Many voice encryption systems easily crackable
A vast majority of voice encryption products are seriously flawed, according to controversial tests by an anonymous hacker. Using the commercially available FlexiSpy wiretapping utility and a 'homemade' Trojan, Notrax (the anonymous hacker's nickname) claims to have defeated 11 out of 15 voice encryption technologies in tests. …
Just wondering - what is a "landmine phone", and aren't they banned in the UK? ;-)
I'm not sure I even want to know how you'd use one. I certainly wouldn't want to be anywhere near it.
This isn't about cracking encryption at all. This is about a script kiddy installing a trojan on a bunch of phones that allowed him to intercept the voice signal, on the phone, (and this bit is important) _before_ it was encrypted. The only reason that any of the phones "passed" the test is that the "hacker" wasn't able to install his trojan on them.
This _might_ be newsworthy if there were a reasonable infection vector for the trojan, but as it is it's no better than scaremongering.
You seriously need to lift your game when reporting this kind of stuff. It's getting like the Daily Mail around here.
is that a fat fingered landline phone? Or a phone you bury in the garden and it rings you when the cat walks over it?
Yes yes it's been fixed now but oh look at you all so funny with your clever.
Sigh.
"so funny with your clever."
Is this terrible english or is it just me? Should it have had the word 'jokes' on the end mayhaps?
No. I was playing with language. It's what you can do when you're good.
My favorite response to grammer and speling nazis is the following phrase which is guarenteed to make people cranky:
'ey kun spel reel gud. huked ahn fonix wurks fer meh.' Every word is mis-speled, yet if you read it out loud using standard english ( American or the Queen's own) it comes out right.
(and yes, I intentionally mis-speled the various forms of the word 'spell'. intentional mis-spelling is hard!)
I read the blog but this “security review” is surprisingly misleading and also its origins look highly suspicious to me.
The blog claims to review "voice encryption" products and that they were cracked, but its obvious that it does not show that, it just installs a trojan on a device that listens to the microphone. Big deal, any security pro knows that once you have root access on a device you can subvert any OS.
This terrific new trojan could be thwarted by novel technology such as, say, a PIN code on the device.
My suspicions about the origins are raised not only by the anonymity and age of the blog but because I saw that Phonecrypt are peddling this, even going as far as issuing a press release, which I think is strange for a security company as the blog is so obviously misleading.
I think that this is a set up. Did some digging on who these guys are and found out that the person behind the PhoneCrypt is Wilfried Hafner aka "Luzifer" who served 3 years in a German jail for theft and fraud. So no surprise he is hiding behind a fake blog.
We all know that a trojan can take control over a device, but it doesn’t necessarily mean that it can crack any encryption.
Rubbish blog, if you ask me. But I saw this on slashdot, which sums it up nicely:
http://yro.slashdot.org/story/10/01/28/2317254/80-of-Cell-Phone-Encryption-Solutions-Insecure?art_pos=8
"I just posted the following comment on this asshole's website:
Your article is totally misleading.
You say that you managed to prove those products insecure.
Well, YOU DIDN'T. The intention of all the products you mentioned is to provide encryption?to protect you from someone intercepting your phone call. You didn't test any of this.?You just directly accessed the mic on the cellphone. Well, off course you'll get the audio!!
A little analogous situation to better explain what you did:
I will prove that this high security reinforced door is totally insecure. I'll get in the house through?the window. Oh No! It worked, I'm inside the house and I didn't even touch the door! Those doors?are Insecure!
That's exactly what you did. Those systems encrypt your voice. Your call is secure from interception.?If you knew anything about security, you would know this: Physical access is total access.
You had PHYSICAL access to the phone. Well, off course you where able to "crack" it. Guess what??You could have manually connected the mic cables to an mp3 recorder for all I cared.
It's like saying "I am going to prove that this OpenBSD-based firewall is insecure, but connecting?to the machines behind the firewall with this directly with this ethernet crossover cable".
So, are you really that naive, or you have financial interests in some phone crypto technology?"
Paris cause even her can use a PIN code.
Read the phonecrypt review on their website...
It's not a security testing but more a marketing review.
Read "between the lines", has not been written by a serious tester with the same "approach" used for other products.
But it used a "marketing oriented" language.
Be careful about the reliability of those reviews!
Shooting the messenger(s) and then playing the "literate smart arse*" card after being pulled up for bad spelling? How's that panning out?
You'd have given a better account of yourself had you bit your tongue... still, don't let that detract you from having the last word.
Hi,
i wanted to report my analysis about that research (quite long).
http://infosecurity.ch/20100130/about-the-voice-encryption-analysis-phonecrypt-can-be-intercepted-serious-security-evaluation-criteria/
Please read it
Fabio Pietrosanti
Sign up, sign up for The Register's weekly IT security newsletter - click here
