Schneier on Security

I read about it on iTech News:

http://www.itechnews.net/2007/02/15/gsmk-cryptophone-g10i-secure-phone/

Also apparently uses AES256.

Other features: Microsoft Windows Mobile 5 OS, 2.2-inch screen, a 1.3 Megapixel camera, integrated media player, USB, Bluetooth, and a microSD card slot.

All I know. Don't know if it was what you were looking for. Hope it helps.

Their website proudly proclaims "no backdoors"… and yet it's using a very complex closed-source operating system which isn't even the most recent version. Doing a quick Google for "Windows Mobile 5 security flaw" disproves this theory.

I'll be a happy camper when my iPhone has IAX2 with encryption (AES128) or SIP/SRTP, a known and fairly well understood system.

The itechnews article mentions it runs Windows Mobile, but from a cursory look at the specs on the official site I can't find any reference to it.

If it does indeed run Windows Mobile it would apparently preclude "full source code" availability as mentioned in the specs.

From the EULA on the source code download page:

"You shall not... modify... or create derivative works based upon the Software"

So, at most, the code is available for audit. It is not "open source" in the sense of being able to patch any flaws independent of vendor intervention.

Ah yes, I have heard of this Twofish :)

If there's not already a Government chip built in, they will at least know you're one of the .0017 of the populace encrypting communications, therefore you must be a terrorist. So they will bug your undershirts and the undergarments of anyone with whom you talk.

From the manual, pg 27:

"In theory it is possible to install Microsoft Smartphone compatible software 3rd party software on your GMSK Cryptophone device."

Behind the company and development of the phone are Andy Müller-Maguhn and Frank Rieger of the Chaos Computer Club (CCC) in Germany. They take encryption and full disclosure very serious.

According to the register of corporations, the members of the company are Andreas Müller-Maguhn, Björn Rupp, and Frank Rieger. I leave it to the audience to find out more about their background.

And regarding to the use of Windows CE, please check out the FAQ at http://www.cryptophone.com/qa/technical/index.html#vier

The device pictured looks like the HTC Star Trek or Cingular 3125.

They don't claim "open source". They say, "full source code available for independent review."

Had a pair of Cryptophones for test last week, what a coincidence :-)

Delay is ca 1.5-2 sec, but quality quite OK. But what amazed me most was salestalk describing solutions to most of my fears (from auditable code to shipping in tamper-proog packaging).

btw, http://cryptophone.com/support/downloads/index.html has downloadable Windows software (yeah, I know...) that can be tried over landline modem connections.

Take a look at:
http://www.hopenumbersix.net/speakers.html

"The CryptoPhone Project"

A lecture/speech about the CryptoPhone is available for download.
http://www.hopenumbersix.net/mp3/16/cryptophone.mp3

http://www.cryptophone.de/background/encryption/

No MAC, I note - given that the designers otherwise seem to know what they're doing, perhaps the output has to be exactly the same length as the input.

I note some familiar German names in the references :-)

The CryptoPhone uses Twofish and AES 256 in parallel, both with 256 bit key length, derived from a 4096 bit DH key exchange. SHA 256 is used for the hash. The source is indeed available for review under a special license.

The operating system is a stripped down version of Windows Mobile, where we remove a substantial number of known and potential attack vectors to prevent outside attacks. (Large parts of Windows Mobile are btw. available from MS under their "shared source" license.)

We certainly will bring the CryptoPhone onto other phone platforms, like Linux, as soon as there is a comercially viable phone with a reasonable stable distribution, maintained by people who know about security issues on mobile devices. Unfortunatelly, neither the iPhone nor the various experimental Linux based devices are currently in this state.

Andreas Müller-Maguhn, is a member of the "Chaos Computer Club", www.ccc.de.
(A german hacker club) and I think the product is called Cryptophone, because of this guy:

http://en.wikipedia.org/wiki/Tron_%28hacker%29

I think that this type of phone is still susceptible to a man in the middle attack by an opponent with substantial resources.

There were good technical presentations of the Cryptophone project at the Fifth HOPE and HOPE Number Six meetings (2004 and 2006). Interesting for the amount of effort required to run a secure phone on a standard hardware platform and operating system.

Recording of Frank Reiger and Barry Wels from 6th Hope here: http://www.hopenumbersix.net/mp3/16/cryptophone.mp3

I notice that it uses a readout hash against MITM attacks, similar to Phil Zimmerman's ZFone.

Which is probably the only really secure and usable way of doing authentication of a voice partner, but it becomes an interesting problem on a mobile phone form factor like the model pictured in the link - how to read the screen, speak, and listen, at the same time...

