Thursday, July 10, 2014

Top 10 forgotten mobile threats revealed

Do you have a smartphone? Of course you have. Let's say you even use some encryption for your mobile calls. Do you know what threats you are exposed to when using it? Keep reading...

Just for you. Really?

1. Spyware
Spyware runs on the smartphone and can record all communication. It can send the recorded communication later or broadcast it live. Spyware is hidden and difficult to detect.

2. Record microphone
Malware can record from your smartphone's microphone and send or broadcast the communication it captures.

3. Man-in-the-middle attack
A malicious outsider inserts him or herself into a conversation between you and your party and gains access to your private information.

4. Stealing encryption keys
The encryption keys can be stolen before or during the communication. This is a common problem with encryption software. However, it is possible to physically protect encryption keys with cryptochip or TPM technology. This requires a hardware component in your smartphone, typically integrated into a micro SD card.

5. Cracking encryption keys
Cracking the keys can be easier if you use public key encryption. Since public keys are sent over the Internet and define the key space, they make cracking a lot easier. You can find a nice explanation of the mathematical background here: https://www.udacity.com/course/cs387.

6 to 10
Find the rest in the infographic below. Just click on it. Hover or tap the threats.




Friday, February 21, 2014

First NSA-proof phone already on the market


Believe it or not, the first NSA-proof phone has been on the market for years, and it is called Secfone, not Blackphone. For a long time it was not available to the public (only to governments and military organizations), but as of 2013 it can be ordered from BeSure Europe LLP. It was announced at Mobile World Congress (MWC) Barcelona in 2013.

This is the only solution that we have enough information about to claim it to be NSA-proof or rather eavesdrop-proof.

How can Secfone protect mobile conversations?

Secfone is the only solution on the market that implements triple-level protection. Triple-level protection means the protection of the communication, the encryption keys and the smartphone. Leaving any level out makes the encryption solution vulnerable and easy to tap. For example, encryption software on iPhone and BlackBerry smartphones cannot protect the smartphone itself, since these smartphones have proprietary operating systems. We had no information on how these operating systems work until Snowden released the NSA documents. These documents prove that iPhone and BlackBerry have a backdoor. The backdoor is called DROPOUTJEEP, and it provides direct access to the smartphone's microphone and camera. This makes these smartphones a personal bug.

Protection of communication - Level 1

Secfone protects the communication with a unique implementation of asymmetric encryption. Using a non-standard implementation is inevitable. Standards define the methods of cracking: they provide enough information to crack the keys. Encryption cracking software and hardware appliances are designed and optimized to crack standard encryption.

Read the implementation (patent description only for experts!)

Protection of encryption keys - Level 2

Encryption keys cannot be protected on any smartphone, especially not with encryption software. Keys can be protected only in special hardware, called a Trusted Platform Module or cryptochip. This hardware is designed to generate, manage and use encryption keys. It is unreadable by design, and there is no known method for getting the encryption keys out of it.

Protection of smartphone - Level 3

The solution has to protect the smartphone itself too. This means that no software can access the smartphone's microphone and camera during calls. Secfone monitors the microphone during calls, detects malicious software that tries to access it, and handles the situation.

Takeaway

An NSA-proof phone will never come from the US or any other world power. Think it over...


Wednesday, February 19, 2014

5 questions your boss will ask you on encrypted mobile communication


Companies working with valuable technologies and information have to protect their ideas from the beginning. Employees work on valuable ideas for a while before the idea becomes a product or a service. Meanwhile, they also communicate with each other through mobile communication. It is essential to protect the information in transit. If you work at a company like that, and you do not use a high-security mobile communication solution, then be prepared to brief your boss on encrypted mobile communication. You will have to give the briefing, sooner or later…

1st Question: What encryption software should we use?
Answer: Encryption software provides a very limited level of security. One of the most fundamental features of a secure mobile encryption solution is protecting the encryption keys, because once the key is compromised, the communication is leaked. Software resides in the smartphone's unprotected storage and runs on the smartphone's unprotected processor. These parts of the smartphone are not designed to protect any information. There is no way to protect the keys on any smartphone.

2nd Question: Is there a mobile encryption solution that can effectively protect the encryption keys?
Answer: Yes, there are some solutions on the market. Only special hardware, designed for generating, storing, managing and using encryption keys, can protect the keys. This hardware is not readable by design and is hack-proof. It is often referred to as a cryptochip or Trusted Platform Module. These chips are sensitive by design, so any attempt to read out the information from them damages the hardware and destroys all the information it stores, including the encryption keys.

3rd Question: Which TPM or cryptochip based solution should we choose?
Answer: A TPM or cryptochip is just the bottom line. For the highest level of security, the solution has to protect the communication, the encryption keys and the smartphone too. If, let's say, the smartphone is not protected, then the communication can be eavesdropped directly through the microphone before any encryption takes place. A known backdoor called DROPOUTJEEP exists on all iPhone and BlackBerry smartphones. It is totally useless to use any mobile encryption solution on these smartphones.

