Secure VoIP Wasn’t: ZRTP Flaws (and Snowden updates)

The most widely used library implementing the “secure voice-over-IP” protocol ZRTP had a flaw… allowing anyone on the wire to upload malicious software onto your phone.

Not only could an eavesdropper use it to bypass the encryption on your phone call, they could just swipe everything else on your personal tracking device while they were at it.

Fortunately, not only has the flaw been fixed, but it’s unlikely it was ever used in practice. Many/most smartphones include this particular bug… as a hidden “feature.”

(ZRTP on the desktop is sadly not so widely used, at least the last time I checked.)

Snowden updates: The Naked Skiing Association does have “direct access” to those pesky central servers… courtesy the FBI’s taps in all the central server rooms.[1] Also, evidently Snowden can’t leave Russia because the Russians won’t let him.[2] Now he’s applied for asylum in 15 different countries besides Ecuador — possibly including Russia, but later reports denied this. Putin then said Snowden is welcome to stay in Russia… as long has he stops the leaks! [3]

a) Getting Snowden stuck in Moscow may indeed have been the US’ goal all along.

b) There could be some REALLY interesting leaks in the pipeline and/or set to drop if Snowden gets arrested/killed. All the stuff released so far isn’t overly surprising, and likely not really news at all to the Russians… but there may well be things that so far only the US, Russia, and other perhaps a handful of other highly advanced countries have known about (presumably because they invented them separately/stole them from each other/extracted them from similar UFOs/whatever).

[1] [2]

“A security researcher has uncovered a number of serious vulnerabilities in one of the core security components of several secure telephony applications, including the Silent Circle system developed by PGP creator Phil Zimmermann. The vulnerabilities in the GNU ZRTPCPP library already have been addressed in a new version of the library and Silent Circle has implemented a fix, as well.

ZRTPCPP is a library that implements the ZRTP protocol that Zimmermann and others developed to establish secure sessions over a pre-existing connection. Silent Circle, which sells a cryptographically secure mobile phone application, and several other products implement the ZRTPCPP library, and Mark Dowd of Azimuth Security has identified several vulnerabilities in the library that could give an attacker the ability to get remote code execution. Dowd said that the bugs can be exploited by remote, unauthenticated users.”

%d bloggers like this: