Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Leading voice encryption programs hacked in minutes

Most products don't work, says researcher.

Article comments

Most voice encryption systems can be tapped in minutes by installing a voice-recording Trojan on the target computer, a security researcher has confirmed after testing a range of well-known products.

Although this type of attack has been known about for some time, the scale of the issue uncovered by researcher ‘Notrax' is still surprising. In all, the unnamed engineer was able to intercept calls made using twelve popular encryption programs and hardware systems using an easily available $100 wiretapping utility called FlexiSPY. This tapped the voice stream in real time before any encryption was applied to the data.

The researcher then refined the principle of FlexiSPY into a custom-written Trojan that could record both the microphone and speaker and capture any conversation into a file for retrieval later on. Crucially, both attacks were able to carry out their work undetected by suppressing all rings, notifications and call logs.

Programs and hardware systems beaten included Zfone/ZRTP, Secure Voice, Caspertech, and even the well-regarded GSM handset security system from UK company Cellcrypt. Only three products resisted the simple attack, an unnamed Rohde & Schwarz Bluetooth device, PhoneCrypt from German company SecurStar, and a hardware product from SnapCell.

"It is easy to take the security at face value when the software told me the call was secured. I decided to dig a little deeper. What I discovered and what I was completely in shock about was I broke almost all of them in less than 30 minutes," says the engineer in an ongoing blog on the tests.

Using a Trojan to get around voice encryption software depends on getting such a program on to a target PC or handset in advance of a call, something that might or might not be difficult to achieve, depending on the PC or device in question. But it is an attack method that companies should know about given that it has been used against the one program not tested by the researcher, Skype.

As long ago as 2006, the Swiss government was reported to be using specially-written Trojans to record phone calls made by criminals using Skype and other VoIP services. The author of this software, Ruben Unteregger, later went public on his work, even going as far as to publish the source code in an attempt to stop his software being used for eavesdropping again.

"Like most security breaches, Notrax went for the weakest link; he did not attempt to crack the encryption itself, but used simple wiretapping techniques," says Wilfried Hafner, CEO at SecurStar, one of the vendors that managed to resist the Trojan attack. PhoneCrypt even threw up a skull and crossbones image when the Trojan tried to access the program's memory-resident service, letting the user know that the call was no longer secure.

Notrax has posted YouTube videos (scroll down) of how the hacks were conducted on specific products.


More from Techworld

More relevant IT news


John E Dunn said: Up date on this storyhttpnewstechworldcomsecu

John E Dunn said: Ive done an update on this story here httpnewstechworldcomsecu

Fabio Pietrosanti said: I have made a detailed analysis- its most probably a marketing initiative and not a independent security research- they consider only a security context where local device has been compromised- they do not consider cryptographic security argumentsRead it carefullyhttpinfosecuritych2010013Fabio Pietrosanti naif

Fabio Pietrosanti said: To alli made an analysis of the research with independent criteriaRead my discoveryhttpinfosecuritych2010013

Les Goldsmith said: I would assume this particular attack was done with the Cryptophone in low security mode which allows the installation of other parties software on the device Very few users of serious encryption products would choose that low security setting during setup

Paul Simon said: Gold-Lock seems to be a company that works with the Mosad who want to intercept phonecalls worldwide It is not surprising their solution got compromised so easily

Renate said: Well i think then rather then warning you they should have done something about it to protect you As others seems to have done because a phone can be compromised in many ways including by yourself if you download and infected application such as a Itunes file

Alfred said: I actually bought one of those systems wwwgold-lockcom they specifically warned me not to let anyone install trojans on my phones since this compromises any security system so far - no interceptions on my phone

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *