Mobile encryption - TOP10 mobile anti-PRISM applications. Protection against eavesdropping on mobile phone conversations

In June last year, a scandal broke out in Ukraine around the mobile operator MTS-Ukraine, related to the illegal “wiretapping” of telephone conversations of Ukrainian subscribers. As it turned out, the MTS-Ukraine network suffered an unprecedented hack. Using a vulnerability in the GSM protocol, FSB agents switched some of the operator’s subscribers to a server owned by the Russian subsidiary of Tele2. As a result, communications of Ukrainian MTS subscribers were available to Russian intelligence services.

In addition, just yesterday, Kyivstar turned off a segment of the mobile communication network in the part of the Donetsk and Luhansk regions captured by militants. The network was turned off due to abnormal operation that arose for unknown reasons. The press service explained that since part of Donbass is temporarily not controlled by the Ukrainian authorities, there is no possibility of physical control of the network. In other words, Kyivstar specialists suspected physical penetration into the network, that is, an attempt to install wiretapping. It’s not difficult to guess who tried to install it: certainly not homeless people or the bandits who proudly call themselves “militia.” The trail leads all the way to the same place – to the northern neighbor.

Thanks to the revelations of Edward Snowden, we learned that intelligence services wiretapping the phones of even the most senior government leaders is not difficult. And although most subscribers have absolutely nothing to hide (“Do you want to hear how my friends and I drank beer yesterday? So listen, we don’t mind”), sometimes they still want confidentiality. Of course, you are unlikely to be of interest to any intelligence agency (be it the SBU, FSB, NSA or CIA), but caution will not hurt. Moreover, achieving a completely sufficient level of privacy is not at all difficult if you turn to the following applications for smartphones on Android.

Orbot: proxy included with Tor

Orbot is a free proxy server that provides a secure Internet channel for various applications. To encrypt Internet traffic, Orbot uses the anonymous Tor network, which helps protect against online surveillance. As the New York Times reports, “When a connection comes from the Tor network, there is no way to know who or where it was activated from.”

According to experts, Orbot truly creates a completely private connection and is the safest way to surf the web on the Android platform. Orbot redirects the user's encrypted traffic several times through computers around the world, instead of directly connecting, as happens with VPN networks. Of course, traffic delivery in this case takes a little longer, but confidentiality and protection of the user profile are guaranteed.

In universal mode, Orbot can be configured to transparently pass all traffic through Tor. Also, the user can select specific applications whose traffic should be passed through Tor.

Orweb: private web browser

The Orbot proxy server is used in conjunction with other applications, such as Orweb, a private web browser that supports a proxy connection. When used in conjunction with Orbot, the Orweb web browser protects against web traffic analysis by regulatory authorities, blocks cookies, deletes web browsing history and disables Flash for greater security.

ChatSecure: Encryption of chat messages

The free application provides unlimited exchange of encrypted private messages in GoogleChat (GChat), FacebookChat, VKontakte, Yandex, Hyves, Odnoklassniki, StudiVZ, Livejournal and Jabber. The application works on Android, iPhone, Mac, Linux and Windows platforms.

OTR encryption is used to protect messages. As a result, no one will be able to intercept or view your messages. It's worth noting, however, that all of these security measures only work if your interlocutors are using a compatible OTR client, such as ChatSecure, Adium or Pidgin.

Ostel: encryption of telephone conversations

The free Ostel utility is designed for full end-to-end encryption of phone calls. This public test application of the Open Secure Telephony Network (OSTN) project aims to promote free, open protocols, standards and software designed for secure voice communications on mobile devices and desktop computers. The utility is fully integrated with the CSipSimple application for Android. The OSTN Setup Wizard is included. To make calls, just enter your name, password and ostel.co!

DuckDuckGo: Safe Search

According to the developers, the DuckDuckGo search service does not collect user information at all. The app provides true privacy, no matter what you're trying to find.

The smart search feature helps you quickly find what you're looking for. For this, instant responses from hundreds of sources are used, as well as requests to thousands of other sites.

CSipSimple: VOIP telephony encryption

CSipSimple is a free open-source SIP client for Android that provides end-to-end encryption using TLS for SIP and SRTP/ZRTP for media. It features easy setup, the ability to record calls, and an attractive interface.

TextSecure: SMS protection

The utility, developed by Whisper Systems programmers, provides reliable encryption of SMS text messages. It goes without saying that both subscribers conducting SMS correspondence must install this program on their Android smartphones.

K-9 and APG: Email Encryption

The open-source K-9 Mail application is based on a built-in utility for working with email on the Android platform. The project allows you to simplify the management of various accounts and large volumes of email, and also supports OpenPGP encryption when using Android Privacy Guard.

PixelKnot: steganography

Steganography involves the hidden transmission of information by keeping the very fact of transmission secret. A secret message can be hidden in a graphic image, and no one around will guess that this is not just a picture, but a “container with a secret.”

NoteCipher: secure DBMS

The free NoteCipher app is an easy-to-use notebook that stores encrypted notes in the SQLCipher for Android DBMS. All records created and saved using this application are encrypted using a powerful industrial algorithm - 256-bit AES. Moreover, NoteCipher never writes information to disk in clear text; when working with records, they are held in decrypted form only in RAM.

About the bill that was supposed to prohibit officials from using uncertified mobile devices since, according to the author of the bill, they pose a threat to national security. Of course! If the American intelligence services knew what our deputies were talking about, they would understand that they would never defeat our country! After all, if we somehow manage to develop with elected officials like these, what will happen to us if adequate people come to the State Duma?..

Last time I looked at various alternatives to the usual iPhones, but they all have one thing in common - you need to give up your usual phone and switch to a new device, or carry a second one with you specifically for confidential conversations. Is this convenient? Of course not. That's why, at the very end of the last note, I suggested that no one will voluntarily give up their Vertu and iPhone. And then the other day journalists asked me a question - have I heard about Russian headsets for mobile devices that encrypt voice traffic starting immediately from the headset?.. I haven’t heard, but I started digging. Actually, brief results of my digging (without claims to completeness).

So, if we discard the option of ensuring confidentiality on the phone itself (too much dependence on the version of the mobile OS and platform) and using a special telephone device (inconvenient), then we are left with two options for solving the problem:

  • encrypt in the headset itself
  • encrypt in the “layer”, an intermediate crypto-module between the headset and the phone.

Journalists also told me about the first option, mentioning Ruselectronics, which should flood the Russian market with specialized headsets with built-in encryption. But no matter how I searched, I never found a company that was already producing such devices. I thought that this might be the Tula OKB "Oktava", which specializes in producing headsets for security forces, special services, the Ministry of Emergency Situations, etc., but I didn’t find anything related to cryptography from them. There was also a statement from Ruselectronics about the release of cryptomodules for YotaPhone, but it has little to do with headsets - it clearly depends on the platform of the device.

Basically, modern headsets, such as Plantronics or Jabra, encrypt the voice from the microphone to the computer (or other device to which the headset is connected) using the 128-bit E0 algorithm, which is part of the Bluetooth protocol. But this option does not protect the voice connection from subscriber to subscriber. Rather, this is a solution for protecting the wireless connection from the headset to the computer or phone, between which there can be up to 100-120 meters. It is logical to assume that such a channel, in its unprotected version, is easily eavesdropped and therefore requires protection.

I didn’t find any more cryptographic information protection built into headsets. But I found several implementations of the second solution I mentioned. For example, TopSec Mobile from Rohde & Schwarz.

This is a hardware device that does not depend on the model of phone or computer it is connected to. Negotiations are conducted either through the TopSec Mobile itself, brought to the mouth during a conversation, or through a headset connected to the crypto module. The only disadvantage of this approach is the presence of a dedicated call management server between subscribers registered on the server. But this is a necessary condition for building distributed interaction systems.


The second device I found was the “GUARD Bluetooth” scrambler from the domestic company LOGOS. Original Soviet device. There is no design as such. The headset is tightly “sewn” into the device and can only be replaced together with the device. But the protection of conversations is guaranteed - the device connects via Bluetooth to a transmitter - a computer or phone (not a word is said about protecting the Bluetooth channel using E0). I haven’t tested the device, but you can find a review of it online. The appearance of "GUARD Bluetooth" in comparison with the same TopSec Mobile gives a very good idea of how domestic and Western cryptographic information protection tools compare (in appearance, in ease of use, and in functionality). But this device does not require any external server to operate - point-to-point operation is possible.

The last solution I'd like to look at is IndependenceKey, which aims to protect various types of interactions between users. Among the protected types of communication is voice communication. However, this device is a kind of intermediate option between an independent crypto module and security software. In particular, a headset is connected to the IndependenceKey module, from which the voice is transmitted, encrypted in the module, but then it goes to software installed on a personal computer, where IndependenceKey is inserted into the USB connector. Connecting it to your phone will be problematic.

These are the solutions. True, none of them are certified, and it is unlikely that they will be. Maybe Ruselectronics will please you with something interesting in the near future?..

RedPhone is a mobile application for Android that allows you to make encrypted voice calls over Wi-Fi or the mobile Internet using regular phone numbers. RedPhone only encrypts calls between two RedPhone users or between RedPhone and Signal users.

You can call other RedPhone users from the app itself or using the stock Android dialer. RedPhone will automatically prompt you to switch to an encrypted call.

Installing RedPhone

Download and install RedPhone

On your Android phone, launch Google Play store and search for "RedPhone". Select the "RedPhone::Secure Calls" application.

Why can't I download RedPhone without registering on Google Play?

Many would prefer to download RedPhone from sources not associated with Google's Google Play service: there is less risk of substitution or data collection by third parties. Unfortunately, today developers use part of Google's infrastructure to update software and send push messages. The position of the developers (using the example of TextSecure) is outlined here.

Click "Install" and accept the "Terms of Use" by clicking "Accept". The program will be automatically downloaded and installed.

Register your mobile number

After the installation is complete, open the RedPhone program. You will be asked to register your mobile phone number.

Once you complete your phone number registration, RedPhone will send you a verification code via SMS. This way the program can make sure that the number really belongs to you. When prompted, enter the code you received. You have successfully installed RedPhone and are ready to make encrypted calls!

Using RedPhone

To use RedPhone for calls, the person you want to call must also have RedPhone (or Signal) installed on their mobile phone. If you try to call a person who does not have a RedPhone, the program will offer to send an SMS invitation to the interlocutors to use the RedPhone service, but you will not (yet) be able to call from RedPhone.

When you call another RedPhone or Signal user (using the standard dialer or from the app), the program will suggest a random pair of words. This pair will allow you to verify the authenticity of the interlocutor and his keys (key verification).

The most reliable way to verify the identity of the caller is to use the mentioned pair of words and another communication channel. You can read the words out loud if you know the voice of the interlocutor, but keep in mind that some sophisticated attackers are able to fake the voice. The spoken and written pairs of words must match.
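The word-pair check described above, as an added example that is not RedPhone's own code: both sides derive two words from the key they negotiated, and a relay that substitutes its own key toward each side makes the pairs differ. The toy Diffie-Hellman group, the constructed 256-word vocabulary and all function names are assumptions, and real protocols add a commitment step that is omitted here.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (assumption, not RedPhone's parameters).
P = 2**255 - 19
G = 2

# Constructed 256-word vocabulary: 16 onsets x 16 endings, one word per byte value.
ONSETS = "b d f g h j k l m n p r s t v z".split()
ENDINGS = "ab ek im on ul ar es it od un al en ir os ut ay".split()


def word(byte):
    """Map one byte (0-255) to a pronounceable constructed word."""
    return ONSETS[byte >> 4] + ENDINGS[byte & 0x0F]


def keypair():
    """Fresh private exponent and the matching public value."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def sas_words(my_private, caller_public, callee_public, i_am_caller):
    """Words this side displays: a hash of the negotiated key and the public values it saw."""
    peer_public = callee_public if i_am_caller else caller_public
    shared = pow(peer_public, my_private, P)
    material = b"".join(n.to_bytes(32, "big")
                        for n in (shared, caller_public, callee_public))
    digest = hashlib.sha256(material).digest()
    return word(digest[0]), word(digest[1])


def direct_call():
    """Both parties exchange public values with each other; returns (caller words, callee words)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (sas_words(a_priv, a_pub, b_pub, True),
            sas_words(b_priv, a_pub, b_pub, False))


def relayed_call():
    """A relay in the path has replaced each side's public value with its own."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _, relay_pub = keypair()
    caller_view = sas_words(a_priv, a_pub, relay_pub, True)    # caller negotiated with the relay
    callee_view = sas_words(b_priv, relay_pub, b_pub, False)   # callee negotiated with the relay
    return caller_view, callee_view


def keys_verified(words_read_aloud, words_on_my_screen):
    """The comparison the two users perform by voice or over a second channel."""
    return words_read_aloud == words_on_my_screen


if __name__ == "__main__":
    caller, callee = direct_call()
    print("direct :", caller, callee, keys_verified(caller, callee))
    caller, callee = relayed_call()
    print("relayed:", caller, callee, keys_verified(caller, callee))
```

With only two words (16 bits) a mismatch is overwhelmingly likely but not guaranteed, which is why the comparison has to be done on every call rather than once.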

In today's world it is very difficult to be confident in privacy. Interception and wiretapping of telephone calls have become commonplace, no matter how unpleasant it may sound. Your mobile conversations can be listened to by intelligence agencies, fraudsters, employers, business competitors, etc. Therefore, more and more people are thinking about encrypting their telephone conversations. Especially if important confidential information is transmitted over the phone.

Encrypting a telephone conversation: what options are there?

Currently, there are several popular ways to protect yourself from telephone wiretapping. Using some techniques, you can encrypt mobile calls on iPhone, Android and other popular gadgets. The options are specialized programs, special devices (scramblers) and crypto phones. Let's look at each of the options listed in more detail.

Conversation encryption program

This method is convenient and universal, since you only need to install a special application on your phone. In this case, you can equally successfully encrypt Android calls, encrypt iPhone calls or other popular devices. As a rule, this does not reduce the functionality of the phone, and encrypted calls will be available to any other mobile phones.

Scrambler

A scrambler is a special encryption device that is attached to a cell phone. For example, you can implement conversation encryption on Android devices. At the same time, using a scrambler allows you to protect against wiretapping quite effectively, but it has a significant disadvantage. Namely: you will be able to talk over a secure line only with a subscriber who has a scrambler with the same encryption algorithm.

Crypto phone

Alas, we are talking about a special telephone set, which is usually not cheap. Here, as a rule, there are two fundamentally different ways to create a safe line. The first involves encrypted communication only between subscribers with similar devices. The second method is more functional, but not so reliable: the conversation is carried out over a secure Internet line, and you can talk to any subscribers.

Protection against GSM signal interception

I recommend watching an interesting video from Positive Technologies! You will learn how attacks on GSM networks occur with the substitution of a base station for a virtual one (“man in the middle”, or MITM, attacks), how hacker equipment works and what signs can be used to detect a fake station.

Summary

All kinds of ways to wiretap conversations create certain threats to our privacy. If you don't take information security issues seriously enough, there is always a risk of becoming a victim of scammers or various ill-wishers. However, there are means of protection against these threats that allow you to calmly talk and exchange information over the phone. You just need to adequately assess your needs and choose the appropriate method for encrypting your telephone conversations.

When people talk about the risks of using smartphones, they first of all mention malware and the loss (theft) of a smartphone. But there is also the threat of eavesdropping on your smartphone and even unauthorized recording of information from the microphone of your smartphone during a meeting. And few people think that in our time a very dangerous threat is the fabrication of compromising material spoken in your voice.

Modern technical means provide remote activation of the microphone and camera of the phone, which leads to unauthorized wiretapping of conversations and unauthorized photo and video recording. It is possible to isolate the harmonics of a microphone signal from a mobile phone antenna and intercept them before the signal is received by the nearest GSM station. In addition, contactless communication and hacking in the immediate vicinity of mobile phones equipped with NFC (Near Field Communication) modules pose risks.

False base stations

A special device called an “IMSI trap” (more commonly known as an IMSI catcher; IMSI stands for International Mobile Subscriber Identity, a unique identifier stored on the SIM card) pretends to be a real cellular network base station for nearby mobile phones. This kind of trick is possible because in the GSM standard, a mobile phone is required to authenticate itself at the request of the network, but the network itself (base station) does not have to confirm its authenticity to the phone. Once the mobile phone accepts the IMSI trap as its base station, it can deactivate the subscriber's encryption feature and work with the normal clear signal, passing it on to the real base station.
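The one-sided authentication described above, as an added example that is not part of the original article: a handset model that answers any GSM-style challenge, next to a variant that first demands proof that the station knows the subscriber key. HMAC-SHA256 stands in for the operator's A3, and `network_token`, the class names and the test IMSI are assumptions made for this illustration.

```python
import hashlib
import hmac
import os


def a3_sres(ki, rand):
    """Stand-in for A3 (assumption): 32-bit signed response computed from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def network_token(ki, rand):
    """Hypothetical proof of network identity: a MAC over RAND under the same Ki."""
    return hmac.new(ki, b"NET" + rand, hashlib.sha256).digest()[:8]


class Handset:
    def __init__(self, ki):
        self.ki = ki  # subscriber key stored on the SIM

    def gsm_answer(self, rand):
        # GSM-style: the challenge carries nothing the phone can check,
        # so every station that asks receives a valid response.
        return a3_sres(self.ki, rand)

    def mutual_answer(self, rand, token):
        # Mutual-style: respond only if the station proves it holds Ki.
        if not hmac.compare_digest(token, network_token(self.ki, rand)):
            return None
        return a3_sres(self.ki, rand)


class Station:
    def __init__(self, subscriber_keys):
        self.subscriber_keys = subscriber_keys  # IMSI -> Ki; empty if not the operator

    def challenge(self, imsi):
        rand = os.urandom(16)
        ki = self.subscriber_keys.get(imsi)
        # Without Ki the station can only send an arbitrary token.
        token = network_token(ki, rand) if ki else os.urandom(8)
        return rand, token


def attach(handset, station, imsi, mutual):
    """Return True if the handset ends up answering this station's challenge."""
    rand, token = station.challenge(imsi)
    if mutual:
        sres = handset.mutual_answer(rand, token)
    else:
        sres = handset.gsm_answer(rand)
    return sres is not None


def demo():
    imsi, ki = "001010000000001", os.urandom(16)  # constructed test IMSI and key
    phone = Handset(ki)
    operator = Station({imsi: ki})
    unknown = Station({})  # a station that does not hold the subscriber key
    return {
        "gsm_operator": attach(phone, operator, imsi, mutual=False),
        "gsm_unknown": attach(phone, unknown, imsi, mutual=False),
        "mutual_operator": attach(phone, operator, imsi, mutual=True),
        "mutual_unknown": attach(phone, unknown, imsi, mutual=True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16} handset answered: {accepted}")
```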

Today this trick is successfully used by the American police. According to The Wall Street Journal, the US Department of Justice is collecting data from thousands of American citizens' mobile phones through devices that imitate cell towers. These devices, known as dirtboxes, are carried on board Cessna aircraft and are designed to catch people suspected of committing crimes. According to sources familiar with the project, this program has been in service with the U.S. Marshals Service since 2007 and covers most of the country's population.

The 60-centimeter dirtboxes imitate the cell towers of major telecommunications companies and “lure out” the unique registration data of mobile phones. The device's technology allows the operator to collect identification and geolocation information from tens of thousands of mobile phones in just one Cessna flight. However, even the presence of an encryption function on the phone will not prevent this process.

Moreover, with the help of IMSI traps, false calls or SMS can be sent to the phone, for example, with information about a new service of a false operator, which may contain the activation code for the mobile phone microphone. It is very difficult to determine that a mobile phone in standby mode has its microphone turned on, and an attacker can easily hear and record not only conversations on the phone, but also conversations in the room where the mobile phone is located.

Encryption in GSM networks does not help protect communications from interception. Therefore, you need to think in advance about the protection of sent text messages (SMS, various IM messengers) and email messages.

You can record conversations in different ways. So, today there are Trojans that record conversations from the microphone of your PC and images from its video camera. And tomorrow? Tomorrow, I think, corresponding Trojans will appear for smartphones. Fantastic? Not at all.

It is very difficult to protect yourself from eavesdropping devices using software. And if on a PC you can still hope that you don’t have a Trojan, then on a smartphone... And especially indoors... I wouldn’t.

Run outside and talk there? Where is the guarantee that you are not being hunted using a directional microphone?

Today, many executives' favorite smartphone is the iPhone. But do not forget that a very popular way of wiretapping is to give the “victim” a smartphone with pre-configured spyware. Modern smartphones offer many tools for recording conversations and text messages, and it is very easy to hide spyware on the system. Especially if you purchased a so-called reflashed smartphone. The iPhone generally allows you to record everything that happens and upload the resulting archive through built-in services. Agree, a godsend for a spy.

What to do? But this is already a question. The increasingly widespread encryption systems for voice, SMS and e-mail will come to the rescue. And if encryption of e-mail, files, hard drives and other media (flash drives, smartphones, tablets) has been discussed more than once, then encryption of telephone conversations is most often still a novelty.

Encryption problem in GSM networks

When the GSM communication standard was created, it was believed that it was almost impossible to listen to someone else's conversation on GSM networks. At one time, James Moran, director of the unit responsible for the security and protection of the system from fraud at the GSM consortium, stated: “No one in the world has demonstrated the ability to intercept calls on the GSM network. This is a fact... As far as we know, there is no equipment capable of carrying out such an interception.” But is this really true? After all, the main disadvantage of cellular communications, like any radio communication, is the transmission of data via wireless communication channels. The only way to prevent information extraction is to encrypt the data.

The basis of the GSM security system is three secret algorithms, which are disclosed only to equipment suppliers, telecom operators, etc. A3 - authorization algorithm that protects the phone from cloning; A8 is a utility algorithm that generates a cryptokey based on the output of algorithm A3; A5 is an encryption algorithm for digitized speech to ensure confidentiality of negotiations.

Today, two versions of the A5 algorithm are used in GSM networks: A5/1 and A5/2. This division was made possible due to export restrictions on the length of the encryption key in America. As a result, in Western Europe and the USA the A5/1 algorithm is used, and in other countries, including Russia, the A5/2 algorithm is used. Despite the fact that the A5 algorithms were classified, by 1994 their details became known. Today, almost everything is known about GSM encryption algorithms.

A5 implements a stream cipher based on three linear feedback shift registers with irregular clocking. This cipher has proven itself to be very stable with large register sizes and was used for some time in military communications. A5 uses registers of 19, 22 and 23 bits, which together give a 64-bit key. Despite the fact that the key length is small, even quite powerful computers cannot crack it “on the fly” (and this is required by the task of wiretapping), i.e., with proper implementation, the GSM communication protocol can have good practical protection.

But! Back in 1992, Order No. 226 of the Ministry of Communications “On the use of communication means to support operational investigative activities of the Ministry of Security of the Russian Federation” established the requirement to ensure full control over subscribers of any means of communication (including mobile). Apparently, this is why in a 64-bit key 10 bits are simply replaced with zeros. In addition, due to numerous design defects, the strength of the cipher is at the 40-bit level, which can easily be broken by any modern computer in a couple of seconds.
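The register layout and the zeroed key bits described above, as an added example (not code from the article): an A5/1 keystream generator following the publicly documented design, showing that keys differing only in the ten zeroed bits produce the same keystream. The tap and clocking positions come from the public description rather than this page; treating the lowest ten bits as the zeroed ones, and the sample key and frame number, are assumptions.

```python
# (length in bits, feedback tap positions, clocking bit) for registers R1, R2, R3
REGISTERS = (
    (19, (18, 17, 16, 13), 8),
    (22, (21, 20), 10),
    (23, (22, 21, 20, 7), 10),
)
KEY_BITS = sum(length for length, _, _ in REGISTERS)  # 19 + 22 + 23 = 64
FRAME_BITS = 22    # frame number mixed in after the key
ZEROED_BITS = 10   # from the text; which ten bits is an assumption (lowest ten here)


def _step(reg, length, taps):
    """Shift one register left by one bit, feeding back the XOR of its taps."""
    feedback = 0
    for tap in taps:
        feedback ^= (reg >> tap) & 1
    return ((reg << 1) & ((1 << length) - 1)) | feedback


def _clock_all(regs):
    """Regular clocking, used while the key and frame number are loaded."""
    return [_step(r, n, taps) for r, (n, taps, _) in zip(regs, REGISTERS)]


def _clock_majority(regs):
    """Irregular clocking: only registers whose clocking bit agrees with the majority move."""
    bits = [(r >> c) & 1 for r, (_, _, c) in zip(regs, REGISTERS)]
    majority = int(sum(bits) >= 2)
    return [_step(r, n, taps) if b == majority else r
            for r, b, (n, taps, _) in zip(regs, bits, REGISTERS)]


def keystream(key, frame, nbits=114):
    """Return nbits of keystream for a 64-bit integer key (bit 0 loaded first) and frame number."""
    regs = [0, 0, 0]
    for value, width in ((key, KEY_BITS), (frame, FRAME_BITS)):
        for i in range(width):
            regs = _clock_all(regs)
            bit = (value >> i) & 1
            regs = [r ^ bit for r in regs]
    for _ in range(100):  # mixing rounds whose output is discarded
        regs = _clock_majority(regs)
    out = []
    for _ in range(nbits):
        regs = _clock_majority(regs)
        bit = 0
        for r, (n, _, _) in zip(regs, REGISTERS):
            bit ^= (r >> (n - 1)) & 1  # output is the XOR of the three top bits
        out.append(bit)
    return out


def weaken(key):
    """Replace the assumed ten key bits with zeros, as the text describes."""
    return key & ((1 << KEY_BITS) - 1) & ~((1 << ZEROED_BITS) - 1)


def demo():
    key, frame = 0x0123456789ABCDEF, 0x134  # constructed sample values
    variants = [weaken(key) | low for low in (0, 1, 0x3FF)]  # differ only in the low ten bits
    full = {tuple(keystream(k, frame)) for k in variants}
    weakened = {tuple(keystream(weaken(k), frame)) for k in variants}
    return {
        "effective_key_bits": KEY_BITS - ZEROED_BITS,
        "keys_per_weakened_key": 2 ** ZEROED_BITS,
        "distinct_full_keystreams": len(full),
        "distinct_weakened_keystreams": len(weakened),
    }


if __name__ == "__main__":
    print(demo())
```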

Thus, we see that the possibility of listening to any subscriber in GSM networks is not only a reality, but also a norm, a law (in addition to listening, there is an indulgence for determining location, fixing a number and many other “services”).

And the answer to the question of whether it is possible to listen to a GSM network subscriber has been found. Today, there are many programs available on the Internet for hacking the security of GSM communication protocols, using different methods. However, it is worth considering that in order to decrypt, you must first intercept the corresponding signal. There are already about 20 popular types of equipment for listening to traffic in GSM networks in the world.

Falsifying the speech of subscribers with the aim of compromising them

Not only can you be listened to. Your voice can simply be faked by forming sentences that you never spoke. It is extremely difficult to prove later that it is not you. Thus, American scientists from the AT&T laboratory have developed a completely new technology for synthesizing human voices. The program can speak in any voice, based on its preliminary recording. In addition, it copies the intonation and characteristic pronunciation features of the model. The creation of each new synthesized voice takes from 10 to 40 hours. First, the person whose voice they want to convert into computer form is recorded. The voice is then digitized and analyzed. The results are input to the speech synthesis program. The program in its general form is intended to work in call centers as part of text-to-speech software, as well as in automated voice news feeds. And who prevents such software from being used to compromise this or that user? Nobody!

What to do? Again, encryption systems will come to the rescue.

Software encryption. In fact, encryption of telephone conversations most often comes down to the transmission of voice traffic over the Internet in the form of encrypted traffic. Most often, encryption is carried out programmatically using the resources of your smartphone.

Despite the fact that the software method has a number of advantages, it also has a number of disadvantages, which, in my opinion, significantly exceed its advantages.

Advantages of software encryption:

1. ease of installation;

2. use of one smartphone.

Disadvantages:

1. you need a fairly powerful smartphone to cope with encryption and decryption of the voice stream;

2. the additional load on the processor drains the battery faster, and since few smartphones today can work for more than a day in talk mode, you will have to charge your smartphone constantly;

3. risks of using malware;

4. the need to completely irrecoverably erase data on a smartphone before replacing it. In some cases, this is only possible in a service center;

5. slower stream encryption compared to hardware implementation;

6. needs a 3G or higher speed connection, otherwise the quality of the decrypted voice signal drops significantly.

Hardware encryption. At the same time, I would like to note that currently there are already hardware encryptors that are connected via Bluetooth to your phone (in this case, not only a smartphone, but any mobile phone can be used, even without an operating system, the main thing is that it provides a stable connection via Bluetooth).

In this case, the speech is encrypted and decrypted in the corresponding hardware module. Encrypted data is transmitted via Bluetooth to the subscriber's mobile phone and then through the GSM network of the cellular operator to another subscriber. Encryption directly in the hardware module eliminates the interception of unencrypted speech and the possibility of information leakage due to the fault of the cellular operator. Hardware encryptors are invulnerable to malware because they run their own unique OS.

The encrypted speech is transmitted through the GSM network of the cellular operator to the mobile phone of the second subscriber and then via Bluetooth to his encryptor, where decryption occurs. Only the subscriber with whom the conversation is taking place can decrypt the speech, since each subscriber has its own encryption key for communication.

Naturally, this makes speech interception difficult. Moreover, even if the microphone of your smartphone is turned on without authorization by an external attacker, the hardware encoder also has a microphone suppression function, and the attacker will simply hear white noise instead of a conversation.

Advantages of hardware encryption:

  1. performance;
  2. immunity to malware attacks;
  3. it is impossible to pick up speech signals from a smartphone’s microphone, since during operation the microphone only intercepts white noise generated by the hardware encoder;
  4. does not require smartphone resources, and therefore does not affect its discharge.

Disadvantages:

  1. you will have to carry two devices in your pocket (the smartphone itself and the encoder);
  2. higher price of hardware encryption compared to software.

The conclusion that can be drawn is: if you have something to hide, and we all have something to hide, you need to either remain silent and not enjoy the benefits of civilization, or think in advance about the possible risks associated with communication.

What type of encryption (software or hardware) you choose is up to you. But this must be decided absolutely consciously.