(see http://zfoneproject.com/ - beware of silly professionally-designed website)

A promising possible alternative platform for secure portable devices is the FIC Neo1973 cellphone. Fully documented hardware, truly open-source software, production schedule slipped again.

I can't find any confirmation of this on any official site (like cryptophone.de) but I believe Rop Gonggrijp is the founder of the company. He is also one of the people who fought against the dutch voting computers and won. He is a person I would trust with security.

@Floor: Do you know Ron personally? If not why would you then trust him with your security? Based on his reputation? Ai...

The dutch government just ordered 27 of them.

@Floor: To my knowledge, Rop Gonggrijp is the founder of the encryption algorithm, not of the company itself.

The phone is an interesting and to my views pretty secure solution of the transport of conversations. However, it might put an emphasis on personal surveilance or hidden microphones on the caller/receiver or his office.

Despite it's encrypted transmission, I wonder if the biggest flaw in the security is that users will *still* read out their credit card details (to telesales people) in a loud voice while standing on a crowded train...

One would also want some sort of portable audio jammer solution with that... Some form of folding sound reducing card-board box with active audio noise generators on outside ;)

http://www.dilbert.com/comics/boyonastick/archive/images/boyonastick2002222271107.gif

Bruce, didn't you already mention this yourself in Crypto-Gram 2003-12-15?
http://www.schneier.com/crypto-gram-0312.html#3

These phones are pretty neat, if somewhat expensive. The Cource code is openly availabe (not free).
They open a data call and tunnel the encrypted voice through it.
In standard mode, the WM5 should be locked down, that is, you can´t install apps on it, which you might not want to anyway.
I talked to the guys at CEBit, and they seemed to know what they were talking about.
Yes, you would need to trust them to really put the code which is open on the phone...

From there on, the phone is sealed in a box until it reaches you.

MJ2K

The phone's specs state that it uses Diffie-Hellmann for key agreement, and that this key is destroyed on hangup. It also states "Readout-hash based key authentication."

So, let me get this straight... In order to have a secure (MITM-resistant) conversation, you need a second *secure* channel to verify each others' hashes on? EVERY TIME you want to make a phone call?

If you already have that channel to verify keys on, why not communicate over that one? Unless I am missing something, this kind of defeats the purpose of the phone.

@ anon

It may seem paradoxical, but you can actually use the non-authenticated tunnel that was established using DH, to authenticate that tunnel.

The trick is that you will typically already have an authentication device in place with the person you're talking to - you recognize their voice (in a video scenario, also their face). To establish that the person on the other end of the line is actually in possession of the other end of the encrypted tunnel, you each recite a hash based on the DH public key that was just sent. You hear, in the voice of your interlocutor, material that proves that person actually sent the DH public key you negotiated with.

To defeat this, an attacker would have to be able to perfectly imitate the voice of each party to the other, and time their insertion of the faked credentials perfectly so you don't notice weird cuts on the voice channel.

PGPFone did this way back when, Zfone does it, and now this product does.

The details may vary from one product to another. I don't know if this product does it, but Zfone actually manages to arranges it so that material from all your previous conversations is cleverly rolled into the hash. The benefit is, each time you do check credentials you get assurance not only that there is no MITM in this conversation, but that there has been no MITM in any previous conversation. That way if you miss checking in one conversation, you can still retroactively check for attacks later.

@Alex: I don't know him personally, but based on his past work, interviews I've seen and emails I've read, I believe he knows what he's talking about. At least enough to open the source so people don't have to trust him.

@Anonymouse: From http://en.wikipedia.org/wiki/Rop_Gonggrijp : "In 2001, Gonggrijp started work on the Cryptophone, a mobile telephone that can encrypt conversations.".
And according to the cryptophone site, the phone uses AES 256 and Twofish. Can you specify which algorithm Rop Gonggrijp invented?

I'm assuming both parties need to have one of these phones to have encrypted communication... can someone verify this, or explain to me how it works otherwise?

@ Bob

Well, if nothing else, the fact that they're publishing the cryptosystem for general use means that in theory any vendor could make a compatible device...

@Bob:

Yes, I think that is a correct assumption. Both parties need to have one of these phones to have a secure conversation. (I assume it falls back to regular GSM if the other party doesn't have it.)

It sounds like they are interested (judging from above comment) on rolling out interoperable versions for other infrastructures, perhaps including VoIP; that would make them much more flexible.

@Frank Rieger,

Thanks for setting things straight.

