Recently I came across a series of articles that claims that most solutions that encrypt voice communications on mobile phones are not up to par and can easily be intercepted. My first reaction was that this was a very bold claim and after reading further I kind of lost a little faith in the author’s arguments. That being said, some of his arguments do have merit and his approach was very clever in its simplicity.
Notrax, the hacker in question, approached the challenge not by cracking the voice encryption algorithm itself but by installing a Trojan on the victim’s headset and intercepting the voice as it is being recorded from the cell phone’s microphone before it gets processed / encrypted. Simple and effective. Nearly all of the solutions were vulnerable to this approach.
He sees this as a failure on the side of solution providers; this is what I do not agree with. I do not believe that the approach Notrax employed is something that such a solution needs to cater for. It is true that a few solutions detected something fishy going on and stopped the connection; kudos to them, if Notrax praised these solution for their effectiveness I wouldn’t have anything to comment against but shooting down others who didn’t detect the intrusion goes a bit overboard in my opinion.
Notrax claimed that this failing on the solution provider’s part means that their security is useless. He says that this means they don’t do what they advertise, since they claim that your calls will be secure whereas he easily managed to intercept the calls with a simple procedure. However, like I argued in a previous article, there is no such thing as absolutes in security.
No solution can protect against every form of attack. Every device / software tries to secure its own little domain and whoever is implementing the security policy needs to not only understand this but build his strategy around this notion. Taking these secure calling solutions for instance, if I employ such a solution I don’t expect to be 100% secure against everything. No matter how well designed or how expensive it may be, do I expect such software to keep me safe from something as trivial as a person close by hearing me talk ( known as shoulder surfing)? Of course not! What I would expect from such a solution is that if someone were to sniff / intercept the encrypted voice transmission he will have no way to reverse it in a timeframe that makes it useable.
Notrax’s approach required physical access to the phone and the ability to deploy software. If an attacker gets physical access to something you want to protect then you’re already in a lot of trouble. No solution will protect you after an event like that. Even those applications that detect something amiss and block the call; what’s to stop an attacker who has physical access to the phone from uninstalling them and instead installing a lookalike application with as many backdoors as the attacker wishes? Nothing!
What I am trying to say is not that Notrax is wrong, he is right; his approach works and is definitely a threat; however, what I don’t agree with is that it’s the vendor’s fault. Physical security of the mobile phone is not their responsibility and his attack was, in my opinion, an attack against the physical security of the device and not the voice encryption solution. This attack vector cannot be protected against via software it can only be avoided if proper physical security is ensured. With physical access to the device one can simply hook a bug to the cell phone microphone itself and have everything transmitted unencrypted on any frequency the attacker wishes. No software solution will detect or block that.
What I want to say here is let’s keep focused on what we’re protecting against and definitely never assume that one solution will cover it all. Security is about identifying the risks, seeing which ones are worth mitigating and then adopting solutions that will mitigate them.