Flaws In ZRTPCPP Library, Used In Secure Phone Apps 42
Gunkerty Jeb writes "A security researcher has uncovered a number of serious vulnerabilities in one of the core security components of several secure telephony applications, including the Silent Circle system developed by PGP creator Phil Zimmermann. The vulnerabilities in the GNU ZRTPCPP library already have been addressed in a new version of the library and Silent Circle has implemented a fix, as well. ZRTPCPP is a library that implements the ZRTP protocol that Zimmermann and others developed to establish secure sessions over a pre-existing connection. Silent Circle, which sells a cryptographically secure mobile phone application, and several other products implement the ZRTPCPP library, and Mark Dowd of Azimuth Security has identified several vulnerabilities in the library that could give an attacker the ability to get remote code execution. Dowd said that the bugs can be exploited by remote, unauthenticated users."
Drats, foiled again... (Score:3)
Implementation bugs, not protocol bugs (Score:3)
Yes, I'm ignoring your joke; sorry :-)
Fortunately, while these bugs are annoying and may break a number of different programs, they're bugs in the implementation code, not bugs in the communication or crypto protocols themselves. That makes them much more fixable. (Perhaps harder to detect in the field, but fixable.)
why bother? (Score:2)
Nothing on an Android or iPhone device is ever secure; it's too easy for the NSA or other organizations to install Trojan horses. And installing a crypto app from the market is like painting a red bulls eye on your phone.
Re: (Score:3)
Nothing on an Android or iPhone device is ever secure; it's too easy for the NSA or other organizations to install Trojan horses. And installing a crypto app from the market is like painting a red bulls eye on your phone.
well.. that's why everyone should install a crypto app from the market then..
Re: (Score:2)
well.. that's why everyone should install a crypto app from the market then..
Simply installing such an app is of little use per se. One must install and use it. It's strongly recommended that it be one of the FOSS apps, as they are less likely to have back doors open to the NSA or other malefactors.
Re: (Score:2)
I'm not willing to accept the notion that the device itself isn't backdoored by default.
FYI: iPhone not among those vulnerable (Score:2)
Nothing on an Android or iPhone device is ever secure; it's too easy for the NSA or other organizations to install Trojan horses. And installing a crypto app from the market is like painting a red bulls eye on your phone.
This particular library is GPL'ed and therefore can not be used in iPhone Apps without violating the App Store terms of service agreement. So this library, and therefore your statement based on the vulnerability of this library, doesn't apply to iPhones.
Re: (Score:2)
That has nothing to do with this library. Apple, Google, and almost any government and telecom can push arbitrary code onto your phone. Android and iPhone are both equally vulnerable. It doesn't matter how Apple runs its markets or how they review their software or how secure their OS may be; if you can't trust the update channel, you can't trust the phone.
Re: (Score:2)
That has nothing to do with this library. Apple, Google, and almost any government and telecom can push arbitrary code onto your phone. Android and iPhone are both equally vulnerable. It doesn't matter how Apple runs its markets or how they review their software or how secure their OS may be; if you can't trust the update channel, you can't trust the phone.
Sure; but you post is off topic, since we are talking about this library (reread the original title, original summary, and original article, if you are confused). A flaw in this library does not imply an iPhone vulnerability.
Re: (Score:2)
My post is exactly on-topic: I pointed out that it doesn't matter whether ZRTPCPP is secure or not because both Android and iPhone are intrinsically vulnerable to the attacks that ZRTPCPP is supposed to guard against.
Re: (Score:2)
Not necessarily. The GPLv2 is perfectly compatible with the App Store in all its terms. The only thing is the App Store requires that if you use anything that's not of your copyright, you are licensed to use it. Since the GPLv2 allows it as long as you provi
Re: (Score:1)
Nothing on an Android or iPhone device is ever secure; it's too easy for the NSA or other organizations to install Trojan horses. And installing a crypto app from the market is like painting a red bulls eye on your phone.
Any door can be broken down with enough force and putting a lock on it is like painting a red bulls eye for burglars. Better to not install a lock on the front of your home or put an alarm in your car.
Re: (Score:3)
Languages like Ada/Spark and Haskell: Yes. The languages you mention: not really.
Re: (Score:2)
No, Jitsi is in Java and it doesn't use ZRTPCPP. Also there are no buffer overruns there.
Exactly. Java has more than enough vulns to go around without needing a buffer overrun as well.
CVEs assigned (Score:2)
Re: (Score:1)
So? Slashvertising doesn't mean anyone actually cares that you too can copy and paste something someone else wrote to a website.
A secure PHONE application? Funny! (Score:2)
When the phone company, the NSA, the FBI, and any of their contractors can literally climb into your phone at will and change anything they want to change? Heck, has anyone even checked to see if IP forwarding is turned off on these things?
Re: (Score:1)
Great (Score:2)
First he shoots a poor kid during his neighborhood watch, then writes a library with security vulnerabilities? Sheesh.