JackPair Encrypted Phone Add-On

JackPair is a clever device encrypts your voice between your headset and the audio jack. The crypto looks competent, and the design looks well-thought-out. I'd use it.

Posted on September 3, 2014 at 6:53 AM • 110 Comments

Comments

keinerSeptember 3, 2014 9:26 AM

I was pretty much convinced, until I scrolled to the bottom...

MADE IN USA--- How to trust that any more?

David in TorontoSeptember 3, 2014 9:56 AM

So my first thoughts were strong bluetooth or other wireless encryption. Then I saw the wires.

So unless I'm missing something it seems to me that the 6 feet of headset cable plainly in my sight is the least of my worries when my phone or workstation is so much more accessible, complex, and in general a much tastier target.

Am I wrong?

David in TorontoSeptember 3, 2014 9:58 AM

Oops .... just saw it cell to cell. It protects the middle of the transmission.

WadeSeptember 3, 2014 10:00 AM

I wonder how we can trust that they are not intentionally leaking the private portion of the DH keys? To make it NSA-friendly, all they need to do is have it reply with the private key portions when a specific query is inserted into the encrypted data stream.
Two people can use it normally and not detect anything out of the ordinary in the encrypted data, yet when the attacker sends the "reveal thyself" command on the phone line, the keys are exposed. Unless the users were monitoring the encrypted connection and noticed a few unexplained data packets, they would never know.

JeffHSeptember 3, 2014 10:02 AM

I love the idea.

If I'm reading correctly, it seems to be foremost a man in the middle detector that happens to provide defense against eavesdropping after that initial check, in that they are suggesting it's critical you read the pairing number back to each other to verify no man in the middle attacks.

My immediate thought was that I have no idea how feasible it would be for a man in the middle in a phone conversation to duplicate a voice reading a set of numbers, perhaps by introducing a subtle delay in transmission to allow for signal processing time. I seem to recall voice data being reduced quite a bit, which might allow for quite some tolerance in duplication, but I have no expertise in such an area.

After all, if you're using this device pair, just who are your adversaries? Could they achieve that?

@David in Toronto - yeah I had the same initial thought - it takes a bit of reading the site to figure out they mean you plug two devices into two different handsets!

WadeSeptember 3, 2014 10:14 AM

Even if the JackParir designers aren't intentionally inserting a NSA back-door, the NSA could intercept the device in transit with the post office, and replace the ROM with one that has the back door I described earlier. That's probably more realistic NSA attack against a high-value target.

OskarSeptember 3, 2014 10:17 AM

JeffH: If I'm reading correctly, it seems to be foremost a man in the middle detector that happens to provide defense against eavesdropping after that initial check, in that they are suggesting it's critical you read the pairing number back to each other to verify no man in the middle attacks.

I wouldn't say that it's foremost a man in the middle detector: first and foremost, it's an encryption system designed to keep your conversations private. The only reason they stress that it's critical that you read out the pairing number is that this kind of key exchange is extremely vulnerable to man-in-the-middle attacks, and you need some way to authenticate the other user.

It's a pretty brilliant idea, to use the voice of the other person as authentication. It solves the MITM attack problem handily. I might buy this, not because I plan to use it, but because it's such an excellent product.

AlexSeptember 3, 2014 10:17 AM

The idea is good. It seems to be protected against logical attacks. But what about physical attacks, ie if the attacker gets (for some time) physical access to the device, can they extract the DK key and/or forge certificates? I cannot see there is secure HW ie in form of a smartcard controller or secure element resistant against HW attacks. It should be quite easy to add and would provide an additional layer of security.

pots blitzSeptember 3, 2014 10:22 AM

Nice, I am going to dig for one of my old analog modems :-)

There's only thing, that I read too often under the bold headline "Open Source" is this "we plan...", "we intend..." - which makes me want to say: Do it now! The earlier it can be reviewed, the more trustworthy it is.

MrCSeptember 3, 2014 10:23 AM

@ Wade:
Well, if it's going to be open hardware running open source firmware, you could always build your own. As far as I'm aware, that's the first, last, and only thing you can do if you've got serious fears about interdiction or vendor compromise.

Andrew2September 3, 2014 10:27 AM

From the link:

Stream Cipher like Salsa20 is a natural fit with OTSK, which is used as the seed for PRNG (Pseudo Randon Number Generator) to create key streams with similar property of One-Time Pad (OTP), an encryption technique that cannot be cracked.

Sigh. These people either have no clue, or have no problems misleading people.

kryptoniteSeptember 3, 2014 11:05 AM

Shame about the "Made in USA" part. How long do you give it before it ships with a lovingly crafted hardware-embedded backdoor?

WalterSeptember 3, 2014 11:13 AM

Some of the comments here seem bizarre. Now I wonder if it is even possible to mfr and sell security anything anymore?

I'm also puzzled, why they haven't raised more money? Will people not trust something they don't understand, yet, they'll never understand because they don't care, so they never trust anything or anyone? Wow, that would be a truly pathetic state of affairs. Or, does their description come across as psycho paranoia, images of Florissant, etc. Or, does this simply not solve a big problem? Is it too expensive for what it does? I really don't get it.


ScaredSeptember 3, 2014 11:19 AM

Doesn't a cellphone rely on compressing the speech based on a model of the human voice?
I assume the encrypted speech would be white noise, so in order to transmit it, the phone would take up way more bandwidth than if it was unencrypted speech.

WalterSeptember 3, 2014 11:20 AM

Would you prefer Made in the UK? How about Syria? Oh I know, someplace you believe is special, like Switzerland, or Canada where we all know nothing EVER goes wrong and where even people like Snowden can hide. No wait, he's actually in Russia, isn't he? How about they make it and ship it from Russia? After all, those guys are freedom loving people who deeply respect privacy.

Stupid.

keinerSeptember 3, 2014 11:23 AM

@Walter

If you are out on the sea in a rubber boat with 10 holes in it, it's too late to think about buying some duct tape... sometimes... in the near future...

ThothSeptember 3, 2014 11:25 AM

JackPair requires some ironing out. Still have too much rough edges. I have given them some sound advice on OPSEC and also JackPair device security and ideas which they are reviewing especially on the part of the KEX mechanism.

