This article want to clarify and better explain the finding at infosecurityguard.com regaring voice encryption product evaluation.
This article want to tell you a different point of view other than infosecurityguard.com and explaining which are the rational with extensive explaination from security point of view.
Today i read news saying: “PhoneCrypt: Basic Vulnerability Found in 12 out of 15 Voice Encryption Products and went to read the website infosecurityguard .
Initially it appeared to my like a great research activity but then i started reading deeply the read about it.I found that it's not properly a security research but there is are concrete elements that's a marketing campaign well done in order to attract public media and publicize a product.
Imho they was able to cheat journalists and users because the marketing campaign was absolutely well done not to be discovered on 1st read attempt. I personally considered it like a valid one on 1st ready (they cheated me initially!).
But if you go deeply… you will understand that:
- it's a camouflage marketing initiative arranged by SecurStar GmbH and not a independent security research
- they consider a only security context where local device has been compromised (no software can be secured in that case, like saying SSL can be compromised if you have a trojan!)
- they do not consider any basic security and cryptographic security criteria
However a lot of important website reported it:
This article is quite long, if you read it you will understand better what's going on around infosecurityguard.com research and research result.
I want to to tell you why and how (imho) they are wrong.
The research missed to consider Security, Cryptography and Transparency!
Well, all this research sound much like being focused on the marketing goal to say that their PhoneCrypt product is the “super” product best of all the other ones.
Any security expert that would have as duty the “software evaluation” in order to protect the confidentiality of phone calls will evaluate other different characteristics of the product and the technology.
Ja, es ist wahr, dass die meisten das Produkt von SecurStar in ihrer anonymen marketing website beschrieben http://infosecurityguard.com haben einige Schwächen genannt.
Aber die Schwäche relevant sind andere und PhoneCrypt leider, wie die meisten der beschriebenen Produkte leiden unter dieser.
Lassen Sie uns, welche Merkmale grundlegende Kryptographie und Sicherheit Anforderung benötigt werden (die beste Praxis, das Fundament und die Grundlagen!)
a - Sicherheit Trough Obscurity funktioniert nicht
Eine Grundregel in der Kryptographie cames von 1883 von Auguste Kerckhoffs:
In einer gut gestalteten kryptographischen Systems, muss nur der Schlüssel geheim sein; sollte es keine Geheimhaltung des Algorithmus sein.
Moderne Kryptographen haben dieses Prinzip umarmte und rief etwas anderes "Sicherheit durch Verschleierung."
Lesen Sie, was Bruce Schneir, anerkannter Experte und Kryptologen der Welt sagen, über diese Jeder Security-Experte wird Ihnen sagen, das ist wahr. Auch ein Anfänger Student wird Ihnen sagen, das ist wahr. Ganz einfach, weil das der einzige Weg, Kryptographie zu tun ist.
Fast alle Artikel in der Übersicht von SecurStar GmbH, include PhoneCrypt beschrieben, nicht genaue Angaben über ihre kryptografischen Technologien.
Genaue Angaben sind:
- Detaillierte Spezifikation des kryptographischen Algorithmus (das ist nicht nur sagen: "Wir verwenden AES ")
- Detaillierte Spezifikation von kryptographischen Protokoll (das ist nicht nur sagen: "Wir verwenden Diffie Hellman ")
- Detaillierte Beschreibung der Messung der kryptographischen Stärke (das ist nicht nur sagen: "Wir haben 10 Millionen Bit Schlüssellänge ")
Bereitstellung von genauen Angaben bedeutet das umfangreiche Dokumentation mit den theoretischen und praktischen Auswirkungen zu dokumentieren beliebigen Einzelspieler Weg, wie der Algorithmus funktioniert, wie das Protokoll mit genauen Spezifikation arbeitet, um es für Interoperabilitätstests replizieren.
Es bedeutet, dass die wissenschaftliche Gemeinschaft sollte in der Lage sein mit der Technik zu spielen, es zu prüfen, es zu hacken.
Wenn wir wissen nichts über die kryptographischen Systems in Details, wie können wir wissen, welche sind die Schwäche und Stärke Punkte?
Mike Fratto, Autor der Website der Network Computing, machte einen großen Artikel über die "Nein-Sagen zu proprietären kryptographische Systeme" .
