Is a $14,000 phone really the price of privacy? A US$14,000 (£9,706, or A$19,352) Android phone has been launched pitching 'military-grade encryption' at privacy-conscious executives. Little information can be found on the Solarin handset's specific security chops other than it will use "chip-to-chip 256-bit AES encryption" for phone calls. That technology is built by …
This isn't surprising since It's about status. Like having a Ferrari to drive to work in when everyone else in the C-Suite has a Porshe or Mercedes. I'm sure that a lot of clueless and status conscious will get them just because they know that anyone under couldn't afford one.
I wonder how long it it'll take before the first one cracked?
I would think Marshmallow would be much better suited for a phone like this given it enforces dm-verity and so would be able to detect rooting (by detecting changes in /system). And even /system-less rooting is being detected by Android's SafetyNet, which is partially external and so can detect tampering to itself as well.
Just because Android's security is "better" today doesn't mean it is good. Stuff like Stagefright existed for years, odds are good there are other things as bad or worse that have yet to be discovered. Or worse, have been discovered by a few and kept close to the vest for when they really need it (like when trying to hack a CEO who has secrets he thinks are worth buying a $14,000 phone to protect)
What's more, standard mobile encryption is simple to break, even for a random hacker with radio kit, let alone the carriers or spooks. This at least addresses that part of the problem, which even a hypothetical 100% secure Android or iPhone can do absolutely nothing about.
Embedded video on UK website does not allow UK viewers to watch. (well, me at least).
Without both ends of the calls being encrypted this this thing is just a great way to get insecure people to dump money on something that's of no use.
If we had carriers that offered "Secure" services then that would rock.
oh there was one... what was its name? erm... blueberry? blingberry? very popular with the working masses, awesome real qwerty or touchscreen keyboard for proper fast emails, encrypted data comms, even calls with the right software.
I think they were banned in the UAE for not allowing the gov'mint the decryption keys...
what ever happened to those guys...
(you can pry my BB Z30 out of my cold dead hands, my iphone6s is a cheap throwaway piece of consumer rubbish, which I suspect gets beaten up by the blackberry in my pocket judging by the scuffs and scratches on one and not on the other.)
Not to dismiss the work of Bletchley, but to imply that Enigma wasn't strong encryption in its time is a bit specious - it was far, far stronger than what the Allies had available.
It took a decade of continued investment by the Polish, then the British secret services, plus the invention of a new kind of signals intelligence, a new branch of mathematics and an entirely new technology for performing computations just to perform brute-force on Enigma. With better operating procedures, an Enigma system was still economically infeasible to crack until well after the war.
In the end, the biggest aid to the Allies in cracking Enigma was good old military discipline: there were enough stations that sent short, known-plaintext messages ("Station XYZ, 1200, nothing to report") that the cryptanalysts had a greatly-reduced search-space to work with.
Had the Germans been ordered to begin every message with two random words from the day's newspaper (i.e., salting the plaintext), things would have been much harder for the Allies.
I'm not sure Bletchley Park's first big win was decryption, I believe it was working out who was talking to who, can't remember the lead on this, however this was critical operational info available in real time.
Regardless of what was sent in the message, you were able to immediately identify who the Morse code/radio operator was by his/her typing style and subsequently with other intelligence who they were likely to be working for thus building up pictures of movements.
The subsequent cracking of some day messages was of course invaluable.
It is why the nasty Home Secretary is after Meta Data, it can often be as valuable to see who is talking to who as the actual messages when correctly analysed.
Yes, that was the revolution in signals intelligence. The mere fact that A was talking to B more often than normal, and only after talking to C was recognised as being of value to the Intelligence services. Traffic pattern analysis could reveal that "something" was going to happen in a particular place, and that was often enough information to work with - from there, operatives in the area could be put on alert to gather more concrete evidence.
Gordon Welchman was one of the key figures in this area at Bletchley. ElReg did an article on him last year (http://www.theregister.co.uk/2015/09/27/gordan_welchman_bletchley_park_remembers/) and there was also a very good BBC Two documentary on him recently http://www.bbc.co.uk/programmes/b069gxz7
Welchman later worked for the US military, and developed an operational communications system for them that was much more opaque to his own traffic analysis methods. The name of it escapes me, but from the limited info I've read, it seemed to operate as a message bus (or ring) of encrypted traffic, rather than point-to-point: the topology meant that by just watching the traffic, you couldn't know who was talking to whom - every station relayed every ciphertext, but only the recipient had the necessary key to read it.
To enable and end to end encrypted communication, the other user being communicated too must have the same capabilities. Pretty simple that some doughnuts will buy this thinking everyone they communicate with will be done in secret.
Another point, not being open means that backdoors can be implemented into the hardware or software layer.
They must have thought this through already, although the choice of an older Android does not speak well of their being up to date with security fixes for that mobile OS. If you worked in the telephone industry, you will know my friends Ing and Ed. AKA The callING party vs the callED party.
Anyway, here's how it would work; Ing makes a call, the OS figures out at connection time directly, or via a sideband like over the Internet that Ed is either running the comparable call encryption or not. Then, if Ed is not encrypting, it switches it off and hopefully tells you that Ed is NOT encrypting the call, so you can panic, or drive on damn the encryption.
For those of you complaining about the Ed Snow(den) video, I saw it yesterday and it's basically a mini interview with Ed and he demos how to desolder the various components to make a very old Sammy phone go "black." Those would be the two camera CCDs, and for that phone three mics, then you only make voice calls with an external headset. Bob's your uncle.
You know that does squat for the internal tower resolver or the GPS that these days is built into the SoC (meaning they can figure out where you are). As for the microphone, as soon as you connect that external mic, they can record you again. Plus if they REALLY wanted to record you all the time there would be another hidden mic that you couldn't reach without breaking something (again by being built built into some essential chip).
That's the point. If you want to spy on people with money and secrets, then selling a really expensive 'encryption' phone is the perfect way to trawl them in.
This is another fishing trawler for rich idiot's secrets:
https://en.wikipedia.org/wiki/Blackphone
Black phone promised to post the source code years ago - still no sign. Of course.
"co-founder and president Moshe Hogeg, a serial start up creator, and chief executive officer Tal Cohen, a former Forbes journalist and advertising industry man."
Really? Would you buy a phone from these two?
They don't appear to have many successes between them either, based on TFA.
If they actually wanted to build a secure device they would not use a complex operating system like Android (or iOS or Blackberry OS, or Windows phone...) They would instead have a minimal operating system acting as a "smart terminal" with as simple as possible protocols. For a budget for $14k they would also include alternative radio technologies to ease the problem of being tracked. Certainly they would also shield the GSM parts from the rest of the system.
So yes, it would be feasible to build a much more secure device for that kind of money, but there is no indication of added security on that device. In fact it even runs _more_ software than your usual device and has added black box "security chips", which usually mean that they want to leak the key. ("security chips" are useless if you can just get that chip to sign, en- or decrypt any message by changing the code around it during runtime)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
