[VOIPSEC] News: Leading voice encryption programs hacked in minutes

Thu Jan 28 13:13:39 CST 2010

http://news.techworld.com/security/3211263/leading-voice-encryption-programs-hacked-in-minutes/

Leading voice encryption programs hacked in minutes -- Most products
don't work, says researcher.

By John E. Dunn | Techworld | Published: 11:35 GMT, 27 January 10

Most voice encryption systems can be tapped in minutes by installing a
voice-recording Trojan on the target computer, a security researcher
has confirmed after testing a range of well-known products.

Although this type of attack has been known about for some time, the
scale of the issue uncovered by researcher ‘Notrax' is still
surprising. In all, the unnamed engineer was able to intercept calls
made using twelve popular encryption programs and hardware systems
using an easily available $100 wiretapping utility called FlexiSPY.
This tapped the voice stream in real time before any encryption was
applied to the data.

The researcher then refined the principle of FlexiSPY into a
custom-written Trojan that could record both the microphone and
speaker and capture any conversation into a file for retrieval later
on. Crucially, both attacks were able to carry out their work
undetected by suppressing all rings, notifications and call logs.

Programs and hardware systems beaten included Zfone/ZRTP, Secure
Voice, Caspertech, and even the well-regarded GSM handset security
system from UK company Cellcrypt. Only three products resisted the
simple attack, an unnamed Rohde & Schwarz Bluetooth device, PhoneCrypt
from German company SecurStar, and a hardware product from SnapCell.

"It is easy to take the security at face value when the software told
me the call was secured. I decided to dig a little deeper. What I
discovered and what I was completely in shock about was I broke almost
all of them in less than 30 minutes," says the engineer in an ongoing
blog on the tests.

Using a Trojan to get around voice encryption software depends on
getting such a program on to a target PC or handset in advance of a
call, something that might or might not be difficult to achieve,
depending on the PC or device in question. But it is an attack method
that companies should know about given that it has been used against
the one program not tested by the researcher, Skype.

As long ago as 2006, the Swiss government was reported to be using
specially-written Trojans to record phone calls made by criminals
using Skype and other VoIP services. The author of this software,
Ruben Unteregger, later went public on his work, even going as far as
to publish the source code in an attempt to stop his software being
used for eavesdropping again.

"Like most security breaches, Notrax went for the weakest link; he did
not attempt to crack the encryption itself, but used simple
wiretapping techniques," says Wilfried Hafner, CEO at SecurStar, one
of the vendors that managed to resist the Trojan attack. PhoneCrypt
even threw up a skull and crossbones image when the Trojan tried to
access the program's memory-resident service, letting the user know
that the call was no longer secure.

Notrax has posted YouTube videos (scroll down) of how the hacks were
conducted on specific products. <http://infosecurityguard.com/>