
Voice call encryption

Does it really protect your privacy?

“If encryption made a difference, they wouldn’t allow us to use it,” someone said.

Encrypted calls protect you from those who don’t want to (or can’t) listen to your calls, but don’t protect you from those who can listen to your calls – law enforcement, Homeland Security and intelligence agencies. Does this make sense to you? If not, please read on.

Most people think that call encryption is the Holy Grail of secure communications, and it has become mainstream in mobile security software development. Why is that? Because of the 007 movies? Not at all. Because it’s the only product you’ll find in today’s crowded security market. From hardware devices to sophisticated software applications, everyone claims that encrypting your mobile voice calls is the best you can get and there are no other trusted solutions. Unfortunately, encrypted calls offer no real security if you are targeted by (abusive) law enforcement, Homeland Security or intelligence agencies, or, in the worst case, even by a skilled hacker.

You don’t have to trust us. Just google “voice call encryption hack” and you will find tons of articles at a glance.

For those of you who use voice encryption products on cell phones, the last thing you would expect is that they can be easily decrypted and intercepted. You may have paid good money for your application and rely on it for your peace of mind. But what if that security wasn’t as secure as you thought it would be? What if a readily available eavesdropping program and a simple Trojan slipped onto your device could compromise all your calls?

In 2010, blogger, hacker and IT security expert Notrax did just that. For his own safety, we won’t reveal his name. However, Notrax found that 12 commercially available mobile voice encryption products could be intercepted and compromised with a little ingenuity and creativity, as he carefully described on his website.

He tested a total of 15 voice encryption products, 12 of which were “worthless.” It’s easy to purchase the software if it “tells” you the call is secure. But how can you actually be sure it’s secure? Notrax investigated and found that he could break into almost any system in less than 30 minutes.

Secure means that Notrax has not managed to crack their system. It does not mean that someone else would not be able to crack it.

These calls can be intercepted by anyone with basic technical skills or the money for such an endeavor. “Statistics show that government agencies average 50,000 legal wiretaps per year (legal = those requiring a court order; let’s not forget Echelon). Another 150,000 phones are illegally tapped by private investigators, spouses and boyfriends and girlfriends trying to catch a potential fraudster. Another estimate shows that as many as 100,000 corporate and private sector phones are tapped in some form of industrial espionage. It’s happening, and it’s big business.”

SnapCell was secure. It is a private encryption device that plugs into your cell phone, and its makers claim it protects your mobile voice, fax and data communications from eavesdropping and line jamming. SnapCell’s website has been offline since January 21 for unknown reasons.

If you use any of the above voice encryption technologies, you should look for a new solution, such as XCell Stealth Phones. Although these cracked applications are not completely secure, it would take a lot of effort to bypass them. For example, the attacker could load software or a Trojan onto your phone without you noticing. It’s similar to a credit card: as long as you carry it in a safe place, you should be fine for the most part.

How does the government use spyware to bypass call encryption?

Do you think LTE mobile networks are safe? Well, think twice: Hackers are decrypting VoLTE encryption to spy on conversations.

Other disadvantages of voice encryption

Although using encryption to protect your privacy may be a wise decision, this method has its drawbacks as well:

  • Since a cell phone (regardless of brand, operating system, RAM, or chipset) does not have enough processing power to encrypt and decrypt a call locally, voice encryption takes place on third-party servers. This means that the voice encryption app you just installed on your “secure” smartphone acts merely as a connection to the encryption server. As a result, you can use such an app only over a data connection (Wi-Fi, etc.) that reaches outside the phone. The problem is that the server is actually someone else’s computer. You cannot find out who is really hiding behind this server. Some cryptographic device manufacturers have been proven to work covertly with intelligence agencies and interested private companies. Some of them do not even use publicly tested and standardized crypto algorithms (such as Diffie-Hellman, SHA256, AES and Twofish), but use “proprietary” encryption methods that are not available for public evaluation. Several “proprietary” crypto algorithms that have not been publicly tested have proven easy to crack in the past, such as the COMP128 algorithm used for authentication in many GSM networks, so the “proprietary crypto” approach must be considered very risky.

Ultimately, this means you have no real control over your voice calls.

  • Injecting a backdoor into a cryptosystem does not even require the active cooperation of the device or software manufacturer. It only takes one bribed programmer to compromise an entire product.
  • You never know if the encryption solution you are using is actually trustworthy, and there is no reliable way to verify it. Most developers of encryption applications do not make the source code public. There may be (and usually are) backdoors that are used by law enforcement agencies. Sure, you can find source code for some encryption applications, made available to the public by the developers themselves. But unless you are a cryptographer or cryptanalyst, there is no way for you as an average citizen to find out if your encryption application is affected by security vulnerabilities.

There is one master key for all encryption systems

Open sesame: encryption solutions

Would you use an encryption app whose servers are located in, say… North Korea? Probably not, but you need to reconsider your opinion. In short, the more consolidated a democracy is, the easier it is for law enforcement to gain access to encryption servers based on a simple warrant.

