
SoylentNews is people

posted by janrinok on Tuesday October 06 2015, @03:53AM
from the hello-is-there-anyone-there? dept.

ArsTechnica has an extensive review of the BlackPhone version 2.

You may remember that the first Blackphone was a creation of Phil Zimmermann's secure communications service Silent Circle and the Spanish specialty phone manufacturer Geeksphone. It underwhelmed many in performance and device quality.

A lot has changed in a year. Silent Circle—founded by Phil Zimmermann (creator of PGP), former Entrust Chief Technology Officer Jon Callas (the man behind much of the security in Mac OS X and iOS), and former Navy SEAL and security entrepreneur Mike Janke—bought out Geeksphone and absorbed the joint venture. [They] renamed and rebuilt its Android-based operating system, upgraded the infrastructure of its encrypted voice and text communications network, and built an entirely new hardware platform based on a somewhat more industry-standard chipset.

Pay special attention to the "This is a secure line" topic in the review to gain an understanding of what the Blackphone and Silent Circle can do, and what they can't do.

Silent Circle offers Silent Phone, the encrypted, SIP-based voice and videoconferencing application, and Silent Text, the Jabber-based encrypted "ephemeral" text and file sharing tool.

The service can call both other Silent Circle service users and act as a voice-over-IP connection to the public switched phone network. The main difference is that Silent Circle Phone calls are encrypted peer-to-peer and end-to-end over the network, so the service doesn't hold a key to decrypt the contents.

Ars did limited testing of Silent Circle calls to other Blackphone users:

Sniffing the traffic for both voice and text messaging revealed nothing other than that Silent Circle is now using servers in the Amazon cloud rather than in its own data center. The apps use "pinned" certificates, so attempting an SSL proxy man-in-the-middle was also ineffective.

Obviously calls to other services, or land lines, are not secure once they are bridged to the normal telephone networks.

Clearly this phone is designed for corporate or government users, as the cost is rather high and it requires a Silent Circle subscription in addition to your carrier account. You will need a healthy data plan because so much of the communication is pushed through SIP and Jabber.

Without anyone to talk (securely) to among your circle of friends, this phone will have little appeal to even a security-conscious private user. Companies, journalists, and government workers, on the other hand, might be willing to standardize on this phone for sensitive calls.



Related Stories

Silent Circle Encrypted Phone App Cleared for U.S. Gov't Use

The same government that is fighting against the use of encryption by its citizens has approved use of Silent Circle's app, which allows users to make end-to-end encrypted phone calls from iPhones, iPads, and Android devices:

The certification follows other major software makers, including BlackBerry and Apple, whose software is also allowed to be used for low-level secure work.

[...] The certification may benefit users in government, but it's the same administration that's spent the past year fighting Silicon Valley against encryption.

Some have called for backdoors to be put in encryption, despite calls from the security and academic community saying it would defeat the very point of scrambled data. Others have called on greater cooperation between the US government and tech companies.

Irony much?

Related: Blackphone V2
Security-Conscious Blackphone Found to Have Basic SMS Vulnerability
Silent Circle Blackphone - Out in June for $630 US



  • (Score: 0) by Anonymous Coward on Tuesday October 06 2015, @04:07AM (#245959)

    No full source, why should I believe them? Or do I just believe because it's a paid service, like SpiderOak, i.e. post-purchase rationalization?

    Never trust a computer that someone else has set up for you.

  • (Score: 3, Interesting) by Gravis (4596) on Tuesday October 06 2015, @06:45AM (#245985)

    just like the first blackphone, they have not released any info on the baseband processor, let alone the source code for what runs on it. the baseband processor interfaces with the radio itself and runs independently. our friend Ralf Philipp Weinmann has shown they are generally insecure for the last five years [google.com] at various technology security meetings. if they only tried, the blackphone could be using a (TI Calypso) baseband processor running an open source cellular stack. [wikipedia.org]

    this smartphone still is not secure.

    • (Score: 1) by cpghost (4591) on Tuesday October 06 2015, @01:37PM (#246068)

      That's a valid argument. The issue is not so much the data that is received and transmitted over the radio by the baseband processor: if it's end-to-end encrypted, then it doesn't matter if it's intercepted by the baseband processor, by an IMSI catcher, by the wireless operator, or by a satellite. What's on the air, is free-for-all to read: that's why the stuff needs to be encrypted end-to-end before it even reaches the radio processor, and decrypted after the radio processor has delivered its content to the main processor.

      The problem is how the radio / baseband CPU and main CPU are connected to the memory buses of the Blackphone: can the baseband CPU access the whole main memory of the phone or just a restricted window of it, barely enough to do its job? If the baseband CPU and its own little OS can access more RAM than absolutely necessary, then it could access plain text / plain voice before its encryption or after its decryption by the main CPU, and the whole system would be useless, unless that baseband CPU and its OS are open source too. If it can't, and if the radio module is hardware-limited to a well-defined RAM-window, then this CPU could be closed-source and run a proprietary binary blob and still not compromise the confidentiality of the transmitted messages.

      --
      Cordula's Web. http://www.cordula.ws/
      • (Score: 2) by Gravis (4596) on Tuesday October 06 2015, @03:17PM (#246096)

        you are forgetting that the baseband processor is also hooked to the SIM card. there is plenty of havoc to be had by manipulating the SIM or spoofing its contents. check it out: https://simhacks.github.io/defcon-21/ [github.io]

        • (Score: 2) by frojack (1554) on Tuesday October 06 2015, @09:08PM (#246216)

          Still won't help the spies: because of encryption. You

          Besides, this argument about the baseband processors is pointless as the FCC (and foreign equivalents) are not going to turn end users loose to control baseband radio firmware.

          --
          No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Tuesday October 06 2015, @11:20AM (#246029)

    ... then it still wouldn't be able to avoid the fundamental insecurities which android brings with it. I just bought an android-based stick computer for my dumb TV. Already, the browser is showing me targeted adverts even though I created a new fake gmail account for it. I considered installing firefox, but firefox demands permission to read my contacts list, as well as my identity and my location. I feel dirty just using the device, it's got information sharing - aka leakage - designed into the core.

    • (Score: 0) by Anonymous Coward on Tuesday October 06 2015, @12:41PM (#246047)

      It's Linux. God damn. Root it and make it work the way you want. If that's beyond your abilities, go back to Slashdot where you can ask such technical questions as, "How do I make Windows Update work Automatically?" and, "How Often do you Update your OS?"