By John E. Dunn
27 January 10
Most voice encryption systems can be tapped in minutes by installing a
voice-recording Trojan on the target computer, a security researcher has
confirmed after testing a range of well-known products.
Although this type of attack has been known about for some time, the
scale of the issue uncovered by researcher 'Notrax' is still surprising.
In all, the unnamed engineer was able to intercept calls made using
twelve popular encryption programs and hardware systems using an easily
available $100 wiretapping utility called FlexiSPY. This tapped the
voice stream in real time before any encryption was applied to the data.
The researcher then refined the principle of FlexiSPY into a
custom-written Trojan that could record both the microphone and speaker
and capture any conversation into a file for retrieval later on.
Crucially, both attacks were able to carry out their work undetected by
suppressing all rings, notifications and call logs.
Programs and hardware systems beaten included Zfone/ZRTP, Secure Voice,
Caspertech, and even the well-regarded GSM handset security system from
UK company Cellcrypt. Only three products resisted the simple attack, an
unnamed Rohde & Schwarz Bluetooth device, PhoneCrypt from German company
SecurStar, and a hardware product from SnapCell.
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News