WalterSeptember 3, 2014 11:37 AM

At least Americans know what the score is, unlike Europeans walking around in a trance hoping and wishing for a better future. Americans design and build the best. We went to the Moon, and then we went to Mars. What the hell did you build? Cuckoo clocks?

I've decided I'm going to back these guys, these innovators, because they need the support.

divSeptember 3, 2014 11:41 AM

This is basically analogueanalogue conversion, so (non-specifically-malicious) things I'd be concerned about:

1) leakage/crosstalk between the input and output side of the device mixing unencrypted signal into the encrypted side. (May vary based on manufacturing/component tolerances, so analysing a "gold" review copy might not prove anything.)

2) The phone itself not completely disabling the built-in microphone when using this, but mixing from all inputs (even if at a low, imperceptible, level).

ChelloveckSeptember 3, 2014 11:47 AM

@Walter: I suspect that the reason it hasn't raised more money is that it's a solution to a pretty uncommon problem. Even if my associate and I both have the device, it only encrypts the voice data. It does nothing to secure any metadata associated with the call, like who did the calling at what time from what location. There's probably only a very limited need for anyone to hide the content without also hiding the call records. It's an attractive product at an attractive price if you have a need for it, but very few people have that need.

keinerSeptember 3, 2014 11:50 AM

@Walter

"We went to the Moon,"

Rrrreally sure?

At least you made up the Kennedy murder and 911...

bot:

Do you really think Mr. chose Russia on free will?

A land to trust nowadays? Nothing to see. Therefore there is no hope any longer for freedom.

SomebodySeptember 3, 2014 12:10 PM

I'll second Scared.

How the heck does this thing work? If you play white noise into a cell phone the white noise the other side hears is generated in the receiver and has little or nothing to do with the input. The encrypted signal has to be something that resembles human speech so that it is pass through the codexes in the link relatively unchanged.

Has anybody played back the encrypted output? Does it sound like human language?

Gerard van VoorenSeptember 3, 2014 12:27 PM

@ keiner, Walter

About the man on the moon. I have no doubt about that.

Although of course it was a tremendous project, the question remains whether the US could have managed it on time without the German scientists [1]. That is also with the A-bomb btw. It was Einsteins letter to FDR that started the Manhattan project.

[1] http://en.wikipedia.org/wiki/Operation_Paperclip

BruceSeptember 3, 2014 12:32 PM

My mind will be blown off this works through AMR. Unless it's designed to only work with a higher bandwidth connection designed for data, I just don't see it working.

Mike AmlingSeptember 3, 2014 12:48 PM

1. It wouldn't seem to actually need a phone. The headset could be one you've been plugging into your PC for Skype or VOIP.

2. Apparently there are two encoding problems. The sound has to be digitized, then after encryption, the ciphertext has to be analogized(?) to something that resembles voice enough to get through the voice network.

3. I agree it's disappointing to see them use the term "one-time pad".

4. "Hang up to remove secret key". How does it know when I've hung up, just from microphone and speaker signals? Some headsets may have controls for dialing and/or hanging up, but mine doesn't and they say it works with "any phone with a headset and microphone." Could the MITM simulate a hangup to both JackPairs and continue the call in the clear?

5. "The first thing you should do is to read the Pairing Code on your screen to the other party over the phone, and verify that the Pairing Code is the same on both ends." There's one 'pairing code' that's displayed on both ends. Rather than me reading it and my correspondent saying "yeah", it would be better if we read each other alternating digits of it. Or two codes, one that I read and one that I expect to hear. Unless I'm sure my correspondent would never choose convenience over security, I'd want to be the one listening to the digits, and she might feel the same way about me.

6. "Open source" is OK, but can I actually run the binary that I compiled myself?

7. "JackPair is inspired in large part by Edward Snowden. The first Snowden leak led to the revelation that the NSA collects records of every U.S. phone call under a call log metadata program." Ironically, JackPair has no effect on metadata surveillence.

8. It would be nice if they had a warrant canary.

9. How hard would it be to change the web site so the answers to the FAQ could be seen without enabling JavaScript?

AnuraSeptember 3, 2014 1:08 PM

According to the website:

"we are able to pack all the functionality required for JackPair into a small PCB board the size of a cigarette lighter"

"into a small PCB board"

"PCB board"

I'm not sure I can trust this.

CPUTempSeptember 3, 2014 1:11 PM

"Some of the comments here seem bizarre. Now I wonder if it is even possible to mfr and sell security anything anymore?"

No offense, but "Made in USA" is not exactly a strong selling point these days when it comes to privacy and technology.

BrendanSeptember 3, 2014 1:16 PM

The FAQ on the site answers several of the questions brought up on the thread. RTFA people, really.

Most importantly, it is meant to work over standard low/medium bitrate cellular networks and work well with the audio codecs used by the handsets.

The audio codec used for the plaintext (plainspeech?) is a very low bitrate codec, perhaps 1/4 to 1/2 that of a standard handset codec bitrate. This compressed (and then stream encrypted) speech data is modulated and expanded into an audio signal using some neat psychoacoustic tricks that is seen by common handset codecs as similar to human speech, that is to say, audio that it tries to preserve the nature of.

The demodulated audio coming out of the other handset retains enough of the original nature that it can then be converted back into the encrypted very low bitrate audio stream, which can then be decrypted into a low bit rate compressed audio, which is then converted back to audio.

There's a youtube demo of the output which shows that you lose significant voice quality, but not too much of the intelligence of the speech.

ScaredSeptember 3, 2014 1:17 PM

Oops. It helps to read the whole web page. From the FAQ:


Does it work with mobile phones that have severely limited bandwidth? What audio codec is used in JackPair?
JackPair uses audio codec from Codec2, which has reasonable good sound quality at 1.2kbps. We have tested JackPair on top of GSM AMR 4.75 (Adaptive Multi-Rate, 4.75kbps) and HR (Half-Rate, 6.5kbps).

How do you deal with GSM codec that removes static noise and disables fax-modem transmission?
Unlike traditional fax-modem technologies, our modem is designed from scratch to fight off the optimization done by GSM codec, including memory-less codec, voice activity detection (VAD)., automatic gain control (AGC) etc.. Basically we have to use synthesized voice to make mobile phones & media servers believe our signal is human voice, not just modulated waves.

