How Secure can Security be?

on February 17, 2010

Today I came across a series of articles claiming that most solutions that encrypt voice communications on mobile phones are not up to par and can easily be intercepted. My first reaction was that this was a very bold claim, and after reading further I lost a little faith in the author’s arguments. That being said, some of his arguments do have merit, and his approach was very clever in its simplicity.

Notrax, the hacker in question, approached the challenge not by cracking the voice encryption algorithm itself but by installing a Trojan on the victim’s handset and intercepting the voice as it is recorded from the phone’s microphone, before it gets processed and encrypted. Simple and effective. Nearly all of the solutions were vulnerable to this approach. He sees this as a failure on the part of the solution providers; this is what I do not agree with. I do not believe that the approach Notrax employed is something such a solution needs to cater for. It is true that a few solutions detected something fishy going on and stopped the connection; kudos to them. If Notrax had praised these solutions for their effectiveness I wouldn’t have anything to comment on, but shooting down the others that didn’t detect the intrusion goes a bit overboard in my opinion.

Notrax claimed that this failing on the solution providers’ part means that their security is useless: they don’t do what they advertise, since they claim that your calls will be secure whereas he easily managed to intercept the calls with a simple procedure. However, as I argued in a previous article, there are no absolutes in security. No solution can protect against every form of attack. Every device or piece of software secures its own little domain, and whoever implements the security policy needs not only to understand this but to build their strategy around it. Take these secure calling solutions, for instance: if I deploy such a solution I don’t expect to be 100% secure against everything. No matter how well designed or how expensive it may be, do I expect such software to keep me safe from something as trivial as a person close by hearing me talk (known as shoulder surfing)? Of course not! What I would expect from such a solution is that if someone were to sniff or intercept the encrypted voice transmission, they would have no way to reverse it in a timeframe that makes it usable.

Notrax’s approach required physical access to the phone and the ability to deploy software on it. If an attacker gets physical access to something you want to protect, you are already in a lot of trouble; no solution will protect you after an event like that. Even with those applications that detect something amiss and block the call: what’s to stop an attacker who has physical access to the phone from uninstalling them and installing a lookalike application with as many backdoors as the attacker wishes? Nothing!

What I am trying to say is not that Notrax is wrong; he is right: his approach works and is definitely a threat. What I don’t agree with is that it’s the vendor’s fault. Physical security of the mobile phone is not their responsibility, and his attack was, in my opinion, an attack against the physical security of the device and not against the voice encryption solution. This attack vector cannot be protected against in software; it can only be avoided if proper physical security is ensured. With physical access to the device, one can simply attach a bug to the phone’s microphone itself and have everything transmitted unencrypted on any frequency the attacker wishes. No software solution will detect or block that.

The point is to stay focused on what we’re protecting against and never assume that one solution will cover it all. Security is about identifying the risks, deciding which ones are worth mitigating, and then adopting solutions that mitigate them.

Comments

Leandro Amore February 26, 2010 7:50 pm

Emmanuel, I think that Notrax is just using the wave generated by the announcements of the A5/1 project. They claimed at a Black Hat conference that using some rainbow tables it was possible to hack into any GSM conversation, and they even have a proof of concept and made a demo.
This is the link to the convention agenda:
http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html

and the link to the project page http://reflextor.com/trac/a51

I totally agree with you about physical security, once it’s lost there are no real countermeasures. You can take the recent hack of a TPM device, which was quite unthinkable. (http://windowsteamblog.com/blogs/windowssecurity/archive/2010/02/10/black-hat-tpm-hack-and-bitlocker.aspx)

Best regards.

Leandro
http://Blogs.prisma.cc/leandro

John Mello March 1, 2010 4:22 am

Emmanuel–I agree that a hack that involves physically compromising a cellphone isn’t a knock on its encryption software, but the encryption algorithms used by both the GSM and 3G networks have been cracked by researchers recently, which has raised concerns about the future security of mobile calls.

German cryptographer Karsten Nohl, who led a group of researchers who announced in December that they’d cracked the encryption code for GSM, which is used by 80 percent of all the world’s cellphones, says that the cipher used to encrypt GSM conversations hasn’t been changed in 21 years. That’s just too long.

Just two weeks after Nohl’s crew cracked GSM’s encryption, a team of cryptographers at Israel’s Weizmann Institute of Science divulged a process for decrypting transmissions sent over newer 3G networks, which are supposed to be more secure than GSM. Since the method requires two hours on a single PC to perform, it can’t be used to listen in on real-time cell phone calls–yet–but it’s only a matter of time.

Emmanuel Carabott April 6, 2010 2:58 pm

Hi Leandro and John, sorry for not replying before; I missed these comments, I am afraid. Yes, I am aware GSM has weaknesses, and it’s not just encryption; it’s also vulnerable to a man-in-the-middle attack as well: http://whitepapers.techrepublic.com.com/abstract.aspx?docid=155570

These are exactly the kind of attacks the encrypted voice communication solutions protect against. Notrax’s approach was clever and an effective attack on the solutions themselves, but that’s not what the solutions protect against. I am not saying they’re unhackable; everything is, ultimately. Encryption doesn’t protect anything by making it impossible to get, only unfeasible because of the time requirement, after all.

John, two hours or real time is basically the same; I wouldn’t feel secure if data I wanted to protect was secure for a mere two hours, for sure. This means that if one divulges confidential information over a mobile phone, he would definitely need an extra layer of security, such as further encrypting that call, and obviously protecting the physical security of his mobile phone as best as possible.