Making the source code available for review is nice, but it accomplishes nothing unless I can verify that it is what I am actually running on my phone... by compiling and installing it myself, for example. And, as someone already pointed out, the fact that this code runs on a closed operating system spoils the party anyway. So, it's a good idea that just doesn't go quite far enough.

A secured phone like this is a clear sign that its being used for interesting conversations. This makes it a prime target for switch attacks (either the firmware or the entire device). I'd put more trust in lots of pre-paid cards each with their unique number and using coded words.

I found this bit on the Scenarios page amusing:

... " comes from a region where traditionally the division between government and business interests is not very sharp" ...

I immediately though of the Bush Administration and Hollywood / big oil / etc...

Ah how soon do we forget,

http://www.schneier.com/blog/archives/2006/03/the_analog_hole.html

So how will this help?

Hum, what about the price? I didn't see the price on their website, even if you click on the "ordering" section...

@Matej
I got a got a qoute from them by sending them an e-mail.
If i remember correctly, it was something like 1000EUR, icluding shipping to germany...

Not THAT expensive, i think.

Messerjocke2000

Trust windows mobile devices.

They are unsecure by default and with built-in backdoors from NSA:
http://www.digg.com/security/NSA_has_access_to_Windows_Mobile_smartphones

I would only use Linux or Symbian based devices that better protect you from the USA privacy invasion.

Not only they have backdoors inside the operating system but also are plenty of virus/trojan:
http://www.geekzone.co.nz/content.asp?contentid=3137

and plenty of vulnerabilities/exploits:
http://bgcooper.com/2007/03/05/windows-mobile-mms-exploit/

I agree that the only secure mobile operating system for sensitive communication is Symbian OS because it's a Trusted Operating System and execution of software require authorization and validation by Nokia and Symbian.

There are a couple of products out there for Symbian OS:
- PrivateGSM: http://www.privategsm.com
Swiss product
- Gold-Lock: http://www.gold-lock.net
Israelian product

Still, i won't trust in any case a Windows Mobile based device for my own secure communications.

I would be aware that companies that sell mainly to governments cannot be trusted.

Just think about this situation.
You are Cryptophone, Crypto AG, Cellcrypt, Snapcom and other companies that mainly sells to governments (politician, military, public safety) customers. Then they are also open to the private sectors but the profits from this sectors are marginal.

Suppose that you get 5mln EUR of revenue from governments and 300k EUR from private sectors.

What you will do if the governments, with it's own very big contractual power, ask you to place a backdoor inside the software release that you sell to private sectors?

Are you willing to loose more than 90% of your revenue and go in bankrupt because you don't want to place a backdoor?

Be aware guys, DONT TRUST PRODUCTS AND COMPANIES THAT SELL TO GOVERNMENTS.

THEY HAVE CONFLICT OF INTEREST.

NO TRUST TO THAT COMPANIES.

The only solutions are private sectors based and opensource based companies.

The Digg link appears to be crap; here's the actual story @ SecuriTeam.

Note that they appear to have been hacked; "#
el*Loco, on November 4th, 2007 at 7:44 pm Said:

Maybe someone at securiteam wants to have a look at the HTML source of this article, and then remove the links and secure the wordpress installation?
#
Juha-Matti, on November 5th, 2007 at 11:29 am Said:

The administrator is aware and these links have been removed earlier today."

Looking at the "list", it appears to be nonsense; does anyone really think the ham radio netblock is TEH NSA? Or this one:

China Internet Network Information Center
Beijing CN
211.94.0.0 - 211.103.255.255
211.155.128.0 – 211.163.255.255
dns1.cnuninet.net [211.94.33.193]
dns2.cnuninet.net [211.94.33.194]

Yeah, the Chinese NIC would really let the NSA in:-)

Or this one?

Bharti Airtel Ltd.
New Delhi, INDIA
61.95.128.0 - 61.95.255.255
61.246.0.0 – 61.247.255.255
117.96.0.0 - 117.99.255.255
122.160.0.0 - 122.175.255.255
203.145.128.0 - 203.145.191.255
dnsdel.mantraonline.com [202.56.230.5]
aaadel.mantraonline.com [202.56.230.6]
dnsblr.mantraonline.com [202.56.250.5]
dnsbom.mantraonline.com [202.56.240.5]

In fact the list includes ALL ChinaTel and ChinaNetcom's networks; clearly, whoever compiled it just dumped the IANA allocations and the operators of Cryptome are insufficiently clueful to critically assess Internetworking issues.

As an aside, if you're going to use this, be sure that you have a liberal data plan with your cellular phone service provider. It uses "circuit-switched data calls", meaning it won't use minutes, it'll use kbytes.

