Friday, May 14, 2010

Voice Encryption


Voice Encryption: around 65% or more of the world's population uses a mobile phone, and the mobile phone business is a multi-million-dollar one. We use mobile phones even to book tickets online using a credit card number and personal details, and on many occasions we tend to use one or a few of these details as our password just to keep it simple. As general users we assume our telephone conversations are secure and that no one is hearing our conversation other than the person we are speaking to. Law enforcement agencies can tap your call, but they won't do it unless it is very necessary.
But the reality is any one with basic technical skills and financially motivated.
Statistics show government agencies on average conduct 50,000 legal wiretaps per year (legal = those where a court order is required; let's not forget Echelon, http://tinyurl.com/yetrajm). Another 150,000 phones are illegally tapped by private detectives, spouses, boyfriends and girlfriends trying to catch a potential cheater. Another estimate shows up to 100,000 phones are wiretapped by companies and private industry in some form of industrial espionage. It is happening and it is big business.
It has indeed become essential for us to know the ways to secure our calls, or at least to understand the risk of the potential exploit. I saw this article with a technical explanation of how secure the voice encryption products are. According to infosecurityguard.com:
I knew if I was able to compromise the security I just had to decide if it was as, less or more effective than breaking the encryption and which method was the most efficient. Unfortunately for almost all of the solutions they failed and I was able to simply compromise their security, intercept a phone call in real-time bypassing the entire encryption. The really surprising element was how extremely simple it is.
All of the products have basic system requirements (i.e. OS, data connection etc). Well, they also all depend on the spoken voice being fed into the microphone. This is the basic concept of some of the commercial wiretapping tools available on the market, so I thought I would take the same approach.
At what point does the software begin to encrypt the voice input and audio output? So let's capture it before that happens. This way I do not have to bother or worry about what encryption algorithms or key exchanges are being used; it really becomes a non-issue.
To read more about the technical voice encryptions click here
The lack of voice encryption opens a world of attack opportunities. With a readily available wiretapping utility costing as little as $100, as well as his own ‘homemade’ Trojan, Notrax was able to bypass the encryption and eavesdrop by capturing conversations from the microphone and speaker in real time. By suppressing any rings, notifications or call logs, these attacks go completely undetected. And while Trojans can be installed manually by someone with access to the phone, they could equally be delivered via email, SMS or a mobile application.
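A defender-side check for the point above, that audio read at the microphone never touches the call's encryption: list every process holding a capture device open that is not the expected call application. This is an added example, not code from the original post or from infosecurityguard.com; it assumes a Linux host with ALSA device naming, and the process names, PIDs and allowlist are constructed.

```python
import os
import re

# Assumption: ALSA capture endpoints look like /dev/snd/pcmC0D0c
# (trailing "c" = capture, "p" = playback).
CAPTURE_DEV = re.compile(r"^/dev/snd/pcmC\d+D\d+c$")

def find_mic_readers(open_files, allowlist):
    """Return sorted (pid, name, device) for every process that holds a
    capture device open and is not in the allowlist of expected apps."""
    hits = []
    for pid, (name, paths) in open_files.items():
        for path in paths:
            if CAPTURE_DEV.match(path) and name not in allowlist:
                hits.append((pid, name, path))
    return sorted(hits)

def snapshot_proc(proc_root="/proc"):
    """Build {pid: (name, [open file paths])} from a Linux /proc tree.
    Processes we may not inspect (other users, already exited) are skipped."""
    snap = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as fh:
                name = fh.read().strip()
            fd_dir = os.path.join(base, "fd")
            paths = [os.readlink(os.path.join(fd_dir, fd))
                     for fd in os.listdir(fd_dir)]
        except OSError:
            continue
        snap[int(entry)] = (name, paths)
    return snap

# Constructed sample: the call app plus one unexpected process on the mic.
SAMPLE = {
    410: ("securecall", ["/dev/snd/pcmC0D0c", "/dev/snd/pcmC0D0p", "socket:[9912]"]),
    733: ("updatesvc", ["/dev/snd/pcmC0D0c", "/tmp/cache.bin"]),
    902: ("player", ["/dev/snd/pcmC0D0p"]),
}

if __name__ == "__main__":
    # Hypothetical allowlist: only the call app should hold the microphone.
    for pid, name, dev in find_mic_readers(snapshot_proc(), {"securecall"}):
        print(f"unexpected capture handle: pid={pid} name={name} dev={dev}")
```

Run it as root to see other users' processes. Where a sound server owns the device, the server is the only holder this check sees, so per-client attribution has to come from the server's own client list.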
List of Software solutions available with their tested status
The list of tested solutions includes:
  • Caspertec (Software) - Intercepted / insecure
  • CellCrypt (Software) - Intercepted / insecure
  • Cryptophone (Hardware) - Intercepted / insecure
  • Gold-Lock (Software) - Intercepted / insecure
  • Illix (Software) - Intercepted / insecure
  • No1.BC (Hardware SD-Card) - Intercepted / insecure
  • PhoneCrypt (Software) - Secure
  • Rode&Swarz (Hardware Bluetooth) - Secure
  • Secure-Voice (Software) - Intercepted / insecure
  • SecuSmart (Hardware SD-Card) - Intercepted / insecure
  • SecVoice (Software) - Intercepted / insecure
  • SegureGSM (Software) - Intercepted / insecure
  • SnapCell (Hardware) - Secure
  • Tripleton (Hardware) - Still Under Review
  • Zfone (Software) - Intercepted / insecure
  • ZRTP (Software) - Intercepted / insecure.
Phone Crypt and Rode&Swarz are two products considered secure, and I can find product reviews on
PhoneCrypt
Phone Crypt is an innovative solution based on military-grade encryption (RSA 4096 bits and AES 256 bits), the same technology used by the FBI and CIA, which effectively protects your landline, mobile and PBX phones from access by intruders. It also protects against Trojan horses.

PhoneCrypt Features

• RSA 4096 bit & AES 256 bit Encryption;
• Diffie-Hellman (DH) Key Exchange;
• MD5 & SHA512 Hash for voice integrity;
• Protection Agents detect, alert and defend against attacks;
• Excellent voice quality;
• Easy to use and intuitive interface for users - the user doesn't need knowledge of security or technology;
• Voice encryption, immediate and automatic message, without any need of interaction from the user;
• The software uses internet connectivity through 3G, UMTS, HSPA, W-CDMA, EDGE, GPRS and WiFi for data transmission;
• Completely safe – no secure data is saved in the device at any time;
• No user intervention is required in security procedures;
• Low processor requirements (less than 150 MHz);
• Works in devices with Windows Mobile systems without modifying or inhibiting any other function;
• Encrypts communication on landline and mobile phones;
• Advanced detector of phone calls;
• Superior voice quality (QOS).
To get a detailed technical insight into PhoneCrypt, click here
I urge you to read the interesting article/demo from infosecurityguard.com to gain more understanding on voice encryption products.
Some recent news development about Cell Phone Security: