As if it wasn’t already bad enough that our own National Security Agency (NSA) is collecting everything digital that we produce online (e.g., emails; SMS; metadata; Facebook posts), now German researchers have discovered a flaw that could let anyone listen to your mobile phone calls!
From the Washington Post article:
German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.
The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.
While the German researchers didn’t analyze U.S. mobile carriers (though they did call out the German-owned T-Mobile USA as one that is vulnerable), the article did point out that simply encrypting one’s communications may not be enough: “Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption.”
This is especially true since the NSA has their $2 billion digital collection and analysis facility in Utah where they are archiving the encrypted communications and files they’re gathering with their mass surveillance and can’t yet crack…until they get their new quantum computers online, no doubt.
With obviously zero awareness of the irony, the NSA has this page touting their Utah facility and in it is a photo of their sign, welcoming visitors. It says, “Welcome to the Utah Data Center. If you have nothing to hide, you have nothing to fear.” A bogus argument, at best.
Fortunately there is no shortage of ways to keep your voice communications private and secure, at least until they can be cracked quickly and there are actual, warrant-based reasons to decrypt some person’s encrypted communications. You will need them until the mobile phone providers implement truly secure, end-to-end encryption for voice, and not like what Verizon did when it put an NSA-friendly ‘backdoor’ in its new Voice Cypher app.
While one sweeping problem is the NSA collecting everything (both encrypted and unencrypted), it goes way beyond that because of what those German researchers found, which is worth repeating: anyone with the requisite skills and resources can hack the mobile networks and eavesdrop on (or record) mobile calls.
So how do you stay safe?
PROJECTS
There are a number of projects working on end-to-end encryption for voice calls. The two that stand out are the Zfone Project and the Guardian Project.
The former is led by Phil Zimmermann, the guy who created the world’s top email encryption, Pretty Good Privacy. The latter has delivered a phone app integration called Ostel, which works with apps for Android, iPhone, Blackberry, Nokia, Windows, Mac OS X and GNU/Linux. Read more about its app integration here. While still not as straightforward to implement as it would be if end-to-end encryption for voice were built into the phone, there are some good approaches and apps that should make it easy for you.
APPS & APPROACHES
There is no shortage of apps for both iOS and Android. One that stands out (and one I personally trust) is from a company called Silent Circle, set up by the aforementioned Phil Zimmermann and a team of savvy technologists and cryptologists.
Silent Circle offers two key products you might be interested in if you want secure, end-to-end, encrypted voice calls:
- Silent Phone (iOS and Android): The app is free but requires a Silent Circle encrypted calling plan. The cool thing? Like other app-to-app calling solutions, calling to another subscriber using the app is free (and there is a desktop app too). Otherwise you buy a monthly subscription for a number of “out-of-circle” minutes (so you can call regular phones).
- Silent Circle also has a full, secure, Android-based smartphone called the Blackphone.
Other apps:
- Signal: Free and open source. Can make free encrypted calls to both Signal users and Android users (who are using RedPhone, the free calling app). Note that, unlike Silent Phone, calls can be made or received ONLY to those using Signal or RedPhone. Both use Wi-Fi or data for voice call connections.
- Acrobits Softphone for iOS and Android: $6.99 plus $24.99 for secure calls and another $9.99 if you want the best audio codec. Requires a SIP account, such as one from Anveo (plans), Phonepower, or RingTo, and many, many others.
- Groundwire for iOS: $9.99 plus $24.99 for secure calls and another $9.99 if you want the best audio codec. Requires a SIP account, such as one from Anveo (plans), Phonepower, or RingTo, and many, many others.
While many journalists, security bloggers and social media users seem tickled that FBI director James Comey came out with his deep concern that the new iOS 8-based iPhone 6 was encrypting emails, pictures and contacts, making it ‘impossible’ for law enforcement to gain access, there might be more to it than it appears. It is highly likely this is all “theater” to help Apple be positioned to sell in countries like China, which threatened to block sales of the new phone due to the ‘threat’ to their national security, and China’s (and other countries’) concerns have nothing to do with voice. It is highly doubtful any U.S.-based, mainstream maker of mobile phones or devices will implement end-to-end voice encryption. So you’re on your own... for now.
Good luck out there. Stay safe and secure.