How does the voice over JackPair sound like?
You can listen to my voice before, during, and after the encryption through JackPairs over mobile phone network, here: https://www.youtube.com/watch…


Looks pretty legit. So they use an audio codec, encrypts the data and decode it, using the same coded. I'm still a *little* surprised if an audio codec can accept totally random data.....

ScaredSeptember 3, 2014 1:20 PM

... and added feature of this device is that it'll make NSA's speech to text systems melt down!

CatMatSeptember 3, 2014 1:22 PM

@walter
I'd be prepared to trust Made in Finland, but unfortunately Microsoft killed that venue.

Clive RobinsonSeptember 3, 2014 1:50 PM

A thought,

Why attack this device when you can probably bypass it more easily.

In many smart phones and others the "audio jack" does not of necessity disconnect the microphone... software does "maybe".

Thus you will probably be well within the range of the mic (or other sensors) and your convessation will be moniterable, or saveable for later download...

End run attacks are almost always possible and quite rewarding with "high tec" systems.

wumpusSeptember 3, 2014 1:53 PM

There is more in the FAQ. The last bit covers the need for a warrant canary: they are assuming that you can simply trust them that the hardware lacks any specific means to store/transmit the session keys. I guess the best question would be how difficult is it to check for an antenna or other wireless feature? X-rays should make most antennas reasonably clear, and a sweep of expected wireless frequencies should show some resonation of an antenna within 1/wavelength distances*

Other things are cleared up as well, although they seem to weasel badly on the "based on Salsa20" wording which is far to close to the "we rolled are own to cut corners" instead of "included the whole of Salsa20". This wouldn't be so alarming if not for the "one time pad" bit.

* note my antenna theory was weak many years ago and has only decayed since. I'm still pretty sure that they will show up that way (they should resonate at any distance, but it should be measurable at the source for 1

Lorin RickerSeptember 3, 2014 2:01 PM

Hell, looks good enough to me -- I threw 'em a contribution, and my best wishes for a successful product, even if it's only a v1.0. Yes, I could be gullible, they're too clever and have taken me in. If so, I'm out a few bucks. But it looks to me like this is a well conceived shot at doing something right for a change, instead of the typical "It's hopeless, let the Gov't win."

The snide cynic says "What if it doesn't work!"
...to which the optimist responds "But what if it does?..."

ChelloveckSeptember 3, 2014 2:26 PM

@Anura: I trust it as much as I trust the safety of typing my PIN number into the ATM machine.

SystemFailureSeptember 3, 2014 2:28 PM

@Clive Robinson

Nice infomercial!

"They are a known technology - but the surprise is that they are in active use"
If you ask me, the surprising thing would be that known vulnerabilities *weren't* in active use!

On a related note, folks might like to tinker with AIMSICD (a promising project, but still very much in beta).

Tony H.September 3, 2014 3:04 PM

The notion of mitigating MITM by confirming a short authentication string (SAS) is straight out of Zimmermann's ZRTP. And probably used by who-knows-what NSA secure phones and such over the years, for that matter. It's the analogue part using an existing phone and infrastructure in combination with that that seems to be new(ish).

JacobSeptember 3, 2014 3:49 PM

What bothers me, and I'm talking from experience, is their overly optimistic production schedule.

Not only do they not allow for design re-spin, even getting everything finalized, approved, parts procured, moulds machined, PCB fabricated, assembled, tested and software debugged in 3.5 months for the first cut - and under a limited budget - is *really* pushing it to the point of "unachievable".

March-April 2015 is more realistic if everything goes smoothly.

whprattSeptember 3, 2014 3:51 PM

Mr. Schneier' comment is already being used as a pull quote on the site. Dang this Interwebs thing moves fast.

pontSeptember 3, 2014 4:12 PM

The thing I like most about this is the little animated gif explanation of key exchange via paint colors .. I might just steal that.

If they can get malware onto your phone/laptop/etc... one way to get around JackPair would be to turn on the phone/laptops built in mic too. That way your listening in on a separate channel.

BrendanSeptember 3, 2014 6:24 PM

And one way to mitigate that threat/risk would be to snip the microphone leads on your secure phone. Perhaps also disable the accelerometer as well. :)

ChrisSeptember 3, 2014 10:12 PM

Hi thanks!
Been looking longtime for a similar device to no avail.
Going to have a look.

There has been some other approaches using Bluetooth in a similar manner but expensive and for governement use.

Not as secure though but something I also have been thinking about would be to use software doing the same thing and something similar to VirtualCable to connect the secure insecure ends to what ever software you use (Skype VOIP etc)
//Chris

AdjuvantSeptember 3, 2014 11:58 PM

@Clive: Why attack this device when you can probably bypass it more easily. My thoughts exactly. And if, by some miracle, the mic on the phone is properly disabled, there's always the gyroscope;-)
This would require some heavy-duty acoustic isolation to mitigate.

ThothSeptember 4, 2014 12:47 AM

In regards to RNG generation, they have been given the HWRNG found in the tinfoil chat documents. Advise have been given to them to use a HWRNG instead of some home
cooked PRNG.

KEX method have been suggested to be improved by me.

Clive Robinson's concern of bugging the microphone is a good idea but that cannot be avoided unless the microphone on the phone can be physically detached and a separate secure voice input used. Might as well not use a stock mobile phone and use some custom hardware which will give a much higher level of assurance.

I will recommend them to look into this comments section that your helpful and constructive comments can be beneficial to them.

JackPair isn't the highest assurance since there are insecure components like the host phones but it attempts to add some assurance to it. If one's goal is highest assurance level possible with say 0.95% chance of TLA access, I am afraid it is not going to be all that simple. You have to make your entire handset and probably your protocols all on your own and someone has to use it.

I have spoken to them and they seem to be highly keen on good advise :) .


WooSeptember 4, 2014 2:10 AM

I don't really get the key exchange part of the algorithm. How can they "generate the same OTP at both ends" (or shared color in the neat animation) without the devices knowing each other before? Wouldn't that PRNG need some kind of initialization values etc that need to be common to both (or all) Jackpair devices to achieve that goal? And a common-to-all IV could easily be gotten hold of by buying one and reverse engineering the chip...

