Alice McGregor November 7, 2007 3:02 PM

Their website proudly proclaims “no backdoors”… and yet it’s using a very complex closed-source operating system which isn’t even the most recent version. Doing a quick Google for “Windows Mobile 5 security flaw” disproves this theory.

I’ll be a happy camper when my iPhone has IAX2 with encryption (AES128) or SIP/SRTP, a known and fairly well understood system.

Daniel November 7, 2007 3:05 PM

The itechnews article mentions it runs Windows Mobile, but from a cursory look at the specs on the official site I can’t find any reference to it.

If it does indeed run Windows Mobile it would apparently preclude “full source code” availability as mentioned in the specs.

Mark November 7, 2007 3:23 PM

From the EULA on the source code download page:

“You shall not… modify… or create derivative works based upon the Software”

So, at most, the code is available for audit. It is not “open source” in the sense of being able to patch any flaws independent of vendor intervention.

Pair O'Noid November 7, 2007 3:27 PM

Ah yes, I have heard of this Twofish 🙂

If there’s not already a Government chip built in, they will at least know you’re one of the .0017 of the populace encrypting communications, therefore you must be a terrorist. So they will bug your undershirts and the undergarments of anyone with whom you talk.

Fred P November 7, 2007 3:32 PM

From the manual, pg 27:

“In theory it is possible to install Microsoft Smartphone compatible software 3rd party software on your GMSK Cryptophone device.”

Mr. F November 7, 2007 3:47 PM

Behind the company and development of the phone are Andy Müller-Maguhn and Frank Rieger of the Chaos Computer Club (CCC) in Germany. They take encryption and full disclosure very serious.

Peeter Marvet November 7, 2007 4:28 PM

Had a pair of Cryptophones for test last week, what a coincidence 🙂

Delay is ca 1.5-2 sec, but quality quite OK. But what amazed me most was salestalk describing solutions to most of my fears (from auditable code to shipping in tamper-proog packaging).

btw, has downloadable Windows software (yeah, I know…) that can be tried over landline modem connections.

Frank Rieger November 7, 2007 4:31 PM

The CryptoPhone uses Twofish and AES 256 in parallel, both with 256 bit key length, derived from a 4096 bit DH key exchange. SHA 256 is used for the hash. The source is indeed available for review under a special license.

The operating system is a stripped down version of Windows Mobile, where we remove a substantial number of known and potential attack vectors to prevent outside attacks. (Large parts of Windows Mobile are btw. available from MS under their “shared source” license.)

We certainly will bring the CryptoPhone onto other phone platforms, like Linux, as soon as there is a comercially viable phone with a reasonable stable distribution, maintained by people who know about security issues on mobile devices. Unfortunatelly, neither the iPhone nor the various experimental Linux based devices are currently in this state.

RC November 7, 2007 5:01 PM

I think that this type of phone is still susceptible to a man in the middle attack by an opponent with substantial resources.

Zygmunt Lozinski November 7, 2007 5:36 PM

There were good technical presentations of the Cryptophone project at the Fifth HOPE and HOPE Number Six meetings (2004 and 2006). Interesting for the amount of effort required to run a secure phone on a standard hardware platform and operating system.

Recording of Frank Reiger and Barry Wels from 6th Hope here:

dragonfrog November 7, 2007 6:05 PM

I notice that it uses a readout hash against MITM attacks, similar to Phil Zimmerman’s ZFone.

Which is probably the only really secure and usable way of doing authentication of a voice partner, but it becomes an interesting problem on a mobile phone form factor like the model pictured in the link – how to read the screen, speak, and listen, at the same time…

(see – beware of silly professionally-designed website)

Shad November 7, 2007 6:34 PM

A promising possible alternative platform for secure portable devices is the FIC Neo1973 cellphone. Fully documented hardware, truly open-source software, production schedule slipped again.

Floor November 7, 2007 6:41 PM

I can’t find any confirmation of this on any official site (like but I believe Rop Gonggrijp is the founder of the company. He is also one of the people who fought against the dutch voting computers and won. He is a person I would trust with security.