4th Question: What kind of encrypted mobile solution should we use?
Answer: We should use a cryptochip based solution with triple-level protection. The solution has to protect the communication, the encryption keys and the smartphone. It has to run on a smartphone and operating system which has no known backdoors. 

5th Question: How much does the most secure solution cost? Is it expensive?
Answer: Surprisingly, the highest level of security is not the most expensive. The most expensive software solution, Crypttalk, costs 250 euro/month with all the defects mentioned. Yet we can reach the highest level of security at a reasonable price of 55 euro/month. A one-time fee of 300 euro applies, which includes the price of a unique cryptochip. We do not have to buy new smartphones; we just have to insert the cryptocard into the micro SD card slot of our smartphones. The solution is called Secfone.


Friday, January 17, 2014

Secfone beyond encrypted mobile communication - Key protection



A recent blog post on the impacts of Snowden's leaked documents on encryption software skyrocketed on this blog. Thanks folks!

However, several questions came up concerning Secfone's solution, so let me answer them here. I try not to be too technical, so it will be understandable for non-infosec users too.

How does Secfone protect encryption keys?

One of the fundamental issues in communication encryption is how the solution protects the encryption keys. If the keys are compromised, then the communication can easily be tapped. Encryption software can use only the device's (smartphone's) storage and CPU to store, generate, manage and use encryption keys. However, these hardware elements are not designed to protect anything. This is one of the biggest weak points of all encryption software.

Secfone uses TPM technology (Trusted Platform Module), a cryptochip integrated into a micro SD card (the card goes into the micro SD slot of the smartphone). This hardware component is designed to generate, store, manage, use and PROTECT encryption keys. The cryptochip is designed to be very sensitive on purpose. That means the information can't be retrieved from the chip (it is not readable by design). If you try to hack the cryptochip (with an oscilloscope, by putting it under an electron microscope, or by trying to freeze and remove it), this damages the chip and all the information it stores is lost immediately. This is the only proven technology today that can protect encryption keys (More on TPM technology: 5 functions of TPM you did not know about).

Interesting: An early version of a cryptochip was hacked by Christopher Tarnovsky in 2010. The hack required a very high level of expertise and physical possession of the chip. This hack does not work anymore with the new hardware.

What about stealing the encryption keys?

Good question. There are some companies that use a cryptochip (they call it a security card or trustchip; it is the very same thing) and put the keys into the chip at production. The keys are safe inside the cryptochip, there is no question, but they can be compromised BEFORE they are put into the chip.

Secfone has its own method. Secfone does not put keys into the cryptochip, but uses the cryptochip's functions to generate the keys for itself at production. What does this mean?

  1. Keys needed to decrypt the information that arrives at the device NEVER leave the safe storage of the cryptochip.
  2. Keys cannot be stolen from the factory or from a sysadmin.
  3. Nobody knows the keys (the producer of the cryptocard, Secfone, the customer, nobody).

Interesting: Cryptochip is a military-grade technology under special export regulations. Strict legislation applies to keep information on who possesses the technology. It cannot be exported to "sensitive" countries.

Now the keys are safe. However, there are more layers of security in Secfone; I will write a post about them soon.

Wednesday, January 15, 2014

Snowden killed all iPhone encryptions

If you use encryption software on your iPhone and you paid for it, then you paid for an illusion, not for security. Thanks to Snowden and security researcher Jacob Appelbaum, the entire world now knows the magic word DROPOUTJEEP and its meaning.

DROPOUTJEEP is a spyware program developed by the NSA that runs on iPhone and provides access to almost everything. It can intercept SMS messages, read the contact lists and locate the iPhone based on cell tower data, and the best part is that it can turn on the camera and the microphone and listen to any conversation. It can even be deployed remotely.

According to the leaked documents, the NSA claims a 100% success rate on iOS devices. It is impossible to reach 100% unless you have access to a backdoor. Of course Apple denies that it helped the NSA build the iPhone's backdoor, but that does not change anything. It does not change the 100% success rate.

How does DROPOUTJEEP impact encryption software on iPhone?

Now comes the bad news. It is well known to industry experts that purely software-based mobile encryption solutions cannot secure any communication. Now things are going from bad to worse. No encryption solution can protect your communication on iPhone. Not even hardware-based solutions.

Since DROPOUTJEEP can control the microphone of the iPhone, it listens to the conversation BEFORE any encryption takes place. Even if your software or hardware solution uses military-grade 4096 bit encryption keys, it provides zero security if you use it on iPhone. If you use Gold Lock, Silent Circle, Zfone, Crypttalk, Cellcrypt, Kryptos, Secustar or any other encryption software on iPhone and you still need secure mobile communication, consider just deleting your app.

Time to reconsider what you think about encryption software and iPhone security.

Takeaway

The good news is that you can still have secure mobile communication. Avoid iPhone and BlackBerry, and use an open source operating system. Choose a cryptochip (hardware) based encrypted mobile communication solution with triple-level protection. Triple-level protection keeps any unauthorized process from accessing your phone's microphone.