CERIAS Purdue University sagen dies .
b - NON peer reviewed und nicht wissenschaftlich anerkannten Kryptographie funktioniert nicht
In jedem Fall und in jedem Zustand Sie tun Kryptographie Sie müssen sicher sein, dass jemand anderes überprüfen, bewerten, analysieren und distruct reconstract von Grund auf Ihrer Technologie und bieten solche Informationen kostenlos für die Öffentlichkeit für eine offene Diskussion.
Das ist genau, wie AES geboren wurde und wie US-amerikanischen National Institute of Standard-Krypto machen tut (mit öffentlichen Wettbewerb mit öffentlichen Peer-Review, wo nur die besten ausgewertet win).
Eine öffentliche Diskussion mit einem öffentlichen Wettbewerb, bei dem die eine Menge Kritik von den bekanntesten und Experte Kryptologen der Welt, bieten Hackern (mit ihren Namen, Vornamen und Gesicht, nicht wie Notrax) ihren Beitrag, zu sagen, was sie denkt.
Das nennt man "peer review".
Wenn ein kryptographischer Technologie hat einen erweiterten und wichtige Peer-Review, in der Welt kommen aus Universitäten, private Sicherheitsdienste, militärischen Einrichtungen, Hackern und allen, die aus verschiedenen Teilen der Welt verteilt (aus den USA nach Europa über Russland bis nach Südamerika in den Nahen Osten nach China) und alle von ihnen einig, dass eine bestimmte Technologie es sicher ist ...
Nun, in diesem Fall können wir betrachten die Technologie sicher, weil eine Menge von Entitäten mit gutem Ruf und Autorität aus vielen anderen Ort in der Welt haben öffentlich bewertet, analysiert und bestätigt, dass eine Technologie, es ist sicher.
Wie ein privates Unternehmen können sogar denken, zu erfinden auf seine eigene ein sicheres Kommunikationsprotokoll ist, wenn es wissenschaftlich festgestellt hat, dass es nicht möglich ist, es in einem "proprietären und geschlossenen Weg" zu tun?
IBM Ihnen sagen, dass es für die Peer-Review-Kryptographie ist erforderlich .
Bruce Schneier Ihnen sagen , dass "Good Kryptographen dass nichts ersetzt umfangreichen Peer-Review und jahrelanger Analyse kennen."
Philip Zimmermann wird Ihnen sagen, der Snake Oil hüten , wo die Geschichte ist: "Jeder Software-Ingenieur hält sich eine entcoder, die zur Verbreitung von wirklich schlechten Krypto-Software geführt hat."
c - Closed Source Kryptographie funktioniert nicht
Wie Sie jede Art von "ernst" und mit Know "guten Ruf" kryptographische Technologie in opensource implementiert.
Es sind in der Regel mehrere Umsetzung der gleichen Verschlüsselungsalgorithmus und kryptografische Protokoll in der Lage sein, den ganzen Weg funktioniert es bewerten und zertifizieren die Interoperabilität.
Angenommen, ein Standard mit präzisen und erweiterte Angaben zum "wie es funktioniert" verwenden, der sich heute in "peer reviewed" von der wissenschaftlichen Gemeinschaft, aber das wurde von Grund auf von einem nicht so smart Programmierer und die Umsetzung neu implementiert, es ist viel Bugs .
Nun, wenn die Umsetzung ist "opensource" bedeutet dies, dass sie überprüft werden können, verbessert, getestet, geprüft und der Endbenutzer certaintly in ihm haben eigene hatte ein Stück Technik ", die sicher funktioniert."
Google Release opensource Krypto-Toolkit
Mozilla Release opensource Krypto-Toolkit
Bruce Schneier Ihnen sagen, dass Kryptographie muss opensource .
Eine weitere kryptographische Sicht
Ich will niemanden überzeugen, sondern einfach Fakten im Zusammenhang mit Wissenschaft, im Zusammenhang mit Kryptographie und Sicherheit, um die Wirkung von Fehlinformation durch Unternehmen, deren Sicherheit nur geht, ist, etwas zu verkaufen und nicht um etwas, das die Welt zu tun, getan zu reduzieren besser.
Wenn Sie sichere Produkte zu tun, wenn sie nicht nach getan die richtige Ansatz Menschen könnten sterben.
Es ist absolut unverantwortlich, so etwas nicht zu verwenden, um Best-Practice-Krypto-Zeug zu tun.
Zusammenfassend lasst uns die infosecurityguard.com Bewertung aus sicherheitspolitischer besten pratice Sicht.
| Produktname | Sicherheit Trough Obscurity | Öffentliche Peer Review | Open Source | Kompromiss lokal? |
| Caspertec | Obscurity | No public review | Closed | Ja |
| CellCrypt | Obscurity
| No public review
| Closed
| Ja |
| Cryptophone | Transparency | Limited public review | Öffentliche | Ja |
| Gold-Lock | Obscurity
| No public review
| Closed
| Ja |
| Illix | Obscurity
| No public review
| Closed
| Ja |
| No1.BC | Obscurity | No public review
| Closed
| Ja |
| PhoneCrypt | Obscurity
| No public review
| Closed
| Ja |
| Rode&Swarz | Obscurity
| No public review
| Closed
| Ja |
| Secure-Voice | Obscurity
| No public review
| Closed
| Ja |
| Secusmart | Obscurity
| No public review
| Closed
| Ja |
| SecVoice | Obscurity
| No public review
| Closed
| Ja |
| SegureGSM | Obscurity
| No public review
| Closed
| Ja |
| SnapCell | Obscurity
| No public review
| Closed
| Ja |
| Tripleton | Obscurity
| No public review
| Closed
| Ja |
| Zfone | Transparency | Public review
| Open | Ja |
| ZRTP | Transparency | Public review
| Open | Ja |
*Green means that it match basic requirement for a cryptographic secure system
* Red / Broken means that it does not match basic requirement for a cryptographic secure system
That's my analysis using a evaluation method based on cryptographic and security parameters not including the local compromise context that i consider useless.
However, to be clear, those are only basic parameters to be used when considering a voice encryption product (just to avoid being in a situation that appears like i am promoting other products). So it may absolutely possible that a product with good crypto ( transparency, peer reviewed and opensource) is absolutely a not secure product because of whatever reason (badly written, not usable causing user not to use it and use cleartext calls, politically compromised, etc, etc).
I think i will prepare a broader criteria for voice crypto technologies and voice crypto products, so it would be much easier and much practical to have a full transparent set of criterias to evaluate it.
But those are really the basis of security to be matched for a good voice encryption system!
Read some useful past slides on security protocols used in voice encryption systems (2nd part).
Now read below some more practical doubt about their research.
The security concept of the review is misleading: any hacked device can be always intercepted!
I think that the guys completely missed the point: ANY KIND OF SOFTWARE RUNNING ON A COMPROMISED OPERATING SYSTEM CAN BE INTERCEPTED
Now they are pointing out that also Zfone from Philip Zimmermann is broken (a pc software), just because they install a trojan on a PC like in a mobile phone?
Any security software rely on the fact that the underlying operating system is somehow trusted and preserve the integrity of the environment where the software run.
- If you have a disk encryption system but your PC if infected by a trojan, the computer is already compromised.
- If you have a voice encryption system but your PC is infected by a trojan, the computer is already compromised.
- If you have a voice encryption system but your mobile phone is infected by a trojan, the mobile phone is already compromised.
No matter which software you are running, in such case the security of your operating environment is compromised and in one way or another way all the information integrity and confidentiality is compromised.
Like i explained above how to intercept PhoneCrypt.
The only things that can protect you from this threat is running in a closed operating system with Trust Computing capability, implementing it properly.
For sure on any “Open” operating system such us Windows, Windows Mobile, Linux, iPhone or Android there's no chance to really protect a software.
On difficult operating system such as Symbian OS or RimOS maybe the running software can be protected (at least partially)
That's the reason for which the security concept that guys are leveraging to carry on their marketing campaign has no clue.
It's just because they control the environment, they know Flexispy software and so they adjusted their software not to be interceptable when Flexispy is installed.
If you develop a trojan with the other techniques i described above you will 100% intercept PhoneCrypt.
On that subject also Dustin Tamme l, Security researcher of BreakPoint Systems , pointed on on VoIP Security Alliance mailing lists that the security analysis is based on wrong concepts .
The PhoneCrypt can be intercepted: it's just that they don't wanted to tell you!
PhoneCrypt can be intercepted with “on device spyware”.
Warum?
Because Windows Mobile is an unsecure operating environment and PhoneCrypt runs on Windows Mobile.
Windows Mobile does not use Trusted Computing and so any software can do anything.
The platform choice for a secure telephony system is important.
How?
I quickly discussed with some knowledgeable windows mobile hackers about 2 different way to intercept PhoneCrypt with an on-device spyware (given the unsecure Windows Mobile Platform).
a) Inject a malicious DLL into the software and intercept from within the Phonecrypt itself.
In Windows Mobile any software can be subject to DLL code injection.