Alex November 8, 2007 2:21 AM

@Floor: Do you know Ron personally? If not why would you then trust him with your security? Based on his reputation? Ai…

Anonymouse November 8, 2007 2:46 AM

@Floor: To my knowledge, Rop Gonggrijp is the founder of the encryption algorithm, not of the company itself.

The phone is an interesting and to my views pretty secure solution of the transport of conversations. However, it might put an emphasis on personal surveilance or hidden microphones on the caller/receiver or his office.

Andrew K November 8, 2007 2:50 AM

Despite it’s encrypted transmission, I wonder if the biggest flaw in the security is that users will still read out their credit card details (to telesales people) in a loud voice while standing on a crowded train…

Aleksejs November 8, 2007 2:53 AM

One would also want some sort of portable audio jammer solution with that… Some form of folding sound reducing card-board box with active audio noise generators on outside 😉

Messerjocke2000 November 8, 2007 7:19 AM

These phones are pretty neat, if somewhat expensive. The Cource code is openly availabe (not free).
They open a data call and tunnel the encrypted voice through it.
In standard mode, the WM5 should be locked down, that is, you can´t install apps on it, which you might not want to anyway.
I talked to the guys at CEBit, and they seemed to know what they were talking about.
Yes, you would need to trust them to really put the code which is open on the phone…

From there on, the phone is sealed in a box until it reaches you.


anon November 8, 2007 8:55 AM

The phone’s specs state that it uses Diffie-Hellmann for key agreement, and that this key is destroyed on hangup. It also states “Readout-hash based key authentication.”

So, let me get this straight… In order to have a secure (MITM-resistant) conversation, you need a second secure channel to verify each others’ hashes on? EVERY TIME you want to make a phone call?

If you already have that channel to verify keys on, why not communicate over that one? Unless I am missing something, this kind of defeats the purpose of the phone.

dragonfrog November 8, 2007 11:18 AM

@ anon

It may seem paradoxical, but you can actually use the non-authenticated tunnel that was established using DH, to authenticate that tunnel.

The trick is that you will typically already have an authentication device in place with the person you’re talking to – you recognize their voice (in a video scenario, also their face). To establish that the person on the other end of the line is actually in possession of the other end of the encrypted tunnel, you each recite a hash based on the DH public key that was just sent. You hear, in the voice of your interlocutor, material that proves that person actually sent the DH public key you negotiated with.

To defeat this, an attacker would have to be able to perfectly imitate the voice of each party to the other, and time their insertion of the faked credentials perfectly so you don’t notice weird cuts on the voice channel.

PGPFone did this way back when, Zfone does it, and now this product does.

The details may vary from one product to another. I don’t know if this product does it, but Zfone actually manages to arranges it so that material from all your previous conversations is cleverly rolled into the hash. The benefit is, each time you do check credentials you get assurance not only that there is no MITM in this conversation, but that there has been no MITM in any previous conversation. That way if you miss checking in one conversation, you can still retroactively check for attacks later.

Floor November 8, 2007 11:22 AM

@Alex: I don’t know him personally, but based on his past work, interviews I’ve seen and emails I’ve read, I believe he knows what he’s talking about. At least enough to open the source so people don’t have to trust him.

@Anonymouse: From : “In 2001, Gonggrijp started work on the Cryptophone, a mobile telephone that can encrypt conversations.”.
And according to the cryptophone site, the phone uses AES 256 and Twofish. Can you specify which algorithm Rop Gonggrijp invented?

Bob November 8, 2007 12:41 PM

I’m assuming both parties need to have one of these phones to have encrypted communication… can someone verify this, or explain to me how it works otherwise?

dragonfrog November 8, 2007 12:44 PM

@ Bob

Well, if nothing else, the fact that they’re publishing the cryptosystem for general use means that in theory any vendor could make a compatible device…

Kadin2048 November 8, 2007 12:53 PM


Yes, I think that is a correct assumption. Both parties need to have one of these phones to have a secure conversation. (I assume it falls back to regular GSM if the other party doesn’t have it.)