@FromGermanyWithLove, @Security CTO:

As I wrote above, we remove quite a number of components fromt the Windows Mobile OS to exclude attack vectors. The result is of course a reduction of features available to the user, so we built the component removal into a Security Manager, that allows the user to choose between potentially risky OS functions and better security.

MMS is removed by default in all security levels, as it is a horrifiying protocoll that allows an attacker to send 100K of binary through a set of really badly written parsers onto the phone. Also removed by default is SIM Toolkit, which is older but equally nasty. In the upper Security Manager levels, the IP stack is deactivated. We did this btw. long before it became public that MMS can be broken, as we conduct our own audits (if necessary on the binary) of critical components of the OS and rather remove a feature that we feel bad about then risk it being exploited.

As for the purported security of Symbian: what exactly makes you believe that the code signature mechanism really works and even if we assume for a moment that it works perfectly, that the vendor won't happily sign a piece of code provided to him by the NSA?

And for the security of Linux based devices: the mobile distributions we have seen so far are not at the same state of security as your desktop distribution of choice is. I agree that in theory an open source OS is more trustworthy and we will port CryptoPhone over, as soon as there are viable options. Unfortunatelly, there is no open source OS phone today that would result in a commercially viable product.

@GovernmentsFear: We have declined a number of substantial government contracts in the past because these governments wanted a back door to listen to their own people. We lost quite some potential business because of that. But we rather sleep well keeping up with our "no back doors for anyone"-policy then have some other government banging at our door wanting access to that back door. If you think about it for a moment, having really no back door is the only sensible policy for quite a number of reasons.

@Andy: Circuit Switched Data calls are billed by the minute. Essentially it is a digital modem call (v.110 or v.32). GPRS/EDGE/UMTS is billed by the kilobyte, but we don´t use that (yet).

@ Frank Rieger:

If your product uses CSD a la http://www.securegsm.com/ , how does it perform with inter-continental calls, where each party to the call is in a different country?

In some countries, providers don't enable CSD anymore at all, or they do it only on post-paid services, not pre-paid thus removing a layer of anonymity.

I have tested similar products that use CSD for encrypted calls and found that even if I find a telco that provisions CSD on a prepaid SIM card (and the list of these telcos is shrinking), I had horrible latency and quality issues with international calls.

Wouldn't it be better to use IP communication instead of CSD ?

@ Frank Rieger:

If your product uses CSD a la http://www.securegsm.com/ , how does it perform with inter-continental calls, where each party to the call is in a different country?

In some countries, providers don't enable CSD anymore at all, or they do it only on post-paid services, not pre-paid thus removing a layer of anonymity.

I have tested similar products that use CSD for encrypted calls and found that even if I find a telco that provisions CSD on a prepaid SIM card (and the list of these telcos is shrinking), I had horrible latency and quality issues with international calls.

Wouldn't it be better to use IP communication instead of CSD ?

I tried both "SecureGSM and Cryptech encrypted mobile phone with CSD channels in lots of countries. Never tried Cryptophone (too expensive). Cryptech and SecureGSM both work but in some countries the line configuration must be tuned because of international roaming.

I even tried a IP communication solution for mobile device - Babylon - but the delay is way too long (> 3 seconds) with GPRS and a bit better with UMTS. UMTS is not available everywhere, so this is not a good alternative to CSD data channel.

I bought Caspertech encrypted phone (named "Cryptech") and it works well, even when you call from abroad. Recently, they added some very useful features such as GPS/GSM location and remote wiping: http://www.caspertech.com/tech.php

I bought Caspertech encrypted phone (named "Cryptech") and it works well, even when you call from abroad. Recently, they added some very useful features such as GPS/GSM location and remote wiping: http://www.caspertech.com/tech.php

Our company purchased 300 units of PhoneCrypt 8 months ago: http://www.securstar.com/products_phonecrypt.php
I have to say that we are very happy with the product quality and the support we got from SecurStar.
Before purchasing PhoneCrypt we extensively tested many other products: Gold-Lock, CryptoPhone, SecureGSM, and Cryptech; we found that PhoneCrpyt offered the best line stability, voice quality and the lowest delay. In addition it encrypts SMS messages and has a build in secure conversation recorder. The other mentioned products worked more less ok as long as you dont need them in a professional enviroment. As for the GSMK product we discovered the source-codes they claim are disclosed, are definitely not the ones of the commercial version (not even slightly), even worst, the product is ridiculosly expensive for no good reason.

Cryptech has problems with international calls (especially if intercontinental), http://www.phonecrypt.com worked much better. They now announced a version that works on the voice channel.