What an attacker can do is to inject into the PhoneCrypt software (or any software running on the phone), hooking the Audio related functions acting as a “function proxy” between the PhoneCrypt and the real API to record/play audio.
It's a matter of “hooking” only 2 functions, the one that record and the one that play audio.
That's simple, any programmer will tell you to do so.
They simply decided that's better not to make any notice about this.
b) Create a new audio driver that simply act as a proxy to the real one and intercept PhoneCrypt
In Windows Mobile you can create new Audio Drivers and new Audio Filters.
What an attacker can do is to load a new audio driver that does not do anything else than passing the real audio driver function TO/FROM the realone. In the meantime intercept everything recorded and everything played :-)
They simply decided that's better not to make any notice to that way of intercepting phone call on PhoneCrypt .
Those are just 2 quick ideas, more can be probably done.
Sounds much like a marketing activity – Not a security research.
I have to tell you. I analyzed the issue very carefully and on most aspects. All this things about the voice encryption analisys sounds to me like a marketing campaign of SecurStar GmbH to sell PhoneCrypt and gain reputation. A well articulated and well prepared campaign to attract the media saying, in an indirect way cheating the media, that PhoneCrypt is the only one secure. You see the press releases of SecurStar and of the “Security researcher Notrax telling that PhoneCrypt is the only secure product” . SecurStar PhoneCrypt is the only product the anonymous hacker “Notrax” consider secure of the “software solutions”.
The only “software version” in competition with:
–
SnapCell – No one can buy it. A security company that does not even had anymore a webpage. The company does not almost exist anymore.
Does it sounds strange that only those other products are considered secure along with PhoneCrypt .
Also… let's check the kind of multimedia content in the different reviews available of Gold-Lock, Cellcrypt and Phonecrypt in order to understand how much the marketing guys pressed to make the PhoneCrypt review the most attractive:
| Application | Screenshots of application | Video with demonstration of interception | Network demonstration |
| PhoneCrypt | 5 | 0 | 1 | |
| CellCrypt | 0 | 2 | 0 |
| GoldLock | 1 | 2 | 0 |
It's clear that PhoneCrypt is reviewed showing more features explicitly shown and major security features product description than the other.
Too much difference between them, should we suspect it's a marketing tips?
But again other strange things analyzing the way it was done…
If it was “an impartial and neutral review” we should see good and bad things on all the products right?
Ok, see the table below regarding the opinion indicated in each paragraph of the different reviews available of Gold-Lock, CellCrypt and Phonecrypt (are the only available) to see if are positive or negative.
| Application | Number of paragraphs | Positive paragraphs | Negative paragraphs | Neutral paragraphs |
| PhoneCrypt | 9 | 9 | 0 | 0 |
| CellCrypt | 12 | 0 | 10 | 2 |
| GoldLock | 9 | 0 | 8 | 1 |
Detailed paragraphs opinion analysis of Phonecrypt | Paragraph of review | Opinion expressed |
| From their website | Positive Marketing feedback |
| Apple iPhone | Positive Marketing feedback |
| Disk Encryption or voice Encryption | Positive Marketing feedback |
| PBX Compatibility? Wirklich | Positive Marketing feedback |
| Cracking <10. Nicht. | Positive Marketing feedback |
| Good thinking! | Positive Marketing feedback |
| A little network action | Positive Marketing feedback |
| UI | Positive Marketing feedback |
| Good Taste | Positive Marketing feedback |
| Paragraph of review | Opinion expressed |
| From their website | Negative Marketing feedback |
| Licensed by The israeli Ministry of Denfese | Negative Marketing feedback |
| Real Company or Part Time hobby | Negative Marketing feedback |
| 16.000 bit authentication | Negative Marketing feedback |
| DH 256 | Negative Marketing feedback |
| Downad & Installation! | Neutral Marketing feedback |
| Cracking it <10 | Negative Marketing feedback |
| Marketing BS101 | Negative Marketing feedback |
| Cool video stuff | Negative Marketing feedback |
Detailed paragraphs opinion analysis of
CellCrypt | Paragraph of review | Opinion expressed |
| From their website | Neutral Marketing feedback |
| A little background about cellcrypt | Negative Marketing feedback |
| Master of Marketing | Negative Marketing feedback |
| Secure Voice calling | Negative Marketing feedback |
| Who's buying their wares | Negative Marketing feedback |
| Downad & Installation! | Neutral Marketing feedback |
| My Demo environment | Negative Marketing feedback |
| Did they forget some code | Negative Marketing feedback |
| Cracking it <5 | Negative Marketing feedback |
| Room Monitoring w/ FlexiSpy | Negative Marketing feedback |
| Cellcrypt unique features.. | Negative Marketing feedback |
| Plain old interception | Negative Marketing feedback |
| The Haters out there | Negative Marketing feedback |
Now it's clear that from their point of view on PhoneCrypt there is no single bad point while the other are always described in a negative way.
