Most voice encryption systems can be tapped in minutes by installing a voice-recording Trojan on the target computer, a security researcher has confirmed after testing a range of well-known products.
Although this type of attack has been known about for some time, the scale of the issue uncovered by researcher 'Notrax' is still surprising. In all, the unnamed engineer was able to intercept calls made with twelve popular encryption programs and hardware systems using an easily available $100 wiretapping utility called FlexiSPY. This tapped the voice stream in real time before any encryption was applied to the data.
The researcher then refined the principle of FlexiSPY into a custom-written Trojan that could record both the microphone and speaker and capture any conversation into a file for retrieval later on. Crucially, both attacks were able to carry out their work undetected by suppressing all rings, notifications and call logs.
Programs and hardware systems beaten included Zfone/ZRTP, Secure Voice, Caspertech, and even the well-regarded GSM handset security system from UK company Cellcrypt. Only three products resisted the simple attack: an unnamed Rohde & Schwarz Bluetooth device, PhoneCrypt from German company SecurStar, and a hardware product from SnapCell.
"It is easy to take the security at face value when the software told me the call was secured. I decided to dig a little deeper. What I discovered and what I was completely in shock about was I broke almost all of them in less than 30 minutes," says the engineer in an ongoing blog on the tests.
Using a Trojan to get around voice encryption software depends on getting such a program on to a target PC or handset in advance of a call, something that might or might not be difficult to achieve, depending on the PC or device in question. But it is an attack method that companies should know about given that it has been used against the one program not tested by the researcher, Skype.
As long ago as 2006, the Swiss government was reported to be using specially-written Trojans to record phone calls made by criminals using Skype and other VoIP services. The author of this software, Ruben Unteregger, later went public on his work, even going as far as to publish the source code in an attempt to stop his software being used for eavesdropping again.
"Like most security breaches, Notrax went for the weakest link; he did not attempt to crack the encryption itself, but used simple wiretapping techniques," says Wilfried Hafner, CEO at SecurStar, one of the vendors that managed to resist the Trojan attack. PhoneCrypt even threw up a skull and crossbones image when the Trojan tried to access the program's memory-resident service, letting the user know that the call was no longer secure.
Notrax has posted YouTube videos of how the hacks were conducted on specific products.