If someone could give me a short run-down in non-cryptologist language, I'd be grateful

Iain MoffatSeptember 4, 2014 5:32 AM

I'm surprised that no-one has already mentioned prior art for things like this - the British BID family and American KY-57 secure combat net radio speech encryptors from the 1970s also connected between the headset/microphone and a standard VHF voice radio (with a wideband audio option to address the codec rate vs audio bandwidth issue) - see: http://www.jproc.ca/crypto/ky57.html .

Done properly this is equivalent to a military solution. Done badly with side channels due to key exchange (remotely) or grounding or the host phone microphone (locally) it is anything but. I think the concept is sound and as described it is probably way better than nothing for privacy against the wrong kind of journalist (UK readers will understand) or non targeted MITM attacks on VOIP. For critical applications secure against targeted attacks I think it needs to be open source software and hardware with easily multi sourced components - if necessary at the cost of size and looks - and one that has been subject to robust 3rd party cryptanalysis both as a black and white box.

It's also worth noting that national military radio or PSTN solutions differ whether they consider over the air rekeying (key exchange) safe, and whether they use D-H or a symmetric pre-shared key encryption key to do it - I suspect that potential users likewise will differ in wanting inband automatic key exchange or manual out of band pre-shared keys and strong symmetric crypto depending on the threat that they are seeking to mitigate. If I was buying a pair of these to protect a particular conversation or series of conversations I would much rather go the pre-shared symmetric route and rely on opsec to protect the keys given the choice. Something like an RS232 or PS2 keyboard port to allow manual keying by the end user in the field or before going into the field (ham radios like THD-7 use an audio jack for RS232 so it can be small, and PC RS232 and USB leads to that standard are widely available) would make me much happier - it can always be glued up after key setting by the paranoid.

A final thought regarding the audio/gyro/grounding side channels is that there are may older non-smart phones that have a much smaller attack surface and would be appropriate for use with one of these if you can still get batteries, especially if it will work with a long enough audio cable between the encryptor and the phone to remove any doubt over audio leakage (although something like an old Nokia 2110 http://en.wikipedia.org/wiki/Nokia_2110 probably lacks the risk of anyone accessing the microphone remotely in any case). You could also put the phone somewhere acoustically noisy for further assurance in that case.

Iain

bobSeptember 4, 2014 5:40 AM

@Walter, you used German technology to get to the moon... Your entire civilisation is built on European ideas and technology. USA has created many wonderful thing in it's short history, but it's got a long way to go before it can get cocky.

Iain MoffatSeptember 4, 2014 5:52 AM

As a postscript, it occurs to me that the pre-shared key option might also work with voice mail which was the main attack vector used by News of the World journalists and their private investigators in the UK. See: http://en.wikipedia.org/wiki/News_International_phone_hacking_scandal

I know this can largely be mitigated by changing the PIN but there are risks of unauthorised access by the voicemail platform owner or 3rd parties that can only be mitigated by means such as this.

Bob S.September 4, 2014 6:38 AM

The arrival of this affordable device is timely considering recent reports IMSI Stingrays are all over the place tracking thousands of calls every day. One manufacturer claims interception of their device is undetectable.

Meanwhile, the government will...."study"....proliferation of cell phone interceptors which are essentially illegal and/or unconstitutional. Police agencies take the usual entitled position that whatever they do is legal until the supreme court tells them it's not.

The wires are unsightly, but the principle is excellent. I wonder why all phones could not be so equipped internally? Why can't all phones have end to end encryption?

Why?

ThothSeptember 4, 2014 6:43 AM

@Bob S.
If all phones are secure by nature, what are the huge corporations and TLAs going to profit off ? Insecurity is the industrial standard so that they can sell faux security :D .

MarkinCASeptember 4, 2014 7:45 AM

There's also this: www.mocana.com/keytone. "KeyTone is a high assurance mobile communications app - enabling secure calls and instant messaging over WiFi & 3G/4G networks. KeyTone uses standards-based protocols and cryptography for establishing and protecting data communications between KeyTone app users."

pSeptember 4, 2014 8:09 AM

@JeffH
" how feasible it would be for a man in the middle in a phone conversation to duplicate a voice reading a set of numbers"

Ross Anderson's book says this is done and is not that hard.

Alan KaminskySeptember 4, 2014 9:59 AM

In a Diffie-Hellman key exchange using the multiplicative group of integers modulo a prime, the two parties first have to agree on the modulus (e.g. a 2048 bit prime) and on a generator for a large subgroup (e.g. a 256 bit prime subgroup order). One way to attack the key exchange is to replace the software with malware that chooses a generator for a small subgroup. The attacker can then observe the key exchange messages, compute discrete logarithms in the small subgroup, and deduce the key the two parties agree on. The same is true for elliptic curve Diffie-Hellman key exchange.

I don't see anything in JackPair's device that could prevent the NSA from doing this, either by forcing them to change the installed software via National Security Letter, or by intercepting the devices during shipment. So I don't consider this device secure against a government level adversary.

As for open source -- Open source software provides absolutely no assurance that there isn't a backdoor of some kind in the ROM on the device. You'd have to dump the ROM and disassemble it. Who's going to do that?

I'm not going to send JackPair any money.

BrendanSeptember 4, 2014 11:01 AM

My understanding is that they will allow firmware updates via the USB/power jack, but require a "user present" detection mechanism (buttons pressed at power on for upgrade mode).

That might mitigate the interception risk, and also might mitigate the NSL issue (if the source ends up being released).


MrCSeptember 4, 2014 11:20 AM

@Alan

The kickstarter page says that they also plan to open source the hardware. And it looks like this constructing device is within even my modest DIY capabilities. Building it yourself provides assurance against interdiction (insofar as all the components are available to consumers off-the-shelf), and assurance against built-in backdoors, at least up to the nightmare scenario that every off-the-self microcontroller is robustly compromised by design. (And, if that's the case, we pretty much need to give up on electronic communications altogether...)

ACORN1September 4, 2014 12:15 PM

I second the comments of "div" above: Amplitude or edge (frequency) modulation of the CT analog by the PT analog is a difficult problem to solve in these types of systems. Developers should strive for at least 90dB of isolation between PT analog and CT analog. The human ear is unbelievably keen at picking up this type of modulation and DSP processing techniques can be even more capable.