It sounds like they are interested (judging from above comment) on rolling out interoperable versions for other infrastructures, perhaps including VoIP; that would make them much more flexible.

dude November 8, 2007 1:26 PM

Making the source code available for review is nice, but it accomplishes nothing unless I can verify that it is what I am actually running on my phone… by compiling and installing it myself, for example. And, as someone already pointed out, the fact that this code runs on a closed operating system spoils the party anyway. So, it’s a good idea that just doesn’t go quite far enough.

miw November 8, 2007 2:41 PM

A secured phone like this is a clear sign that its being used for interesting conversations. This makes it a prime target for switch attacks (either the firmware or the entire device). I’d put more trust in lots of pre-paid cards each with their unique number and using coded words.

Jamie November 8, 2007 3:34 PM

I found this bit on the Scenarios page amusing:

… ” comes from a region where traditionally the division between government and business interests is not very sharp” …

I immediately though of the Bush Administration and Hollywood / big oil / etc…

Matej November 9, 2007 2:15 AM

Hum, what about the price? I didn’t see the price on their website, even if you click on the “ordering” section…

Messerjocke2000 November 9, 2007 2:30 AM

I got a got a qoute from them by sending them an e-mail.
If i remember correctly, it was something like 1000EUR, icluding shipping to germany…

Not THAT expensive, i think.


FromGermanyWithLove November 9, 2007 2:56 AM

Not only they have backdoors inside the operating system but also are plenty of virus/trojan:

and plenty of vulnerabilities/exploits:

I agree that the only secure mobile operating system for sensitive communication is Symbian OS because it’s a Trusted Operating System and execution of software require authorization and validation by Nokia and Symbian.

There are a couple of products out there for Symbian OS:
– PrivateGSM:
Swiss product
– Gold-Lock:
Israelian product

Still, i won’t trust in any case a Windows Mobile based device for my own secure communications.

GovernmentsFear November 9, 2007 3:01 AM

I would be aware that companies that sell mainly to governments cannot be trusted.

Just think about this situation.
You are Cryptophone, Crypto AG, Cellcrypt, Snapcom and other companies that mainly sells to governments (politician, military, public safety) customers. Then they are also open to the private sectors but the profits from this sectors are marginal.

Suppose that you get 5mln EUR of revenue from governments and 300k EUR from private sectors.

What you will do if the governments, with it’s own very big contractual power, ask you to place a backdoor inside the software release that you sell to private sectors?

Are you willing to loose more than 90% of your revenue and go in bankrupt because you don’t want to place a backdoor?




The only solutions are private sectors based and opensource based companies.

Alex November 9, 2007 5:10 AM

The Digg link appears to be crap; here’s the actual story @ SecuriTeam.

Note that they appear to have been hacked;

el*Loco, on November 4th, 2007 at 7:44 pm Said:

Maybe someone at securiteam wants to have a look at the HTML source of this article, and then remove the links and secure the wordpress installation?
Juha-Matti, on November 5th, 2007 at 11:29 am Said:

The administrator is aware and these links have been removed earlier today.”

Looking at the “list”, it appears to be nonsense; does anyone really think the ham radio netblock is TEH NSA? Or this one:

China Internet Network Information Center
Beijing CN – – [] []

Yeah, the Chinese NIC would really let the NSA in:-)

Or this one?

Bharti Airtel Ltd.
New Delhi, INDIA – – – – – [] [] [] []

In fact the list includes ALL ChinaTel and ChinaNetcom’s networks; clearly, whoever compiled it just dumped the IANA allocations and the operators of Cryptome are insufficiently clueful to critically assess Internetworking issues.

Andy November 9, 2007 6:26 AM

As an aside, if you’re going to use this, be sure that you have a liberal data plan with your cellular phone service provider. It uses “circuit-switched data calls”, meaning it won’t use minutes, it’ll use kbytes.

