Showing posts with label encryption. Show all posts
Showing posts with label encryption. Show all posts

Thursday, July 10, 2014

Top 10 forgotten mobile threats revealed

Do you have a smartphone? Of course you have. Let's say you even use some encryption for your mobile calls. Do you know what threats you are exposed to when using it? Keep reading...

Just for you. Really?

1. Spyware
Spyware run on smartphone and can record all communication. It can send the recorded communication later or broadcast it live. Spyware is hidden and difficult to detect.

2. Record microphone
A malware can record the microphone of your smartphone can send or broadcast the communication it captures.

3. Man-in-the-middle attack
A malicious outsider inserts him or herself into a conversation between you and your party and gains access to your private information.

4. Stealing encryption keys
The encryption keys can be stolen before or during the communication. It is a common problem of encryption software. However it is possible to physically protect encryption keys with cryptochip or TPM technology. It requires a hardware piece in your smartphone, typically integrated into a micro SD card.

5. Cracking encryption keys
Cracking the keys can be easier if you use public key encryption. Since public keys are sent over the Internet and define the key space, they make cracking a lot easier. You can find a nice explanation of the mathematical background here: https://www.udacity.com/course/cs387.

6 to 10
Find the rest in the infographic below. Just click on it. Hover or tap the threats.

Mobile Security Threats Skycraper


Please share and like :-) Thank you!



Posted by at 70 comments:
Labels: , , , , , , ,

Friday, January 17, 2014

Secfone beyond encrypted mobile communication - Key protection



A recent blog post on the impacts of Snowden's leaded documents on encryption softwares skyrocketed on this blog. Thanks folks!

However several questions came up concerning Secfone's solution let me answer them here. I try not to be too technical, so it will be understandable for non-infosec users too.

How Secfone protects encryption keys?

One of the fundamental issues in communication encryption is how the solution protects the encryption keys. If the keys are compromised, than the communication can easily be tapped. Encryption softwares can use only the device's (smartphone) store and CPU to store, generate, manage and use encryption keys. However these hardware elements are not designed to protect anything. This is one of the biggest weak-point of all encryption software.

Secfone uses TPM technology (Trusted Platform Module), a cryptochip integrated into a micro SD card (the card goes into the micro SD slot of the smartphone). This hardware piece is designed to generate, store, manage, use and PROTECT encryption keys. The cryptochip is designed to be very sensitive on purpose. That means the information can't be retrieved from the chip (it is not readable by design). If you try to hack the cryptochip - with an oscilloscope, or put it under an electro-microscope, try to freeze and remove it - it damages the chip and all the information it stores is lost immediately. This is the only proven technology today that can protect encryption keys (More on TPM technology: 5 functions of TPM you did not know about).

Interesting: One of an early version of cryptochips was hacked by Cristopher Tarnovsky in 2010. The hack required very high level of expertise and physical possession of the chip. This hack does not work anymore with the new hardwares.

What about stealing the encryption keys?

Good question. There are some companies that use cryptochip (they call it security card or trustchip, this is the very same thing) and put the keys into the chip at production. The keys are safe inside the cryptochip, it is no question, but can be compromised BEFORE they put it into the chip.

Secfone has its own method. Secfone does not put keys into the cryptochip, but uses cryptochip's functions to generate the keys for itself at production. What does it mean?

  1. Keys needed to decrypt the information that arrives to the device NEVER leave the safe storage of cryptochip.
  2. Keys can not be stolen from the factory or from a sysadmin.
  3. Nobody knows the keys (producer of the cryptocard, Secfone, the customer, nobody)

Interesting: Cryptochip is a military-grade technology under special export regulations. Strict legislation apply to keep information on who possesses the technology. It can not be exported to "sensitive" countries. 

Now the keys are safe. However, there are more layers of security in Secfone, I will write a post about them soon.

Thanks for reading. If you found this blog post interesting, please spread the word.
Posted by at 2 comments:
Labels: , , , , , , , , , ,

Wednesday, January 15, 2014

Snowden killed all iPhone encryptions

If you use encryption software on your iPhone and you paid for it, than you paid for illusion not for security. Thanks to Snowden and security researcher Jacob Appelbaum now the entire World knows the magic word DROPOUTJEEP and the meaning of it.

DROPOUTJEEP is a spyware program developed by NSA that runs on iPhone, and provides access to almost everything. It can intercept SMS messages, can read the contact lists, locate the iPhone based on cell tower data, and the best part is, it can turn on the camera and the microphone, and can listen to any conversation. It can even be deployed remotely.

According to leaked documents NSA claims 100% success rate on iOS devices. It is impossible to reach 100%, unless you have access to a backdoor. Of course Apple denies that it helped NSA to build iPhone's backdoor, but it does not change anything. It does not change the 100% success rate.

How DROPOUTJEEP impact encryption softwares on iPhone?

Now come the bad news. It is well known for the industry experts that purely software-based mobile encryption solutions can not secure any communication. Now things are going bad to worse. No encryption solution can protect your communication on iPhone. Not even hardware based solutions.

Since DROPOUTJEEP can manage the microphone of the iPhone, it listens to the conversation BEFORE any encryption takes place. Your software or hardware solution can even use military-grade 4096 bit encryption keys, it provides zero security if you use it on iPhone. If you use Gold Lock, Silent Circle, Zfone, Crypttalk, Cellcrypt, Kryptos, Secustar or any other encryption software on iPhone and you still need secure mobile communication, consider just deleting your app.

Time to reconsider what you think about encryption software and iPhone security.

Takeaway

The good news is you still can have secure mobile communication. Avoid iPhone and BlackBerry, use open source operating system. Choose cryptochip (hardware) based encrypted mobile communication solution with triple-level protection. Triple level protection keeps any unauthorized process to access your phone's microphone.

If you have found anything new in this blog post, please share it. Thank you :-)

Posted by at 8 comments:
Labels: , , , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)