Erik V. OlsonSeptember 4, 2014 12:32 PM

If your worried about the mic on the cellphone or notebook being turned on remotely, the answer's pretty simple -- well, other than destroying that mic, which has issues if you want to use the phone as just a phone.

Get 10m long extension cable between the encryption device and the transmission device, converse in different room. For extra noise, turn fan on and point at mic of phone/notebook to add white noise to that input. Or build an insulated case for the phone. Or, fo course, do all of that. The design of the JackPair doesn't mandate that you be next to the transmission device, which I think is a feature.

There might be issues with a very long cable run causing enough of a signal drop to make the connection bad or impossible. Higher quality cables and inline amps could solve that, but I suspect a 5-10m extension cable would be just fine, if it's a decent one.

I like the fact that they're acting as if the device is compromised, demanding only that it pass audio to the other end of the connection.

Yeah, so far, the USA part bothers me too.

AnuraSeptember 4, 2014 12:40 PM

@Erik V. Olson

Or you can just get a regular landline phone without a speakerphone feature (or with the microphone snipped).

vas pupSeptember 4, 2014 12:59 PM

@Anura • September 4, 2014 12:40 PM.
As I recall, many years ago KGB could remotely activate microphone on land line phone without your knowledge and monitor all conversations around the phone. As protection, you could install switch/toggle on your phone which (on your discretion) mechanically disconnect microphone line when not in usage. Kind of permanent mute function. By the way,same applies to land line answering machine which has own microphone as well.

Nick PSeptember 4, 2014 1:44 PM

Basic Assessment of JackPair

It's an interesting product idea. As Iain says, there is prior art for this sort of thing. One Schneier commenter posted something years ago. Might have been RobertT or Wael. Whoever it was worked on a product that tried to run encrypted data over GSM voice. RobertT also proposed putting the crypto in the headset as a more practical choice than putting it in the phone. So, a bit of prior art. That's a side issue, though, that only pops up if they patent it and fight competitors.

So, now let's look at the product itself. The system uses a dedicated device that cryptographically isolates plaintext from transport, even phone itself. This is smart. The validation is done via people speaking a code to each other that's displayed on the device. This has risk in targeted attacks, but it's also a standard tradeoff in secure phones. The zero configuration, push button activation, and green LED indicator means the usability is excellent. That and its cost are more important than any other factor as we don't want the product succumbing to the PGP effect. I'm not commenting on the crypto details because (a) others will do that better and (b) that's not where the product or its security will fail. ;)

The bad news is the product *cannot* be trusted for its NSA goal. The product's personnel, development, and manufacturing are located in the United States. That means every measure the government can use to exert influence can be used on the team. That's already a huge no-no. The next risk is that they are using typical SOC's that have risks at shipping, firmware, and OS levels. Open sourcing their product doesn't have any real security benefit on such attack surface as TAO catalog shows us. I posted a framework for evaluating system security for anti-TLA uses and this is weak in a number of areas.

If NSA can break it, then Five Eyes, Israel & SIGINT partners might get the data. So, that introduces them into the threat profile to some degree. They will also work on attacks on it. Chinese and Russian attackers have been pretty good at 0-day hunting. They might find attacks on it or subvert it. So, there's plenty of risk left in TLA's. The only security benefit here is making mass, seemless collection difficult for TLA's without an automated attack on it. That *is* a security benefit, but not quite what project leader promises.

What about other attackers? Here's where the products' real benefit comes in. One gripe by Bruce and others here is that most telecom/Internet are unprotected by default. Having security and authentication on for any sensitive communication stops a ton of easy attacks and makes others harder. So long as OS and crypto are decent, this device might prevent many black hat attacks and monitoring by entities not as capable as above TLA's. This benefit has been available for a long time via products like Cryptophone. Yet, as project leader notes, they're pretty expensive. A low cost, "works with most phones," product that keeps the phone itself untrusted would be a great step up in this area.

So, their product won't stop TLA's that inspired their activity. It might give them headaches, though, while stopping many others. On top of it, it might do it cheaply and easily for users. So, I think it's potentially a good product if big TLA's and sophisticated black hats are outside of your threat model. I hope they make it to market at a good price point. I also put my money where my mouth is by backing them on Kickstarter.

A Nonny BunnySeptember 4, 2014 3:01 PM

>> The bad news is the product *cannot* be trusted for its NSA goal.
>> The product's personnel, development, and manufacturing are located
>> in the United States. That means every measure the government can
>> use to exert influence can be used on the team. That's already a
>> huge no-no.

Well, that just means we need similar devices made in Russia and China and other places, and then chain them all together. As long as the TLAs around the world don't all work together, at least one level of encryption should hold :P

(Actually, they'll likely just compromise you via other sensors on your smartphone. e.g. https://www.schneier.com/blog/archives/2014/08/eavesdropping_u.html
If your phone isn't safe, encrypting voice doesn't help.)

Gerard van VoorenSeptember 4, 2014 3:02 PM

@ KeithB

Funny. At that same page there is a chapter named: "Lack of vision in the United States"

That said, Goddard was indeed a serious pioneer. He also invented the bazooka.

Bauke Jan DoumaSeptember 4, 2014 3:02 PM

@Wade
Yes, and that just goes to show that the crux of the 'problem' of eavesdroppers and 'security' isn't 100% technical, it's to a large extent political as well. With a government that has basically limitless subversion-budgets and out-of-bounds 'political' backing, and no-holes-barred judicial 'envision', you and your solder iron will always be running behind.

Clive RobinsonSeptember 4, 2014 4:46 PM

@ Vas Pup,

The ability to turn on the microphone of a telephone by the "phone operator" not the "phone user" has been around for about as long as currently livind memory.

It's in as a "safety" or "test" feature in just about every countries phone standards from back in the old analog POTS days to the modern international digital standards, where it's been tucked away in part in various out of the way standards like Signaling System Seven (SS7).

You see the same reasoning applied for having GPS added to mobile phones and a variation for California's "kill switch" legislation all of which can be used behind the phone owners back by the network operator or those that have undue influence with them via "letters" or less formal means. In the case of the latter it sometimes goes wrong --think Vodaphone and Greek Olympics-- and often somebody dies by suicide or accident or some other misfortune befalls them such that real investication does not happen.