Frank Rieger November 11, 2007 4:22 PM

@FromGermanyWithLove, @Security CTO:

As I wrote above, we remove quite a number of components fromt the Windows Mobile OS to exclude attack vectors. The result is of course a reduction of features available to the user, so we built the component removal into a Security Manager, that allows the user to choose between potentially risky OS functions and better security.

MMS is removed by default in all security levels, as it is a horrifiying protocoll that allows an attacker to send 100K of binary through a set of really badly written parsers onto the phone. Also removed by default is SIM Toolkit, which is older but equally nasty. In the upper Security Manager levels, the IP stack is deactivated. We did this btw. long before it became public that MMS can be broken, as we conduct our own audits (if necessary on the binary) of critical components of the OS and rather remove a feature that we feel bad about then risk it being exploited.

As for the purported security of Symbian: what exactly makes you believe that the code signature mechanism really works and even if we assume for a moment that it works perfectly, that the vendor won’t happily sign a piece of code provided to him by the NSA?

And for the security of Linux based devices: the mobile distributions we have seen so far are not at the same state of security as your desktop distribution of choice is. I agree that in theory an open source OS is more trustworthy and we will port CryptoPhone over, as soon as there are viable options. Unfortunatelly, there is no open source OS phone today that would result in a commercially viable product.

@GovernmentsFear: We have declined a number of substantial government contracts in the past because these governments wanted a back door to listen to their own people. We lost quite some potential business because of that. But we rather sleep well keeping up with our “no back doors for anyone”-policy then have some other government banging at our door wanting access to that back door. If you think about it for a moment, having really no back door is the only sensible policy for quite a number of reasons.

@Andy: Circuit Switched Data calls are billed by the minute. Essentially it is a digital modem call (v.110 or v.32). GPRS/EDGE/UMTS is billed by the kilobyte, but we don´t use that (yet).

Tom Williams November 11, 2007 11:25 PM

@ Frank Rieger:

If your product uses CSD a la , how does it perform with inter-continental calls, where each party to the call is in a different country?

In some countries, providers don’t enable CSD anymore at all, or they do it only on post-paid services, not pre-paid thus removing a layer of anonymity.

I have tested similar products that use CSD for encrypted calls and found that even if I find a telco that provisions CSD on a prepaid SIM card (and the list of these telcos is shrinking), I had horrible latency and quality issues with international calls.

Wouldn’t it be better to use IP communication instead of CSD ?

Tom Williams November 11, 2007 11:26 PM

@ Frank Rieger:

If your product uses CSD a la , how does it perform with inter-continental calls, where each party to the call is in a different country?

In some countries, providers don’t enable CSD anymore at all, or they do it only on post-paid services, not pre-paid thus removing a layer of anonymity.

I have tested similar products that use CSD for encrypted calls and found that even if I find a telco that provisions CSD on a prepaid SIM card (and the list of these telcos is shrinking), I had horrible latency and quality issues with international calls.

Wouldn’t it be better to use IP communication instead of CSD ?

Robert August 6, 2008 7:34 AM

I tried both “SecureGSM and Cryptech encrypted mobile phone with CSD channels in lots of countries. Never tried Cryptophone (too expensive). Cryptech and SecureGSM both work but in some countries the line configuration must be tuned because of international roaming.

I even tried a IP communication solution for mobile device – Babylon – but the delay is way too long (> 3 seconds) with GPRS and a bit better with UMTS. UMTS is not available everywhere, so this is not a good alternative to CSD data channel.

Jed Incley September 13, 2008 2:38 PM

Our company purchased 300 units of PhoneCrypt 8 months ago:
I have to say that we are very happy with the product quality and the support we got from SecurStar.
Before purchasing PhoneCrypt we extensively tested many other products: Gold-Lock, CryptoPhone, SecureGSM, and Cryptech; we found that PhoneCrpyt offered the best line stability, voice quality and the lowest delay. In addition it encrypts SMS messages and has a build in secure conversation recorder. The other mentioned products worked more less ok as long as you dont need them in a professional enviroment. As for the GSMK product we discovered the source-codes they claim are disclosed, are definitely not the ones of the commercial version (not even slightly), even worst, the product is ridiculosly expensive for no good reason.

