ZRTP weakness – iPhone, Red Phone, Silent Circle and all providers using ZRTP
- Is Signal a secure and secret way to communicate via voice calls?
- Attacking Crypto Phones: Weaknesses in ZRTPCPP
- The ZRTP “Disclosure flag”
Government bypass of encryption or iPhone
Researchers Find Flaws That Mean Anyone Can Listen To Your Cell Phone Calls
Security flaws discovered by German researchers could allow hackers to listen in on private phone calls and intercept text messages en masse, the Washington Post reports.
The weaknesses in the global cellular network are to be reported at a hacker conference in Hamburg this month, by Tobias Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs.
The Post reports that these experts believe that SS7, the global network that allows cellular carriers worldwide to route calls and messages to each other, has “serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.” Researchers in Germany have discovered that hackers with an in-depth knowledge of SS7’s different features would be able to exploit certain functions to listen to private calls and intercept text messages.
One way that hackers could intercept calls would be to exploit cellular carriers’ forwarding function — which allows a user to have his calls directed to another number — by redirecting “calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.”
Despite mobile carriers working to secure data, the Post reports that the weaknesses in SS7 have left millions vulnerable:
“These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.”
It’s unclear how much, if any, data has been intercepted due to these vulnerabilities, but as Engel told the Post, “I doubt we are the first ones in the world who realize how open the SS7 network is.”
Who’s catching your cellphone conversations?
“Information about where we are and where we go over the course of time can reveal sensitive information about our lives,” he says. “Whether we visit a psychologist, go to an AA meeting, stop off at a liquor store after work, who we spend time with: That information should be private.”
With the right equipment, people can hijack your cellphone, listen to your calls and read your texts, alarming privacy rights advocates and tech experts alike.
We know the eavesdropping is happening, but we don’t know much about who’s doing the listening. The police and other law enforcement agencies do it, but they have been restricted by the FBI from telling us about it. Beyond the police, the listeners could be the U.S. government, corporate spies or even foreign intelligence agencies.
The devices, known as IMSI catchers or by a brand name, Stingray, used to be expensive, bulky and hard to purchase. Now they can be bought online for as little as $1,800 and can be as small as a briefcase.
IMSI catchers trick cellphones into thinking they’re connected, as normal, to a network like Verizon or AT&T. But the devices hijack the phone’s signal, and in some cases, intercept the contents of calls and texts. The IMSI catchers take advantage of a vulnerability built into the system. Phones using 3G or 4G technology can authenticate cell towers, but phones on older 2G systems cannot tell between real and fake towers.
An IMSI catcher blocks the smarter 3G and 4G signals, forcing phones in the area to switch to the unsecured 2G service — something that phones also do routinely in more rural areas, where 2G service is widespread. The IMSI catcher then poses as a tower and “catches” signals.
IMSI catchers — the letters stand for International Mobile Subscriber Identity, a code unique to each phone — have gotten little media attention. But in August, Popular Science published a map showing the locations of a large number of IMSI catchers, or interceptors, spread throughout the U.S.
Now, there’s an arms race on between the technology used to intercept cellphone calls and the technology used to detect that technology.
The map was made by a company that sells a device, called a GSMK CryptoPhone, that can detect the interceptors — known as an IMSI catcher-catcher. ESD America says that it and its customers have used the CryptoPhone to find some 500 of the fake cell towers.
“Interceptor use in the U.S. is much higher than people had anticipated,” ESD CEO Les Goldsmith told Popular Science. “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.”
The CryptoPhone, which sells for $3,500, is built onto a Samsung Galaxy SIII phone.
In September, another CryptoPhone marketing executive drove around Washington, D.C., looking for signs of IMSI catchers. He said he found 18 in less than two days.
The map of those locations is unnerving. “It looks,” writes Ashkan Soltani of The Washington Post, “like a primer on the geography of Washington power, with the surveillance devices reportedly near the White House, the Capitol, foreign embassies and the cluster of federal contractors near Dulles International Airport.”
Granted, these executives will profit from sales of the CryptoPhone. Some security experts are skeptical that the CryptoPhone can pinpoint with accuracy the location of the IMSI catchers.
But there’s enough evidence to alarm others, including the Federal Communications Commission, which set up a task force in August “to combat the illicit and unauthorized use of IMSI catchers.” Set up in response to congressional questioning, the task force will study the extent of IMSI catcher use by criminal gangs and foreign intelligence services.
Pell, of the Army Cyber Institute, says the real issue is the cell system’s underlying vulnerability. She sees it as a threat to national cybersecurity.
“Whatever effective monopoly the U.S. government once had over the use of IMSI catchers is now gone,” Pell writes in Wired. Fixing that flaw would hinder some law enforcement efforts, but that cost is outweighed by the benefit of knowing no foreign elements are listening in on government officials’ conversations, she says.
We know more about police using Stingrays — often from the trail of objections by privacy rights advocates — but we still don’t know much.
The FBI, Secret Service, National Security Agency and at least nine other national agencies use IMSI catchers, according to the American Civil Liberties Union.
Some 46 local agencies in 18 states use the technology — but because most acquire Stingrays secretly, that number “dramatically underrepresents the actual use of stingrays by law enforcement agencies,” the ACLU says.
Local police acquire Stingrays secretly, an FBI requirement. Before using the technology, police departments must sign nondisclosure agreements promising not to release Stingray details to the public, according to documents obtained in September by the website MuckRock under a Freedom of Information Act request.
The Florida-based Harris Corp., maker of the Stingray, notifies the FBI and FCC when police request the technology, and the FBI then requires the nondisclosure agreement. The arrangement is a condition of Harris’ FCC equipment authorization, explains Nathan Wessler, an attorney with the ACLU.
That secrecy — along with grants from the Department of Homeland Security — has allowed police to get and use Stingrays without local approval or oversight, he says. When the ACLU sued the Tucson, Ariz., police for Stingray records, an FBI agent invoked the FBI nondisclosure agreement as a reason to keep the information secret, Wessler says.
When police use them against potential suspects, they can sweep up information from the cellphones of dozens or even hundreds of bystanders. They do these sweeps without warrants and without telling the public how much information they keep or for how long, Wessler says.
“I do think the average person should be concerned about this,” he says.