WaelSeptember 4, 2014 4:59 PM

@Nick P

Might have been RobertT or Wael
I talked about GSM and encryption, but not sure I am the one who posted what you refered to. Must have been RobertT...

I still read the blog ;)

ThothSeptember 4, 2014 6:59 PM

@Nick P
I have mentioned to the JackPair teams regarding tamper resistant measures and verification. One of the ideas include a totally transparent tamper resistant module for visual verifications. on recent comms with them. Admittingly tamper resistance can be expensive, it's still something we are discussing and they are considering to their design updates.

What you see on the Kickstarter may not be the final edition as I have given many emails worth of input and feedback a little while before Schneier catches up and post their page.

I have also flagged the issue regarding DH KEX mechanism to them as well. The current model wouldn't stop TLAs but the goal I believe is to make it hard for TLAs.

If there are any suggestions, send them PGP emails or post here and I will try to hand them feedbacks. I have given them the link to this conversation.

ECCSeptember 4, 2014 9:32 PM

It looks like this is transmitting the data to the phone through analog audio. Won't this cause serious data integrity problems and corrupt the encryption stream?

43ugk3iugbik3gubiugSeptember 4, 2014 10:33 PM

Chip ROM or EEPROM can probably be dumped. Govs can do silicon RE.

The design is pretty awesome. You can do this with old consumer-hobby class OMAP 3xxx chips.

Tim LSeptember 4, 2014 10:37 PM

The product I would buy in a second would be an actual one-time pad encrypted device like JackPair in that it is a universal function block sitting between the headset and the phone.

But instead of in-line key exchange, you would need to physically transport an SD card with the key to the other person you talk with.

Some sort of true-random key generator would be used to make two SD cards with same key.

Different producers could compete on making both the key generators and the encryption boxes, since the SD card is the standard that links and decouples these functions.

Chief Michael Airic White SrSeptember 5, 2014 2:36 AM

I as you may use encryption on a daily avenue. Have you ever heard of sending audio on a recording so that friendly fire doesn't occur on open lines. You just send a difference in fluxuation of voice in a recording to secret police. Very handy for idenity verification when youre not face to face login. The software is being dunlopped

Thomas_HSeptember 5, 2014 2:52 AM

@Walter: Your blatant ignorance regarding world history is disappointing, and is the mark of a troll. Without Europe, the US of A would not exist in its current state. Furthermore, without the work done by Nazi Germany on rockets such as the V2, the US' space program would never have developed as it did. As for current European activities in space, start reading here: http://www.esa.int

TIMSeptember 5, 2014 5:27 AM

It is interesting to read all these posts about this attemt of creating a device for bringing back a bit more privacy.

Sure, if you would order such a device and someone could manipulate it, I would suggest this person would just add a microphone and leave anything else untouched.

Sure, the metadata are unencrypted and I learned, that metadata might be more useful, than the information transmitted, but if such a device would be used by default for all phone calls, the privacy would rise in sum, I think.

There might be hundreds of possible attacks on hard- and software-level, as always.

Have you ever heard an security-specialist saying "... in this case it's 100% secure"? If yes, please check his/her references and vita, maybe it just a salesman or someone who has never brought a system to do something it wasn't intend to be used for.

Today my eyes are much more open than two years ago and I am much more aware for the problems in the world of information security. Ideas like this give me a bit of hope, that the fight for more privacy and self-determination hasn't been lost completely.

So, thank you Bruce for posting this information.

P.S.:
Just one word about the moon. If there are really people thinking we have never been there ... there is a mirror on the moon to measure the distance (http://en.wikipedia.org/wiki/Lunar_Laser_Ranging_experiment).

ElmoSeptember 5, 2014 5:29 AM

Thanks for informing me about JackPair. It's exactly what I've been looking for. Now I just need buy a headset and remove the microphone from my cellphone and I'm all set! :)

Thomas StoneSeptember 5, 2014 6:19 AM

They claim that it works on POTS phones but I do not understand how they encrypt the analog side. The analog to digital conversion takes place at the CO with POTS phones. encrypting/decrypting the stream from the digital side of the codec is straight forward but I do not understand how they do it from the analog side (which is where the phone sits). The line cards in COs filter out any signal above 3.6Khz prior to hitting the codec.

BrendanSeptember 5, 2014 8:57 AM

For all those confused about how the device works, I say again: go to the website and read the FAQ. It is explained pretty well there, though they haven't go into the specifics of the specialized voice-like codec as much as I'd like. But I'm patient.

The FAQ explains that the device digitizes your voice with a low-bitrate codec, encrypts this digital information with a stream cipher and then converts the encrypted data into an analog audio signal using a specialized encoder/codec that produces analog audio with "characteristics" similar to human voice, at least from the perspective of "lossy" cell phone hardware codecs and/or internet voice call codecs that usually deal with the analog signal from a microphone or headset jack.

This is similar to how a modem works, except that this modem has been specialized to work over the much more restrictive GSM and other digital mobile signalling networks that expect to compress human voice signals significantly, using lossy codecs that only try to save enough information from the source signal to reconstruct a similar sounding audio on the far end.

Note: the old POTS/land-line networks only sampled once they went digital (though they may do some compression on voice signals these days if they recognize the call isn't a modem/fax). That's why the data-over-analog bitrates are so much higher on POTS than via a GSM modem/fax that uses only the "voice" channel.

jkiSeptember 5, 2014 9:19 AM

Their key exchange can easily be broken if it's a simple DH as stated on their page : It lacks the "commit" message of zrtp.
With a 12 digit "Pairing code" an attacker has to calculate 2^40 exponentiations to perform a MiM. And a well founded agency should have enough computing power to do it in near real time...

Moreover with more than 4 digits the pairing code won't ever be verified...

Nevertheless transmitting data over the GSM voice channel with high enough rate is really interesting !

01September 6, 2014 4:09 PM

@jki

Yeah, lack of "commit" is really kind of bad.

Not fatally bad (the kind of adversary I have in mind for my usecases does not have a powerful "auth message" breaker at its disposal) but they'd better implement the commit messages, at least in v2

ohaiSeptember 6, 2014 8:15 PM

> Americans design and build the best. We went to the Moon, and
> then we went to Mars. What the hell did you build? Cuckoo clocks?