Clive Robinson November 21, 2008 4:11 AM

@ Ingy,

“Does anyone know if there are products which offer encryption during normal voice call? Is that theoretically possible?”

All GSM phones have encryption built in at the network link level (ie handset to base and back) but would you want to use it (it has the reputation of being cryptographicaly week).

There are a number of mobile phones around that use Crypto Cards to provide end to end encryption. However this means that both ends of the total comms channel require Crypto Cards and capability. This means either talking only mobile to mobile, or mobile to telecom gateway that acts as a mobile.

There is also the question of if the network operator will allow the encrypted traffic on their network due to business desision / legal requirment / technical blocking.

There are a number of Crypto Phones and Gateways that have not just Telco Approval but Crypto Approval from the likes of the UK Comms-Elctronics Security Group (CESG) which are part of the public face of the Government Comms HQ (GCHQ). Other European equivalent Gov ComSec organisations have likewise given their approvals as well.

I have posted to this blog before with details of one independent organisation that has produced both the phones and the gateways at moderat(ish) prices.

They have a reasonably good high level page explaining what’s involved at,

They use the Netkey Card to do the Crypto bits, this card is available independently and there was a group looking at providing Linux drivers for it. So combining that with an ISDN card and an Asterix box would make a gateway providing somebody has written an appropriate Asterix module (no I don’t know if anybody has but it would be an excelant project to put on a CV 😉

Also Try googling [CESG ITSEC phone mobile] to get an uptodate view of what’s out there from the likes of Thales etc.

Lisa November 29, 2008 5:50 AM

PhoneCrypt Prestige (hardware solution that is connected to the headset) is a solution that works on the voice channel rather then the CSD channel. It works with Cellphones, Landlines, VoIP, and any compbination of it. We use it to make calls between cellphones and VOIP lines, also cell with ISDN. Sound quality is very good and it works excellent even for intercontinental calls.

Clive Robinson November 29, 2008 12:21 PM

@ Lisa,

Do you know anything technical about PhoneCrypt Prestige?

The SecureStar site does not show it as a product in it’s English pages (or it may be blocked on IP based on perceived national crypto regs).

Google only has press releases in German.

Worryingly one says it only has 10billion keys (say 33bits) and none given an indication of what method of audio2audio conversion is used (hopefully not some version of audio inversion or other analoge system).

Also at around 1200USD per device it strikes me as a tads expensive.

Erivaldo July 29, 2009 1:40 AM

We are using 4 PhoneCrypt Prestige sonce 3 months now and it really works good. On two ends we use cellphones, on one end VOIP, on the last end we use regular landlines. The solution is cool as we have aften no CSD or 3G channels available and this Prestige simply works everywhere. The encryption is 256 bit.

S June 9, 2013 1:55 PM

I’ve just been assessing their current offerings which, they say, uses a build of Android with ‘granular security’.

I simply E-mailed the guy and said if it runs apps that can enter supervisor mode, I bet you $1 that I can write an app to break it.

I also suggested a large number of seemly overlooked attack vectors and ways to secure them (flash memory has a controller with it’s own small CPU – not impossible to send people a FREE MicroSD. There site isn’t even HTTPS!

I’m looking for security because of industrial espionage (we just had some data stolen, likely by mobile intercept that could lose us millions!).

There are a lot of legitimate reasons to desire secure communications (some people may argue that the simple right to privacy is enough reason).

Basically, I don’t trust ANY of these vendors of ‘secure mobile phones’. Unless they can convince me that I couldn’t just break their system (and I’m not a hacker- I’m an ex-coder) then how the heck am I supposed to trust the setup against someone who might have been paid $100000 to steal certain commercial data? For that money – people will put in a LOT of effort.

Nick P December 12, 2013 10:54 PM

@ TGuemues

Quite a claim. Also a competitor. I’ve read the Cryptophone papers and even debated Frank Rieger here about what subversion proofs they could or couldn’t make. That these capable crypto folks encrypt only a counter and never voice is a thought that didn’t enter my mind. That’s a pretty wild accusation.

