Forgot your password?
typodupeerror
Encryption Security Communications Software

Flaws In ZRTPCPP Library, Used In Secure Phone Apps 42

Posted by timothy
from the fix-is-in dept.
Gunkerty Jeb writes "A security researcher has uncovered a number of serious vulnerabilities in one of the core security components of several secure telephony applications, including the Silent Circle system developed by PGP creator Phil Zimmermann. The vulnerabilities in the GNU ZRTPCPP library already have been addressed in a new version of the library and Silent Circle has implemented a fix, as well. ZRTPCPP is a library that implements the ZRTP protocol that Zimmermann and others developed to establish secure sessions over a pre-existing connection. Silent Circle, which sells a cryptographically secure mobile phone application, and several other products implement the ZRTPCPP library, and Mark Dowd of Azimuth Security has identified several vulnerabilities in the library that could give an attacker the ability to get remote code execution. Dowd said that the bugs can be exploited by remote, unauthenticated users."
This discussion has been archived. No new comments can be posted.

Flaws In ZRTPCPP Library, Used In Secure Phone Apps

Comments Filter:
  • by msauve (701917) on Sunday June 30, 2013 @03:36PM (#44148715)
    Now the NSA will have to go to Plan B.
  • Nothing on an Android or iPhone device is ever secure; it's too easy for the NSA or other organizations to install Trojan horses. And installing a crypto app from the market is like painting a red bulls eye on your phone.

    • by gl4ss (559668)

      Nothing on an Android or iPhone device is ever secure; it's too easy for the NSA or other organizations to install Trojan horses. And installing a crypto app from the market is like painting a red bulls eye on your phone.

      well.. that's why everyone should install a crypto app from the market then..

      • well.. that's why everyone should install a crypto app from the market then..

        Simply installing such an app is of little use per se. One must install and use it. It's strongly recommended that it be one of the FOSS apps, as they are less likely to have back doors open to the NSA or other malefactors.

        • by adolf (21054)

          It's strongly recommended that it be one of the FOSS apps, as they are less likely to have back doors open to the NSA or other malefactors.

          I'm not willing to accept the notion that the device itself isn't backdoored by default.

    • Nothing on an Android or iPhone device is ever secure; it's too easy for the NSA or other organizations to install Trojan horses. And installing a crypto app from the market is like painting a red bulls eye on your phone.

      This particular library is GPL'ed and therefore can not be used in iPhone Apps without violating the App Store terms of service agreement. So this library, and therefore your statement based on the vulnerability of this library, doesn't apply to iPhones.

      • by stenvar (2789879)

        That has nothing to do with this library. Apple, Google, and almost any government and telecom can push arbitrary code onto your phone. Android and iPhone are both equally vulnerable. It doesn't matter how Apple runs its markets or how they review their software or how secure their OS may be; if you can't trust the update channel, you can't trust the phone.

        • by tlambert (566799)

          That has nothing to do with this library. Apple, Google, and almost any government and telecom can push arbitrary code onto your phone. Android and iPhone are both equally vulnerable. It doesn't matter how Apple runs its markets or how they review their software or how secure their OS may be; if you can't trust the update channel, you can't trust the phone.

          Sure; but you post is off topic, since we are talking about this library (reread the original title, original summary, and original article, if you are confused). A flaw in this library does not imply an iPhone vulnerability.

          • by stenvar (2789879)

            My post is exactly on-topic: I pointed out that it doesn't matter whether ZRTPCPP is secure or not because both Android and iPhone are intrinsically vulnerable to the attacks that ZRTPCPP is supposed to guard against.

      • by tlhIngan (30335)

        This particular library is GPL'ed and therefore can not be used in iPhone Apps without violating the App Store terms of service agreement. So this library, and therefore your statement based on the vulnerability of this library, doesn't apply to iPhones.

        Not necessarily. The GPLv2 is perfectly compatible with the App Store in all its terms. The only thing is the App Store requires that if you use anything that's not of your copyright, you are licensed to use it. Since the GPLv2 allows it as long as you provi

    • Nothing on an Android or iPhone device is ever secure; it's too easy for the NSA or other organizations to install Trojan horses. And installing a crypto app from the market is like painting a red bulls eye on your phone.

      Any door can be broken down with enough force and putting a lock on it is like painting a red bulls eye for burglars. Better to not install a lock on the front of your home or put an alarm in your car.

    • by BitZtream (692029)

      So? Slashvertising doesn't mean anyone actually cares that you too can copy and paste something someone else wrote to a website.

  • When the phone company, the NSA, the FBI, and any of their contractors can literally climb into your phone at will and change anything they want to change? Heck, has anyone even checked to see if IP forwarding is turned off on these things?

    • by mlw4428 (1029576)
      Android phone w/ Cyanogenmod & an encrypted VoIP behind a firewalled, logged WIFI connection on a tablet without a phone radio would make it next to impossible to not be caught.
  • by Coppit (2441)

    First he shoots a poor kid during his neighborhood watch, then writes a library with security vulnerabilities? Sheesh.

% APL is a natural extension of assembler language programming; ...and is best for educational purposes. -- A. Perlis

Working...