[Infowarrior] - Android App Aims to Allow Wiretap-Proof Cell Phone Calls
Richard Forno
rforno at infowarrior.org
Mon Jun 28 20:43:17 CDT 2010
Android App Aims to Allow Wiretap-Proof Cell Phone Calls
May 25, 2010 - 5:15 pm
Andy Greenberg is a technology writer for Forbes.
http://blogs.forbes.com/firewall/2010/05/25/android-app-aims-to-allow-wiretap-proof-cell-phone-calls/
Worried about the NSA, the FBI, criminals or cyberspies electronically eavesdropping on your private phone calls? There may be an untappable app for that.
On Tuesday, an independent hacker and security researcher who goes by the handle Moxie Marlinspike and his Pittsburgh-based startup Whisper Systems launched free public betas for two new privacy-focused programs on Google's Android mobile platform: RedPhone, a voice over Internet protocol (VoIP) program that encrypts phone calls, and TextSecure, an app for sending and receiving encrypted text messages and scrambling the messages stored in the user's inbox.
Marlinspike says the apps will interface with users' contact lists and other functions on the phone to take the hassle out of making calls and sending texts that can't be eavesdropped by third parties. "Our main aim is to make this as easy as possible," he says. "We want it to be a secure and anonymous drop-in replacement for the normal dialing system on your phone."
RedPhone uses ZRTP, an open source Internet voice cryptography scheme created by Phil Zimmermann, inventor of the widely-used Pretty Good Privacy or PGP encryption. When a caller dials another RedPhone user, the app uses the two users' keys to create a simple passphrase ("flatfoot eskimo" or "slingshot millionaire," for example) and display it on each phone, allowing the speakers to verify that the codes match, and that there's no man-in-the-middle intercepting the call.
TextSecure uses a similar scheme developed by cryptographers Ian Goldberg and Nikita Borisov known as "Off The Record" to exchange scrambled text messages. Both apps automatically generate a new key and delete the old one with every communication so that even if a user's key is stolen, none of his or her past calls or texts can be deciphered.
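As an added illustration of the ZRTP-style check described above (example code written for this post, not RedPhone's or Whisper Systems' code): each party derives a short authentication string from the agreed key and both public values, so a direct call shows matching words on both phones, while a third party who negotiates separate keys with each side leaves the two phones showing different words. The group parameters and the 32-word list are constructed toys (RedPhone renders two words from the PGP word list), and the fresh key pair generated per call is the same mechanism behind the "new key with every communication" point.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this illustration only;
# real ZRTP negotiates standard MODP or elliptic-curve groups.
P = 2**127 - 1   # Mersenne prime, values fit in 16 bytes
G = 3

# Constructed 32-word list standing in for the PGP word list RedPhone displays.
WORDS = ("acrobat alpine amber anchor armada baboon badger bandit beacon bishop "
         "blossom bonsai brandy bucket cactus camel canvas carbon castle cello "
         "cement cherry clover cobra comet condor copper cowboy crater dragon "
         "eagle falcon").split()

def dh_keypair(priv=None):
    """Fresh ephemeral key pair, generated per call and discarded afterwards."""
    priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Shared secret hashed into the key that would encrypt this call's audio."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def sas_words(key, caller_pub, callee_pub):
    """Short Authentication String: 20 bits of a hash over the session key and
    both public values, rendered as four words for the parties to read aloud."""
    h = hashlib.sha256(key + caller_pub.to_bytes(16, "big")
                       + callee_pub.to_bytes(16, "big")).digest()
    bits = int.from_bytes(h[:3], "big") >> 4          # leftmost 20 bits
    return " ".join(WORDS[(bits >> s) & 31] for s in (15, 10, 5, 0))

def direct_call(a_priv=None, b_priv=None):
    """Caller A and callee B see each other's real public values: the words match."""
    a_priv, a_pub = dh_keypair(a_priv)
    b_priv, b_pub = dh_keypair(b_priv)
    sas_a = sas_words(session_key(a_priv, b_pub), a_pub, b_pub)
    sas_b = sas_words(session_key(b_priv, a_pub), a_pub, b_pub)
    return sas_a, sas_b

def intercepted_call(a_priv=None, b_priv=None, m_priv=None):
    """A third party M substitutes its own public value toward each side, so A and B
    each share a key with M rather than with each other; the words they read differ."""
    a_priv, a_pub = dh_keypair(a_priv)
    b_priv, b_pub = dh_keypair(b_priv)
    m_priv, m_pub = dh_keypair(m_priv)
    sas_a = sas_words(session_key(a_priv, m_pub), a_pub, m_pub)   # A takes M's value for B's
    sas_b = sas_words(session_key(b_priv, m_pub), m_pub, b_pub)   # B takes M's value for A's
    return sas_a, sas_b
```

Comparing the words out loud is what detects the substitution; the check only works if both parties actually read and compare them.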
The two apps will likely remain free even once they leave beta, Marlinspike says, though he also plans to offer a premium, paid version of the programs.
Whisper Systems' apps aren't the first to bring encrypted VoIP to smartphones. But apps like Skype and Vonage don't publish their source code, leaving the rigor of their security largely a matter of speculation. Marlinspike argues that because those apps interface with the traditional telephone network, they may also be subject to the Communications Assistance for Law Enforcement Act (CALEA), which requires companies to build backdoors into their technologies for law enforcement wiretaps.
Since the passage of CALEA in 1994, the number of those law enforcement wiretaps has exploded. There were 2,376 wiretaps by law enforcement agencies in 2009, 26% more than the year before, and 76% more than 1999.
Marlinspike, whose past work has focused on SSL vulnerabilities and thwarting Google's data collection, says his apps are meant to offer privacy in an age of overzealous legal wiretaps, as well as those that may be using vulnerabilities created by CALEA for illegal surveillance.
He points, for instance, to the Athens Affair, a situation in 2005 when lawful intercept capabilities in Ericsson equipment were used to spy on Greek politicians including the country's prime minister. "We've entered this really problematic situation where we have insecure infrastructure everywhere, communications being broadcast in the air around us, and anyone with a bit of radio equipment can reach out and intercept communications," says Marlinspike. "Individuals need to start taking steps to protect their privacy and the confidence of their communications."
If the new apps see widespread adoption, the usual criticisms of wiretap-defeating encryption may follow. Since the 1990s, opponents of encrypted communication technologies have argued that scrambling messages would give free rein to criminals and terrorists. FBI director Louis Freeh argued in 1997, for instance, that "uncrackable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity."
But Marlinspike points out that criminals today can use other means to avoid wiretaps, such as anonymous, prepaid "burner" phones, like the one used by the Times Square attempted bomber. "This matters much less to criminals than it does for everyone else," he says.
Of more concern to Marlinspike may be another statistic published by the judicial system last month. Last year, law enforcement officials only encountered encryption in one case, and in that case, the technology "did not prevent officials from obtaining the plain text of the communications," according to the courts' report, raising questions of why encryption has failed to stop the expansion and success of wiretaps.
Better encryption technology like Marlinspike's could change the technology's seeming ineffectiveness. But University of Pennsylvania Computer Science professor Matt Blaze says that the report may also demonstrate that law enforcement can find its way around even strong encryption by planting spyware on the target's phone. "If I were law enforcement, intelligence, or a bad guy, I would waste very little time trying to defeat the encryption and instead install my software on your phone to simply see the key," says Blaze. He points to the trial of alleged mafia member Nicky Scarfo, whose computer was revealed to have been bugged by the FBI with spyware to log his keystrokes.
In Whisper Systems' defense, Android malware is hardly widespread, and planting spyware on a target's phone is still far more work than traditional wiretaps, which involve simply asking the user's carrier to bug the phone.
One way to reduce that remaining vulnerability, however, may be moving the apps to Apple's more tightly controlled iPhone platform. Whisper plans to submit RedPhone and TextSecure to Apple for review, though Marlinspike admits he has doubts about the company's review process. "Getting this approved by Apple," he says, "might be challenging."
In the meantime, Android users can download both apps here.