Here’s a link to Cryptophone source code for those who don’t want to give the main site your contact information:

Quite complex for me as I haven’t used this language in a while. It seems structured well enough, though, and I’m sure a proficient user will be able to do these things:

  1. Identify where they pull audio from the phone. (I did.)
  2. Identify where it gets compressed. (I did.)
  3. Identify the encryption process. (I did.)
  4. See how encryption is applied to the voice. (I was too lazy to.)

So, anyone with concerns about this guy’s claims has the ability to accept or reject them based on evidence.

Pat February 28, 2014 10:20 PM


That supposed “debunking” is complete and utter bullshit. It encrypts the counter just like every other cipher in counter mode. Please understand how the various modes of operation for ciphers work before trying to debunk what you don’t even understand. What Cryptophone is doing is using a very slightly modified combination of AES and Twofish in the counter mode of operation.

For the record, counter mode works by taking a counter value (which is of course predictable) combined with a nonce (which has the same function as an IV) which is of course not secret. This predictable stream is then encrypted directly with a cipher, creating a stream of data which is unpredictable without the correct key. This is XORed with the plaintext, resulting in ciphertext. To decrypt the stream, the same process is done, and the encrypted counter+nonce is XORed with the ciphertext, recreating the original plaintext.

TGuemues March 6, 2014 3:21 AM

@ Pat

Read again what is stated on those 3 claims. All are true statements. See:

You know and say yourself that it encrypts the counter. Did anybody argue that you can not use counter mode ? The above link clearly states “The voice protection may work well for your needs.”

Let’s say you have a confidential file. You must encrypt it. What would you prefer ? Take (as example) AES in counter mode to create a bunch of pseudo random byte sequence and then XOR your file on it ? Or would you encrypt the file itself directly as it’s supposed to be? Which one do you prefer? Encrypting a counter (1,2,3…n) or your file itself ? I prefer correct encryption of my data.

Step 1:
In your case you have encrypted and protected only a number sequence. Nothing more.
In my case i have encrypted and protected the data.

Step 2:
Now you take your resulting pseudo random byte sequence from step 1 and patch it from OUTSIDE with your confidential data. That’s lame. A cheap solution. A poor grade.
Me however, am done already in step 1. If i want to lower myself to your level by also having a step 2, then i could take my encrypted result and patch another (a 2nd plain file) and patch it with XOR onto it. You can not do likewise, as you would end up losing all your data.

They tell misleading argument that the voice is encrypted after the XOR operation. There is a term for that and it’s called scrambling. Voice data is scrambled at the end. That is not encryption of the voice data. You lie if you put scrambling and encryption on same level. They’re different. Hardcore way is like a Decibit Cryptophone does it, encrypting the data itself, without need for cheap solutions.

Besides, you must be complete out of your mind to defend a phone that costs 4000 USD per piece. Needs 2 of them to function. You might be related to that phone and making profits from it or did you write the datasheet yourself ? Yes they can fool simple knowledged people to literally buy it’s utter nonsense sales arguments.

Besides to have a “crypto”-phone based on an insecure consumer phone hardware, only having replaced the software… is not secure. You need a secure smartcard chip, like credit cards have or those used with set top boxes etc to generate & store keys and do cryptographic operations.

So, what else do you have to bash on me ?

TGuemues May 3, 2014 4:27 PM

I realized, society has dumbed down so far, to no longer being able to understand simple text, be it in printed book form, or as a pdf, or a website. So i translated it to current common language -> a video; narrated, graphical illustrated and text included!

Watch the video. Invent, code, do all the shown in this video yourself first, on your own, alone, then bash on me. Can you ? I know for certain, nobody can.

About GSM based “dumb-phone” solutions, which are simple software hacks, you already have been dethroned, you just don’t realize it yet.

BTW, Mr. Schneier, i did own and read your book “Applied Cryptography” couple decades ago. That’s why i allowed myself, begging your pardon, to express myself in your web space.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.