That is because consolidated democracies have what we call the rule of law. Since encryption apps were not developed outside of this planet and all encryption servers reside in some country, the government and related institutions have a simple tool called a judge’s warrant that instantly “opens” any “encrypted” server used for so-called “secure” communications.

Yes, it’s a matter of time. But in the end they will get a voice/text copy. Not to mention that the NSA and other similar actors have tools and solutions that effectively bypass any encryption application and are used today to find out what they are looking for in real time.

Using encrypted voice calls could make you look suspicious and draw unwanted attention to you from the very people you are trying to hide from. It’s like a ringing bell attached to your tail. Guess what they will do if you use an encrypted cell phone. For sure, they will use other ways to get the information they need.

They won’t wait to find some security holes in your crypto app, they won’t even try to decrypt it. They will simply bug your home, office and vehicle, spy on your computer, intercept your mail and use covert sources of human intelligence (HUMINT) and whatever it takes to get relevant information about you and your activities.

They can easily bypass the communications protection offered by encrypted phones by simply gathering relevant information from other sources. It’s that simple. Yes, it’s not real-time. But it can come very close.

If you’re targeted by an intelligence agency, encrypting your mobile communications doesn’t mean you’re 100% protected from interception. Think about it: Will they drop you just because you use encrypted communications? No, definitely not… Since you are a challenge to them, they will find other ways to get the information they need.

Sure, for a short time, your secrets will… remain secret. But any decent agency will find security holes at any time and gather information they need about you by any means necessary.

By scrambling your phone calls, you’re letting them know you have something important to hide and inviting agencies to use other ways to gather information.

When using encryption over standard cellular network voice channels (not over a data connection) like the encryption devices attached to your cell phone, the encrypted call is not as… encrypted as you think. Yes, it protects against call eavesdropping by spyware apps installed on your phone, since the phone’s microphone is not used in encrypted calls. But even if you use such a device, the GSM operator or the company running a GSM interceptor can find out quite a lot of information, such as:

  • Both phone numbers involved in the call
  • Call duration, with time stamp
  • Your (phone) location at the time of the call
  • Your geo-location at any time, through some simple and effective triangulation techniques, based on your phone’s IMEI, which cannot be hidden by any encryption app. As soon as you turn on your crypto phone, IMEI and IMSI (if a SIM card is inserted) are sent to the network to connect. There is no need to make a call or send an SMS. This is how all cell phones work, including your crypto phone.

Other proven crypto phone weaknesses:

  • Modern GSM interceptors can selectively and temporarily block any cell phone within their range based on IMEI and/or IMSI values, making that particular crypto phone unavailable for use for as long as they want. This happens when a crypto phone uses a data connection to make encrypted calls/messages.
  • It is well known that cell phone encryption requires a high-speed Internet connection. Many modern GSM eavesdroppers can downgrade your crypto phone connection from 3G/4G to 2G by simply jamming the 3G/4G uplink frequencies, which is a standard practice. This will cause crypto phones that use data connections to fail and become unusable.

Not even well-known encrypted phones are immune to this attack. A few years ago, an average Joe posted a short movie on YouTube demonstrating how a well-known app used for corporate encrypted communications – GoldLock – could be defeated by a cheap commercial spy app called FlexiSpy. Since he had in his hands a phone that already had GoldLock installed, he also installed FlexiSpy on the same phone. He started an encrypted phone conversation with another GoldLock phone. The entire conversation was recorded by FlexiSpy in plain text, as FlexiSpy grabs audio data directly from the microphone before GoldLock encrypts the voice. When the conversation was finished, FlexiSpy automatically sent it over Wi-Fi or a data connection to a server where all files could be listened to via the personal user account. Simple, efficient and embarrassing for a top-notch encryption application. You can run the same test at any time.

For some reason, the video was removed from YouTube, so we can’t post a link. Also, since then, free trial apps from GoldLock are no longer available to avoid similar situations. However, that doesn’t make GoldLock any less effective for home users, as it is by far one of the most secure communication apps.

And yes, the same thing can happen to your “safe” cell phone.

For this reason, voice call encryption is a short-term solution for secure communication. In fact, being predictable is one of the worst choices on the battlefield of intelligence. And using a crypto phone means you are more than predictable.

If you use any voice encryption solution (software or hardware), you’ll never know when your phone is actually being tapped, and as a result, you’ll never know when you’re in real danger. Instead of blind protection from the crypto phone, it is better to know when someone is trying to listen to your calls and when they are trying to locate you.

Only then can you act thoughtfully, make the right decisions, and even influence them through various deception techniques.

This is where XCell Stealth Phones come in, giving you the best of both worlds:

  • Wiretap Detection and Interception. Detecting eavesdropping in real time and at the right time is really different from blind encryption, an advantage that professionals use against… pros.