reputation building.
Read about his bio:
¾ Human, ¼ Android (Well that would be cool at least.) I am just an enthusiast of pretty much anything that talks binary and if it has a RS232 port even better. During the day I masquerade as an engineer working on some pretty cool projects at times, but mostly I do the fun stuff at night. I have been thinking of starting an official blog for about 4.5 years to share some of the things I come across, can't figure out, or just cross my mind. Due to my day job and my nighttime meddling, I will update this when I can. I hope some find it useful, if you don't, well you don't.
There is no information about this guy on Google.
Almost any hacker who goes public has articles online, posts in mailing list archives and/or forums, or some result of their activity.
For notrax, nothing is available.
Additionally, let's look at the domain…
The domain infosecurityguard.com is privacy protected by domainsbyproxy to prevent understanding who the owner is.
The domain was created 2 months ago, on 01-Dec-09, at the godaddy.com registrar.
It's also very interesting to notice that this “unknown hacker with no trace on Google who appeared on the net in December 2009” is referred to in the SecurStar GmbH press release as “An IT security expert”.
Maybe they “know personally” who this anonymous notrax is? :)
Am I following my own conspiracy thinking, or is there maybe some reasonable doubt that everything was arranged in that funny way just for a marketing activity?
Social consideration
If you are a security company, your job also has a social aspect: you should also work to make the world a better place (sure, to make business, but “not being evil”). You cannot cheat end users' skills in evaluating security by producing fake, misleading information.
You should raise awareness among end users, to make them more conscious of security issues, giving them the tools to understand and decide for themselves.
Hope you had fun reading this article and that you made your own considerations about it.
Fabio Pietrosanti (naif)
ps Those are my personal professional opinions; let's speak about technology and security, not marketing.
pps I am not that smart in web writing, so sorry for how the text is formatted and how the flow of the article is unstructured!