Lovely...
Let's see, what do Yurpeens produce? Chemicals, cars, machinery, way ahead of you 'mercans in renewable energy production and energy conservation, Airbus A380, close to 100% affordable healthcare including dental and eyeglasses (depending on which country you look at) at a fraction of the US prices, 30 days paid vacation and 35-38 hours work week, human rights, number of people in prisons, trying to limit the damage that you 'muricans do all over the world by diplomacy etc. pp.
We Actually produce stuff.
Just as an example: "old Europe" like Germany has a BUDGET SURPLUS, the government is taking in MORE MONEY than they spend, while you yanks continue the downward spiral into EXPONENTIAL DEFICIT SPENDING, enriching the top 1% while the rest earns less than they did 40 years ago. Yurpeens actually produce STUFF that is in high demand worldwide, apart from a few aircraft and shitloads of arms that you yanks manage to export. Yeah keep going "furthering 'murican interests" all over the globe and amassing huge deficits that you will never be able to pay back so the American Peso keeps going downhill and Bejing will soon own the soil you shit on.

vas pupSeptember 8, 2014 12:31 PM

@ohai • September 6, 2014 8:15 PM.
US is still have huge intellectual potential (just take a look/search at US Patent & Trade Mark Office site). Some examples of world technology are Internet, GPS (developed within DARPA). Recently Sandia labs developed new technology to replace MRI by terahertz hand held scanner. Unfortunately, utilization into manufacturing within US (and new high tech jobs) is not so bright. You are right regarding "close to 100% affordable healthcare including dental and eyeglasses (depending on which country you look at) at a fraction of the US prices, 30 days paid vacation and 35-38 hours work week". I guess you have more reasonable ratio of rich people to general population (that is the root), and you are make your middle class stronger as foundation of economical and political stability (less polarization)versus erosion of middle class in US. But, to be fair, you do have huge chunk of population not involved (and basically do not want to be involved)in the productive force and just reaping benefits as well. Those are utilized to full extend benefits you are so proud of.

hermanSeptember 8, 2014 11:16 PM

They should package it in a solid blob of transparent plastic, to make it more tamper evident.

sena kavoteSeptember 9, 2014 11:17 AM

Hopefully it works with symmetric keys too. Making 2 devices touch with some special button pressed should cause exchange of symmetric keys.

Higher security version would work with SD-card-stored keystream that is computed in off-line operating system on actual computer, before the call(s). The encryptor would not have enough computing power to make the keystream by itself. This lack of capacity increases security, because then the real keystream cannot be bypassed and data encrypted with the attackers key.

32GB micro SD card can take keystream enough to last maybe years. All that can be generated from a passphrase.

(required):September 10, 2014 2:40 AM

Jack Pair is designed to encrypt whatever goes trough the wire.

Apart from "Made in USA" and worries about key exchange / encryption implementation i see a huge barn door.

Any cellphone has an internal microphone that can be activated remotely at any time you don't even need to break any encryption here.

PC + Headset might be a different story though.

_JimSeptember 16, 2014 5:16 PM

Clive Robinson • September 4, 2014 4:46 PM

"The ability to turn on the microphone of a telephone by the "phone operator" not the "phone user" has been around for about as long as currently livind memory."

Cite please.

Something back to the days of the common POTS phone.

_Jim

Clive RobinsonSeptember 17, 2014 1:34 AM

@ jim,

Go to your local library and get out a copy of Peter Wright's Spy Catcher and read it, it provides sufficient details to show how to bridge the "hook switch" from the operator/telco side of the demark. Other information relating to it in the book indicates the trick going back into the 1950s. Peter Wright also mentions in the book who his young assistant was "Tony Sale", who in later life was responsable for setting up the Bletchly Park foundation. His and my professional paths crossed on the odd occasion, sadly he is no longer with us as he had some quite amusing anecdotes on when trying to tap telephone lines and other "secret squirrel" activities went horribly wrong, one involved a rather large "officer" dressed as a "nanny" pushing a Silver Cross pram into which they had put an early video camera and transmitter. Unfortunatly it caused interferance on nearby televisions, which resulted in the "officer" being chased down the road by an angry resident. Another was by one of his colleague's who had an early "wire" wireless mic on him which was very ineficient, the result was the Class A PA device (2N2219) got hot enough to cause burns to his inner thigh where the device had been strapped.

Etienne MathieuOctober 31, 2014 11:02 AM

I included the URL below to my Google Drive, as I'm always interested in modems.

I thought I would examine the modem sound in the youtube video (cut and amplify), so there are three files on the drive, two that show the time and frequency, and an MP3 file of just the modem sound.

I didn't try and decode the PCM.

http://goo.gl/qm8oIo

Have fun,

Etienne

scottNovember 2, 2014 3:18 AM

I sadly think this device is fake. The website lists several email addresses that all bounce back unreturned. Jeff Chang the founder also allegedly has several other companies yet I cannot find any contact info for him whatsoever that doesn't bounce back unreturned. My company is prepared to prepay for 3,000 units up front but I cannot locate working contact information for the company other than a Facebook page which stopped being updated the day the kickstarter met its funding goal.

Its too bad, it sounded like sbreslly great device.

I've attempted to message them through Facebook and kickstarter as a last ditch effort and I will gladly eat delicious crow of I'm proven wrong.

Nick PNovember 2, 2014 9:48 AM

@ scott

While that's always a possibility, they've been responding to feedback on their Kickstarter project. The updates they send are believable. I decided to look into it again anyway. You can get the project leader on LinkedIn by typing: "Jeffrey Chang A-WIT." It lists him as working there, others working there endorse him, and his background (Tandem Computers!?) indicates he could probably build a fault-tolerant HPC cluster for us, too. The company's web site mentions making PCB's as one of their services. And finally this site claims the company does a lot more with plenty of income.

So, it might be a con that backers loose money on. Least it would've been a con that checked out in quite a few ways. We won't feel as bad that way. ;)

JeffreyNovember 7, 2014 5:20 PM

@Scott and Nick,

I'm the creator of JackPair, Jeffrey Chang. This is NOT a fake project. We're debugging our second hardware prototype now; it has been a challenging & fun project for our team during the past 12 months, and we will deliver it on March 2015, which has been delayed from the original Dec. 2014 shipment schedule (see my Kickstarter update #7 for details).

