Verizon Offers Encrypted Calling With NSA Backdoor At No Additional Charge

from the trust-us,-we're-the-phone-company dept

As a string of whistleblowers like former AT&T employee Mark Klein have made abundantly clear, the line purportedly separating intelligence operations from the nation’s incumbent phone companies was all but obliterated long ago. As such, it’s relatively amusing to see Verizon announce this week that the company is offering up a new encrypted wireless voice service named Voice Cypher. Voice Cypher, Verizon states, offers “end-to-end” encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app made by Cellcrypt.

Verizon’s marketing materials for the service feature young, hip, privacy-conscious users enjoying the “industry’s most secure voice communication” platform:

Verizon says it’s initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by “end-to-end encryption,” Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, “end-to-end encryption” means something entirely different than it does in the real world:

“Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so. Seth Polansky, Cellcrypt’s vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. ‘It’s only creating a weakness for government agencies,’ he says. ‘Just because a government access option exists, it doesn’t mean other companies can access it.’”

Just because we put a backdoor in a product, doesn’t mean those backdoors will be abused, right guys? Right? Of course this is the same Verizon that has mocked Internet companies for “grandstanding” when it comes to their latest encryption push. But while those companies have refreshingly started competing over who can respect your privacy more, Verizon’s making it clear that privacy is an afterthought, even when pitching privacy services. Perhaps someday Verizon can see fit to offer “end-to-end encryption” that actually is.

Companies: cellcrypt, verizon


Comments on “Verizon Offers Encrypted Calling With NSA Backdoor At No Additional Charge”

77 Comments
Rich Kulawiec (profile) says:

Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

Oh, no…it’s worse than that. This is backdoored for EVERYONE — as soon as someone reverse-engineers it, or figures out how to crack it, or successfully impersonates a law enforcement agency, or hacks the underlying OS, or hands a Verizon employee an envelope with $100K in crisp tax-free income, or combinations/variations of these.

This is pre-compromised at the factory.

sigalrm says:

Re: Re: Re:3 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

They aren’t claiming otherwise – You just have to know telco-ese:

From Verizon’s website (http://business.verizonwireless.com/content/b2b/en/solutions/technology/mobile-security/voice-cypher.html)

“Voice Cypher Conferencing protects conference calls from unauthorized access, provides total control over calls in progress and can provide government-grade, end-to-end encryption to prevent voice-call interception.”

Very carefully worded but here’s the rub – it all hinges on the word “authorized”: Customers will assume that they get to determine who and what is “Authorized”. This is an incorrect assumption based on wishful thinking, and utterly at odds with well-established US Law.

Ultimately, the software application, as configured by the carrier determines what’s “Authorized” – and “Lawful Intercept” is by definition going to get authorized. Every time.

Anonymous Coward says:

Re: Re: Re:4 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

“protects conference calls from unauthorized access”

The very nature of a backdoor is to circumvent normal access, which is typically kept hidden from others so that unauthorized access is not made easier. Which also follows the flawed logic of security by obscurity which has already been well proven to be a fucking stupid idea.

The Government is becoming the very thugs we are looking to be protected from, and for some have already BECOME!

sigalrm (profile) says:

Re: Re: Re:5 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

Because Telcos are oh-so-trustworthy, always adhere to their marketing collateral, and never redefine words, terms, and phrases to mean something other than what a technically inclined person would think they mean?

If Verizon copies the encrypted stream as it’s delivered from endpoint to endpoint and then decrypts the copy off-line using key escrow technology, it’s still technically “end-to-end” encryption because there’s no encrypt/decrypt/re-encrypt step in the interception. The endpoints can talk directly to each other, negotiate their own session keys, etc. Am I splitting hairs? Absolutely. Is that the same type of hair that a telco’s lawyer would split? Absolutely. And that’s just one way they’ll monkey around with it.

It’s a fun new game called “exploit the loophole”, and everyone’s playing – even the home game.

I haven’t picked apart the marketing collateral, but it was written by lawyers specifically for the intent of being entirely true even if intentionally misleading. But at the end of the day, by all accounts, Verizon has stated that they’ve built in LI capabilities. So the way to ask the question is: “Now that they’ve said they’re doing it, how are they doing so in a way that doesn’t result in them losing a false-advertising lawsuit?”
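The key-escrow arrangement sigalrm describes above, as an added example that is not part of the original thread and not a description of Voice Cypher's actual design: the endpoints negotiate their own session key, yet a passive copy of the traffic can be decrypted offline by whoever holds the escrow key. The toy Diffie-Hellman modulus, the HMAC-based stream cipher and the `escrow_field` name are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19  # toy DH modulus for the demo (assumption, not a vetted group)
G = 2

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv: int, peer_pub: int) -> bytes:
    """Both endpoints derive the same key without the carrier taking part."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def send_frame(key: bytes, escrow_key: bytes, audio: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    return {
        "nonce": nonce,
        "ciphertext": keystream_xor(key, nonce, audio),
        # Hypothetical escrow field: the session key wrapped under the escrow key.
        "escrow_field": keystream_xor(escrow_key, b"wrap" + nonce, key),
    }

def receive_frame(key: bytes, frame: dict) -> bytes:
    return keystream_xor(key, frame["nonce"], frame["ciphertext"])

def escrow_decrypt(escrow_key: bytes, frame: dict) -> bytes:
    """Offline decryption of a copied frame; no man-in-the-middle step needed."""
    key = keystream_xor(escrow_key, b"wrap" + frame["nonce"], frame["escrow_field"])
    return keystream_xor(key, frame["nonce"], frame["ciphertext"])

def demo() -> dict:
    audio = b"constructed sample audio frame: meet at 09:00"
    escrow_key = secrets.token_bytes(32)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    frame = send_frame(session_key(a_priv, b_pub), escrow_key, audio)
    return {
        "audio": audio,
        "bob": receive_frame(session_key(b_priv, a_pub), frame),
        "escrow_holder": escrow_decrypt(escrow_key, frame),
        "wrong_key": escrow_decrypt(secrets.token_bytes(32), frame),
    }
```

The confidentiality of every call reduces to the secrecy of the one escrow key: `escrow_decrypt` succeeds for any party that obtains it, not only the one it was intended for.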

Scote (profile) says:

Re: Re: Re:2 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

“Verizon – as a telephone company – cannot legally provide a voice service in the United States which doesn’t accommodate lawful intercept as required by CALEA. Full Stop.”

AKA, why you must not purchase any “secure” communications platform from Verizon or any Telco – though with all the secret stuff the NSA and the Obama administration do, including lifetime gag orders, there’s no way to know for sure if any closed source security app is actually secure. And open source apps are just begging for subtle, really hard to notice tweaks that make one minor change or error default or whatnot that transforms secure into interceptable. There is no panacea for security. :-p

sigalrm says:

Re: Re: Re:3 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

To be fair, with lifetime gag orders, you can’t necessarily trust open source, either, unless you manually vet it yourself, and let’s face it – there’s a very, very small percentage of the population who can do that effectively.

sigalrm (profile) says:

Re: Re: Re:5 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

This is why a generalized erosion of trust is so insidious, and appears to be a key component of an overarching campaign.

It’s hard to know who to trust when it comes to crypto right now, and the overall climate is one where it becomes easy to call into question the credentials of well-known crypto engineers, and a fool’s errand to trust anonymous contributors.

This is not a good spot to be in.

John Fenderson (profile) says:

Re: Re: Re:3 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

“though with all the secret stuff the NSA and the Obama administration do, including lifetime gag orders, there’s no way to know for sure if any closed source security app is actually secure.”

In all fairness, there’s no way to know with 100% certainty that any security app or process is actually secure even regardless of all that secret stuff.

Any security plan that relies entirely on any single security mechanism is a terrible security plan. This isn’t a new thing at all — it has been this way for the whole history of mankind. This is also why I discourage people from thinking of crypto as some kind of final word in security. It isn’t anything of the sort.

It’s also, by the way, why PGP was named “pretty good privacy” — to try to keep people from thinking of it as some kind of panacea.

Scote (profile) says:

Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

True, true. And it’s just what I’ve always needed, a secure voice encryption system with all the security of a TSA approved baggage lock*.

*Really, “lock” should be in quotes. A zip tie is more of a lock than those things that can be opened by universal keys that pretty much anyone and everyone has or can buy or make.

Anonymous Coward says:

Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

That’s why I always use zip ties when traveling anywhere. Even if they replace it, they’re not going to be using the same kind you do. And there’s no way they’re going to attempt to get that tie open stealthily instead of just cutting it off and replacing it. Plus, I bet a bunch of TSA guys don’t bother with luggage that has a zip tie — as the tie usually indicates someone’s already been through the bag 😉

I’ve had every one of my luggage locks cut; I’ve never had a zip tie cut.

sigalrm says:

Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."

Rich,

For what it’s worth, the FBI has links to all of the relevant lawful intercept technical standards here: http://askcalea.fbi.gov/standards.html

Many of them are freely available for download, although even the for-pay standards look to cap out at about $350 to purchase.

So, not only are they “pre-compromised” as you put it – the standards documents are readily available to anyone who’s bored enough to read them.

Uriel-238 (profile) says:

The ending to this story I hope for...

Again, I accidentally tapped enter in the subject line and submitted… I think before I actually added any text.

Is that one of our grey-hats finds and publicizes the back door within a week, after which Verizon tries to sue him or prosecute him and gets laughed out of court. Preferably without any actual jail time for the poor grey-hat.

Backdoors and golden keys are serious vulnerabilities. Apparently we need someone to demonstrate this in a way that ridicules those who don’t get it.

Anonymous Coward says:

Re: Re:

Even if it were just with a warrant, that wouldn’t be good enough. There’s no way to ensure that the government won’t use a national security letter.

If companies were allowed to disclose what NSL’s they are being served (perhaps after some period of time), I would be more comfortable with it.

Anonymous Coward says:

…so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so.

Notice here he doesn’t say “warrant” – how interesting.

“Just because a government access option exists, it doesn’t mean other companies can access it.”

Yes, of course…because that’s who we’re afraid of exploiting government-mandated backdoors…companies.

Sounds like Verizon’s marketing department needs a real enema if this is the best spin they can come up with.

John Fenderson (profile) says:

A company to avoid

“It’s only creating a weakness for government agencies,” he says. “Just because a government access option exists, it doesn’t mean other companies can access it.”

That the VP of a company can make such a ludicrous statement tells me that the company is completely incompetent when it comes to security matters and their products and services cannot be trusted (even ignoring the presence of the backdoor).

Anonymous Coward says:

Re: Re: Re:

Security theater, and good old self-fulfilling prophecies as well.

To make everyone a criminal ripe for picking from the crop as needed you just tweak the rules so that it is not possible for them to make it from home to work without breaking some laws, no matter how benign.

As an officer will tell you… follow anyone long enough and they will make a mistake that justifies an excuse to pull you over. This way they can have their cake and then accuse everyone else using non-government friendly tools or encryption to begin with as we are now of being terrorists with something to hide. As I said… self-fulfilling prophecy.

sigalrm (profile) says:

Re: Re: Re: Re:

AC:

Indeed. It comes back to this oldie (but goodie):

“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

Commonly attributed to Cardinal Richelieu (1585-1642) although I gather there might be some dispute there.

Smart guy. He would have loved mobile devices.

Anonymous Coward says:

“Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so.”

Ummm, law enforcement can access communications right now as long as they’re able to prove that there’s a legitimate law enforcement reason for doing so. It’s called a warrant. If you sign up for this, can law enforcement just say “we have a good reason” or do they still have to get a warrant?

Retsibsi (profile) says:

Of course the beauty of this scheme is that by signing up for it you immediately go on Verizon’s records as someone who appears to have something to hide.
Sounds rather like the scheme some years ago when the UK government arranged for an article / book to publicly suggest that terrorists didn’t bother with life insurance when taking a plane trip. Needless to say, having suggested a way for terrorists to hide their tracks by signing up for life insurance, anyone who then signed up for life insurance when booking a plane trip promptly became someone of interest to the security services….

Anonymous Coward says:

CALEA backdoors have already been used by hackers to break into Greece’s phone systems and spy on Greece’s prime minister, his defense and foreign affairs ministers, top military and law enforcement officials.

http://spectrum.ieee.org/telecom/security/the-athens-affair

Hackers used Regin to infect Belgacom’s cellphone networks in Belgium, allowing hackers to issue GSM commands directly on Belgacom’s network infrastructure, redirect calls, and gather location information about customers.

http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/

Why anyone would use, let alone pay for, security software with intentional weaknesses designed into it for hackers and other nation states to exploit is beyond me.

Especially when there’s lower cost and more secure alternatives such as Silent Circle or free software solutions such as TextSecure and RedPhone.

If you’re afraid about cellphone backdoors there’s even devices that encrypt your voice before it ever touches the cellphone’s microphone. In that case JackPair voice encryption might float your boat.

I believe Verizon’s push for Crypto Wars v2.0 is somehow about trying to set a legal precedent for backdoors in telcom devices. Sounds like another Clipper chip to me.

I don’t believe CALEA currently requires telcoms to modify their end-to-end encryption software in order to make it wiretap friendly. Which means Verizon chose to introduce the backdoors voluntarily on their own accord. That to me, speaks about their attitude towards the privacy of their customers. Or lack of.

I don’t want hackers and foreign governments listening to my private, backdoored conversations.

Lewis V (profile) says:

"Verizon Offers Encrypted Calling With NSA Backdoor"

Always hated Verizon. They’ve always been more friendly with government and special interests (i.e. MPAA/RIAA mafia) than with their regular customers. As long as they’re making money, why should they care about you? Bank of America along with other institutions screwed the American people with bad home loans. Then screwed everybody by taking away their homes and making billions of dollars more in the process. NONE went to jail. But many people, stupidly, still do business with them.

Anonymous Coward says:

So, the only people who would buy that service are people who:

-Are somewhat lacking in tech literacy and/or knowledge of current events.
-Own a smartphone.
-And need to communicate sensitive information privately.

So, Sony employees, celebrities prone to taking nude photos, hopefully more than a few government employees…
When (not if) this “secure calling” feature gets hacked, it’s surely going to unleash yet another blockbuster dramabomb. I can’t wait. 🙂

Anonymous Coward says:

That old joke about an American and a Russian diplomat

I remember that old joke about an American and Russian diplomat bragging about their countries during the cold war.

The American diplomat says: “our country is great, we can pick up the phone, dial a number and talk to the police.”

The Russian diplomat says: “we don’t have to dial.”

It looks like the Americans have copied the red menace 🙂