No single good point. Seltsam?
All those considerations along with the next ones really let me think that's very probably a marketing review and not an independent review.
Other similar marketing attempt from SecurStar
SecurStar GmbH is known to have used in past marketing activity leveraging this kind of “technical speculations”, abusing of partial information and fake unconfirmed hacking stuff to make marketing/media coverage.
Imho a rare mix of unfairness in leveraging the difficult for people to really understand the complexity of security and cryptography.
They already used in past Marketing activities like the one about creating a trojan for Windows Mobile and saying that their software is secure from the trojan that they wrote.
Read about their marketing tricks of 2007
They developed a Trojan (RexSpy) for Windows Mobile, made a demonstration capability of the trojan and later on told that they included “Anti-Trojan” capability to their PhoneCrypt software.They never released informations on that trojan, not even proved that it exists.
The researcher Collin Mulliner told at that time that it sounds like a marketing tips (also because he was not able to get from SecurStar CEO Hafner any information about that trojan):
“This makes you wonder if this is just a marketing thing.”
Now, let's try to make some logical reassignment.
It's part of the way they do marketing, an very unfriendly and unpolite approach with customers, journalist and users trying to provide wrong security concepts for a market advantage. Being sure that who read don't have all the skills to do in depth security evaluation and find the truth behind their marketing trips.
Who is the hacker notrax?
It sounds like a camouflage of a fake identity required to have an “independent hacker” that make an “independent review” that is more strong on reputation building.
Read about his bio:
¾ Human, ¼ Android (Well that would be cool at least.) I am just an enthusiast of pretty much anything that talks binary and if it has a RS232 port even better. During the day I masquerade as an engineer working on some pretty cool projects at times, but mostly I do the fun stuff at night. I have been thinking of starting an official blog for about 4.5 years to share some of the things I come across, can't figure out, or just cross my mind. Due to my day job and my nighttime meddling, I will update this when I can. I hope some find it useful, if you don't, well you don't.
There are no information about this guy on google.
Almost any hacker that get public have articles online, post in mailing archive and/or forum or some result of their activity.
For notrax, nothing is available.
Zusätzlich wollen wir unter der Domain aussehen ...
Die Domain ist infosecurityguard.com Privatsphäre durch domainsbyproxy geschützt Verständnis, wer der Eigentümer ist zu verhindern.
Die Domain wurde vor 2 Monaten auf 01-Dez-09 auf godaddy.com Registrar erstellt.
Was ist auch sehr interessant zu bemerken, dass diese "unbekannte Hacker ohne eine Spur auf Google über ihn, der auf Dezember 2009 über das Netz erschien" bezeichnet wird SecurStar GmbH Pressemitteilung als "ein IT-Security-Experte".
Vielleicht haben sie "persönlich kennen" wer ist das anonyme Notrax? :)
Bin ich nach meinem eigenen Denken Verschwörung oder vielleicht gibt es einige berechtigte Zweifel, dass alles in diesem lustigen Art und Weise nur für einen Marketing-Aktivitäten zu arrangieren?
Social Berücksichtigung
Wenn Sie ein Security-Unternehmen sind Sie Job haben auch eine soziale Aspekte, sollten Sie auch arbeiten, um die Welt zu einem besseren Ort (sicher, Geschäft zu machen, sondern "nicht böse"). Sie können nicht betrügen die Fähigkeiten der Endanwender bei der Bewertung der Sicherheit machen gefälschte irreführende Informationen.
Sie sollen für Endkunden zu tun, um sie bewusst Sicherheitsprobleme, indem sie ihnen die Werkzeuge, um zu verstehen und selbst entscheiden.
Hoffe, Sie hatten Spaß beim Lesen dieses Artikels und Sie haben Ihre eigene Überlegung zu diesem.
Fabio Pietrosanti (naif)
ps Wer meine persönliche professionelle Meinung sind, lasst uns über Technik und Sicherheit, nicht Marketing sprechen.
pps ich bin nicht so schlau in web schreiben, so leid, wie der Text formatiert ist und wie die Strömung des Artikels unstrukturierten ist!