I did not see Scott's comment here@SoS until today. It's funny that I've talked with Scott over the phone a few days after he posted the above comment here, without realizing that he was having such a concern about fake device of JackPair. We've been quite busy in the past month, and I didn't see his private emails until a few days ago; finally I got a chance to call him over the phone on Nov. 4th, and discovered that we share similar vision and goals. Scott has been engaging in another cool security project, and, after exchanging ideas and syncing up with each other, both Scott and I think that JackPair and his project are complementary to each other, and we are really excited about more partnership down the road.

I apologize for the email-bouncing and non-responsive issues Scott has mentioned during the past weeks, We've been burying our heads deep in some hardware debugging & development issues recently. Our new domain name, jackpair,com, didn't have its MX records set up properly until this week, hence the email boucing problems. This issue is now fixed and you should be able to write to "info@jackpair.com" etc without problems. In any case, I can always be reached by email at "jeffrey {dot} chang {at} awitsystems {dot} com".

One more clarification: Nick has mentioned the website of "a-wit.com", which is NOT associated with me or my company, AWIT Systems, at all. My company's domain name is "awitsystems.com", NOT "a-wit.com", and our company, AWIT Systems, Inc, is NOT associated with "A-WIT Technoligies, Inc." either. Nick is right that I did work for Tandem Computers long time ago; I was involved with fault-tolerant networking protocol stacks, ranging from ethernet driver to TCPIP stack and Web servers with high availability and scalabilities. My career has always been in computer networking, and I'm passionate about fully distributed, peer-to-peer systems; this is one of the reasons why JackPair is designed without any central server element involved.

You can find more info about us from JackPair's web site, www.JackPair.com. We love to hear from you, and have been taking your feedbacks seriously and implemented many of them. Let us know your comments.

--- Jeffrey


Nick PNovember 7, 2014 7:26 PM

@ Jeffrey

Appreciate your reply and clarification on the company name. Far as I see, you guys are running the project well and I'm glad I sponsored it. If JackPair succeeds and sells well, I might help your team raise its security assurance level with specialist techniques.

FigureitoutNovember 8, 2014 7:48 PM

Jeffrey
--Very cool. Best part (to me) is the "lack of trust" the device assumes (no software install-(always a problem), no subscription-(de-anonymize and target subscribers), work w/ any phone-(give users more freedom and not lock-in to certain device), and no messing w/ passwords).

This needs to be applied immediately when you're forced to make a debit card pin over a home phone line...(can still go change immediately at ATM, then you wonder about both that machine and the network again...).

Kind of blows my mind how this could work, hats off for the hard work.

scottNovember 9, 2014 12:01 AM

There's that crow.

I've spoken to Jeff about this device and was wrong about the device or the company being fake.

Apparently I got a little excited and let my skepticism about things I find online take over too quickly.

I'm looking forward to the release of this device and the possibility of pairing it with a project I'm currently developing. While I'm not a cryptographer, after talking to Jeff about this device I'm really excited to see/hear it in action.

ThothNovember 13, 2014 3:23 AM

@Jeffrey
Regarding the USB port that maybe used for recharging, it would be a nice idea to clip out the data cables and leave the ground and power intact. This way, there is lesser chances for accidental transfer of data or exflitration.

Future Considerations:
For future consideration of side-loading keystreams via MicroSD cards,a manual switch to physically connect the MicroSD card slot to the main device board should be an option and the data flow from the MicroSD should only enable copying and no writing even if MicroSD is set to allow write (data diode concept). Copied keystreams should be segregated and non-executable (cannot be executed as executable codes in case of hidden malware) but can be read as raw bytes for raw encryption.

Tamper detection and wiping would be nice. First step would probably be pressure switches to detect lifting of covers.

Andrew_KNovember 13, 2014 4:31 AM

@ Thoth

A USB port with just the two power pins in it will not be enough for several devices. Especially devices designed in Cupertino and made in China demand to be tickled with 2.5V at each data pin to go to charge mode. There exists already a product with the appealing name "USB Condom".

ThothNovember 13, 2014 5:19 AM

@Andrew_K
My idea was derived from USB Condom. What I meant is a built-in USB Condom into JackPair so that you do not need carry one of those USB Condom around.

WaelDecember 1, 2014 4:26 PM

@Andrew_K,

There exists already a product with the appealing name "USB Condom"
Not just the name, but the advertisment as well.
Have you ever plugged your phone into a strange USB port because you really needed a charge and thought: "Gee who could be stealing my data?". We all have needs and sometimes you just need to charge your phone. "Any port in a storm." as the saying goes. Well now you can be a bit safer. "USB Condoms" prevent accidental data exchange when your device is plugged in to another device with a USB cable. USB Condoms achieve this by cutting off the data pins in the USB cable and allowing only the power pins to connect through.Thus, these "USB Condoms" prevent attacks like "juice jacking".

And:
Use charging stations in public without worrying [...]
If you're going to run around plugging your phone into strange USB ports, at least be safe about it. ;-)

Would be funnier if they made a movie and extended the analogy with "other cable enhancement" products ;)

Nick PApril 7, 2015 8:08 PM

Update on JackPair

The project just asked everyone for shipping details. It's apparently almost ready to deploy.

Charles H.April 17, 2015 11:57 AM

This is a great idea, but it looks hard to make into a product that most people will use. It would be really awesome if something similar could be standardized and the major device manufacturers could be persuaded to embed such a functionality into all of the headphones which ship with their phones. Then everyone would have this capability as a basic feature when they buy a phone. If anyone reading this has clout at Apple or any other device manufacturer, I hope this finds it's way into production :-)

SSG Sexton (Ret)April 19, 2015 6:00 PM

Can three or more people use multiple Jackplugs on a conference call?

If so, what would stop someone from recording the whole encrypted conversation (from Ring to Tip) and then play it back with a modified Jackplug to 'hear' the key exchange and decode?

Or listen in real time with a receive only line tap and modded firmware?

Can the Jack plug be used on cheap wall-mart walkie talkies? CB radios?

I am not a uber up on the ins and outs of the inners of crypto...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.