Verizon Offers Encrypted Calling With NSA Backdoor At No Additional Charge
from the trust-us,-we're-the-phone-company dept
As a string of whistleblowers like former AT&T employee Mark Klein have made abundantly clear, the line purportedly separating intelligence operations from the nation’s incumbent phone companies was all but obliterated long ago. As such, it’s relatively amusing to see Verizon announce this week that the company is offering up a new encrypted wireless voice service named Voice Cypher. Voice Cypher, Verizon states, offers “end-to-end” encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app made by Cellcrypt.
Verizon’s marketing materials for the service feature young, hip, privacy-conscious users enjoying the “industry’s most secure voice communication” platform:
Verizon says it’s initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by “end-to-end encryption,” Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, “end-to-end encryption” means something entirely different than it does in the real world:
“Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so. Seth Polansky, Cellcrypt’s vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. “It’s only creating a weakness for government agencies,” he says. “Just because a government access option exists, it doesn’t mean other companies can access it.”
Just because we put a backdoor in a product, doesn’t mean those backdoors will be abused, right guys? Right? Of course this is the same Verizon that has mocked Internet companies for “grandstanding” when it comes to their latest encryption push. But while those companies have refreshingly started competing over who can respect your privacy more, Verizon’s making it clear that privacy is an afterthought, even when pitching privacy services. Perhaps someday Verizon can see fit to offer “end-to-end encryption” that actually is.
Filed Under: back doors, backdoors, encryption, end-to-end encryption, law enforcement, nsa, surveillance, voice cypher
Companies: cellcrypt, verizon
Comments on “Verizon Offers Encrypted Calling With NSA Backdoor At No Additional Charge”
Seems clear
“to-end” encryption.
“Okay, dear. Got it. Pick up the girls from swimming practice and swing in and get dinner. Should be home by 8pm.
Oh, and Phil, tell the boys poker’s been canceled this week. Meg’s wife is coming, but of course you already knew that.”
Of course it's End-to-End encryption
they just don’t tell you that the NSA is one of the “ends”
Re: Of course it's End-to-End encryption
It’s end-to-end-to-end and hopefully it is going to end too.
Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
This is way worse than an NSA backdoor. This is an every LEO or government agency backdoor. Even the bought and paid for City of London (Corporation) Police (not to be confused with the Met) could theoretically get access.
Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
Oh, no…it’s worse than that. This is backdoored for EVERYONE — as soon as someone reverse-engineers it, or figures out how to crack it, or successfully impersonates a law enforcement agency, or hacks the underlying OS, or hands a Verizon employee an envelope with $100K in crisp tax-free income, or combinations/variations of these.
This is pre-compromised at the factory.
Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
Don’t worry, I’m sure one or more of those happened well before this announcement.
Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
Verizon – as a telephone company – cannot legally provide a voice service in the United States which doesn’t accommodate lawful intercept as required by CALEA. Full Stop.
Re: Re: Re:2 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
Then they shouldn’t be offering a service that claims otherwise.
Re: Re: Re:3 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
They aren’t claiming otherwise – You just have to know telco-ese:
From Verizon’s website (http://business.verizonwireless.com/content/b2b/en/solutions/technology/mobile-security/voice-cypher.html)
“Voice Cypher Conferencing protects conference calls from unauthorized access, provides total control over calls in progress and can provide government-grade, end-to-end encryption to prevent voice-call interception.”
Very carefully worded but here’s the rub – it all hinges on the word “authorized”: Customers will assume that they get to determine who and what is “Authorized”. This is an incorrect assumption based on wishful thinking, and utterly at odds with well-established US Law.
Ultimately, the software application, as configured by the carrier determines what’s “Authorized” – and “Lawful Intercept” is by definition going to get authorized. Every time.
Re: Re: Re:4 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
“protects conference calls from unauthorized access”
The very nature of a backdoor is to circumvent normal access, which is typically kept hidden from others so that unauthorized access is not made easier. Which also follows the flawed logic of security by obscurity which has already been well proven to be a fucking stupid idea.
The Government is becoming the very thugs we are looking to be protected from, and for some have already BECOME!
Re: Re: Re:4 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
Claiming “end-to-end encryption” is claiming otherwise.
Re: Re: Re:5 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
Because telcos are oh-so-trustworthy, always adhere to their marketing collateral, and never redefine words, terms, and phrases to mean something other than what a technically inclined person would think they mean?
If Verizon copies the encrypted stream as it’s delivered from endpoint to endpoint and then decrypts the copy off-line using key escrow technology, it’s still technically “end-to-end” encryption because there’s no encrypt/decrypt/re-encrypt step in the interception. The endpoints can talk directly to each other, negotiate their own session keys, etc. Am I splitting hairs? Absolutely. Is that the same type of hair that a telco’s lawyer would split? Absolutely. And that’s just one way they’ll monkey around with it.
It’s a fun new game called “exploit the loophole”, and everyone’s playing – even the home game.
I haven’t picked apart the marketing collateral, but it was written by lawyers specifically for the intent of being entirely true even if intentionally misleading. But at the end of the day, by all accounts, Verizon has stated that they’ve built in LI capabilities. So the way to ask the question is: “Now that they’ve said they’re doing it, how are they doing so in a way that doesn’t result in them losing a false-advertising lawsuit?”
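The passive-copy, key-escrow interception described in the comment above, as an added example that is not part of the original comment and is not Verizon's or Cellcrypt's code. The page does not say how Voice Cypher implements access, so the escrow field, the toy Diffie-Hellman group, the toy keystream and every function name here are assumptions.

```python
import hashlib
import secrets

# Toy parameters (assumption, not a secure design): a 127-bit Mersenne prime
# and a SHA-256 counter keystream keep the demo standard-library only.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private, public) for the toy Diffie-Hellman group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Derive the 32-byte session key both endpoints negotiate directly."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def keystream_xor(key, nonce, data):
    """XOR data with a SHA-256 counter keystream (same call encrypts/decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def send_frame(session_key, escrow_key, plaintext):
    """Encrypt for the peer and attach the session key wrapped for escrow."""
    nonce = secrets.token_bytes(12)
    return {
        "nonce": nonce,
        "ciphertext": keystream_xor(session_key, nonce, plaintext),
        # Hypothetical escrow field: the session key under the escrow key.
        "escrow_field": keystream_xor(escrow_key, b"wrap" + nonce, session_key),
    }


def endpoint_receive(session_key, frame):
    return keystream_xor(session_key, frame["nonce"], frame["ciphertext"])


def escrow_read(escrow_key, frame):
    """Offline decryption of a copied frame by whoever holds escrow_key."""
    nonce = frame["nonce"]
    session_key = keystream_xor(escrow_key, b"wrap" + nonce, frame["escrow_field"])
    return keystream_xor(session_key, nonce, frame["ciphertext"])


def demo():
    sample = b"constructed sample voice frame"
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a, key_b = dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)
    escrow_key = secrets.token_bytes(32)
    frame = send_frame(key_a, escrow_key, sample)
    copy = dict(frame)  # passive copy in transit; the delivered frame is unchanged
    return {
        "sample": sample,
        "endpoint_keys_match": key_a == key_b,
        "peer_plaintext": endpoint_receive(key_b, frame),
        "escrow_plaintext": escrow_read(escrow_key, copy),
        "no_key_plaintext": escrow_read(secrets.token_bytes(32), copy),
        "frame_unmodified": frame == copy,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both endpoints negotiated the key themselves and nothing in the path re-encrypted the frame, yet the confidentiality of every frame now rests on who holds `escrow_key`.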
Re: Re: Re:6 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
What you’re saying here is “telcos lie”. Which is absolutely true, and was pretty much my point.
Re: Re: Re:7 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
Fair enough. I probably misread the intent in your post. No offense was intended.
Re: Re: Re:8 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
I see nothing in anything you said that would offend me.
Re: Re: Re:5 "End-to-end"
It’s labeled as “end-to-end” encryption the way that new wireless data technologies two years ago were labeled as “4G”.
Re: Re: Re:2 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
AKA, why you must not purchase any “secure” communications platform from Verizon or any Telco – though with all the secret stuff the NSA and the Obama administration do, including lifetime gag orders, there’s no way to know for sure if any closed source security app is actually secure. And open source apps are just begging for subtle, really hard to notice tweaks that make one minor change or error default or whatnot that transforms secure into interceptable. There is no panacea for security. :-p
Re: Re: Re:3 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
To be fair, with lifetime gag orders, you can’t necessarily trust open source, either, unless you manually vet it yourself, and let’s face it – there’s a very, very small percentage of the population who can do that effectively.
Re: Re: Re:4 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
“there’s a very, very small percentage of the population who can do that effectively.”
But that’s still thousands upon thousands of people. It only takes one to get the information out.
Re: Re: Re:5 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
This is why a generalized erosion of trust is so insidious, and appears to be a key component of an overarching campaign.
It’s hard to know who to trust when it comes to crypto right now, and the overall climate is one where it becomes easy to call into question the credentials of well-known crypto engineers, and a fool’s errand to trust anonymous contributors.
This is not a good spot to be in.
Re: Re: Re:3 Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
“though with all the secret stuff the NSA and the Obama administration do, including lifetime gag orders, there’s no way to know for sure if any closed source security app is actually secure.”
In all fairness, there’s no way to know with 100% certainty that any security app or process is actually secure even regardless of all that secret stuff.
Any security plan that relies entirely on any single security mechanism is a terrible security plan. This isn’t a new thing at all — it has been this way for the whole history of mankind. This is also why I discourage people from thinking of crypto as some kind of final word in security. It isn’t anything of the sort.
It’s also, by the way, why PGP was named “pretty good privacy” — to try to keep people from thinking of it as some kind of panacea.
Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
True, true. And it’s just what I’ve always needed, a secure voice encryption system with all the security of a TSA approved baggage lock*. (
*Really, “lock” should be in quotes. A zip tie is more of a lock than those things that can be opened by universal keys that pretty much anyone and everyone has or can buy or make.
Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
That’s why I always use zip ties when traveling anywhere. Even if they replace it, they’re not going to be using the same kind you do. And there’s no way they’re going to attempt to get that tie open stealthily instead of just cutting it off and replacing it. Plus, I bet a bunch of TSA guys don’t bother with luggage that has a zip tie — as the tie usually indicates someone’s already been through the bag
I’ve had every one of my luggage locks cut; I’ve never had a zip tie cut.
Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
Rich,
For what it’s worth, the FBI has links to all of the relevant lawful intercept technical standards here: http://askcalea.fbi.gov/standards.html
Many of them are freely available for download, although even the for-pay standards look to cap out at about $350 to purchase.
So, not only are they “pre-compromised” as you put it – the standards documents are readily available to anyone who’s bored enough to read them.
Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
Just like “Unlimited” doesn’t mean unlimited to AT&T, “End-to-end Encryption” doesn’t mean End-to-end encryption for Verizon.
The ending to this story I hope for...
Again, I accidentally tapped enter in the subject line and submitted… I think before I actually added any text.
Is that one of our grey-hats finds and publicizes the back door within a week, after which Verizon tries to sue him or prosecute him and gets laughed out of court. Preferably without any actual jail time for the poor grey-hat.
Backdoors and golden keys are serious vulnerabilities. Apparently we need someone to demonstrate this in a way that ridicules those who don’t get it.
Re: The ending to this story I hope for...
Oh most of them do get it. They just want to exploit those vulnerabilities themselves, and aren’t too worried about who else exploits the vulnerabilities.
Re: The ending to this story I hope for...
“Apparently we need someone to demonstrate this in a way that ridicules those who don’t get it”. Someone like Senator Feinstein or some of the Judges on the Supreme Court.
“end-to-end”
To be fair, they didn’t say that the other end wasn’t the NSA.
Re: Re:
End-to-NSA encryption. I like it.
Very generous.
“… it is poor civic hygiene to install technologies that could someday facilitate a police state.”
Thank you, Mr. Schneier.
…so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so
Does this mean a warrant? If so, I’m okay with that. I thought we were against warrantless surveillance.
Re: Re:
I’m sure that it doesn’t mean that at all. Requiring a warrant would be a higher level of restriction. If they required a warrant, they would have said that.
Re: "legitimate law enforcement reason"
That’s vague as fuck. Essentially, any time an officer wants to listen in, they get to do so.
Re: Re:
Even if it were just with a warrant, that wouldn’t be good enough. There’s no way to ensure that the government won’t use a national security letter.
If companies were allowed to disclose what NSL’s they are being served (perhaps after some period of time), I would be more comfortable with it.
Re: Re: Re:
“If companies were allowed to disclose what NSL’s”
You have already failed… it has been well proven that people like you can be fooled too easily.
To get this passed by someone like you they will allow companies to disclose them for a day to secure your vote then rip the carpet out from under you.
Re: Re:
“What? Oh no, you misunderstood. We don’t want to listen to the person, we want to listen to the phone. We think it is dealing drugs and before we raid the phone we want to be sure.”
If you can sue a house you can listen to a phone.
Re: Re:
No, not a warrant.
Yes we need to access all of the calls made from this cellphone because my drug dog sniffed some drugs on the call.
Excellent!
I’ll put this on my Christmas list… along with the front door lock that all criminals can pick and windows shades that allow neighbors to see through.
Title 2 reclassification makes law enforcement assistance even worse.
Unintended consequence of giving the FCC authority
Re: Re:
Title 11 for Verizon and Comcast et al, does not change any relationships the government has with Google and Netflix et al.
So it is $45 for a constant MITM running on my phone? Decisions….
…so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so.
Notice here he doesn’t say “warrant” – how interesting.
“Just because a government access option exists, it doesn’t mean other companies can access it.”
Yes, of course…because that’s who we’re afraid of exploiting government-mandated backdoors…companies.
Sounds like Verizon’s marketing department needs a real enema if this is the best spin they can come up with.
A company to avoid
That the VP of a company can make such a ludicrous statement tells me that the company is completely incompetent when it comes to security matters and their products and services cannot be trusted (even ignoring the presence of the backdoor).
I prefer not to be a walking target, I got rid of my mobile phone and haven’t looked back. As of this month I have saved over one thousand dollars in phone bills. Happy Holidays.
Well. Whaddaya know – somebody’s actually selling a Tiger Rock.
END TO END TO END
And more for a small fee
they should have some kind of government subsidy for the rate plan you know because the government is in on that end to end to end
Re: END TO END TO END
ha ha ha…
You must remember… Government is essentially a LEGAL racket.
You pay them to protect you… from them!
This is the reason that Government is the greatest threat to mankind. I can more easily defend myself from an invading army than I can from government thugs.
What’s the point of making interception capabilities mandatory when criminals can just choose to use options that are truly end-to-end encrypted?
Re: Re:
Easy identification of targets comes to mind…
Re: Re: Re:
Security theater, and good old self-fulfilling prophecies as well.
To make everyone a criminal ripe for picking from the crop as needed you just tweak the rules so that it is not possible for them to make it from home to work without breaking some laws, no matter how benign.
As an officer will tell you… follow anyone long enough and they will make a mistake that justifies an excuse to pull you over. This way they can have their cake and then accuse everyone else using non-government friendly tools or encryption to begin with, as we are now, of being terrorists with something to hide. As I said… self-fulfilling prophecy.
Re: Re: Re: Re:
AC:
Indeed. It comes back to this oldie (but goodie):
“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”
Commonly attributed to Cardinal Richelieu (1585-1642) although I gather there might be some dispute there.
Smart guy. He would have loved mobile devices.
we’ll all go for that as long as the heads of Verizon and the NSA use it too, so we can listen in by the ‘back door’ on what they’re up to! no cheating now by using different phones!!
Who is this for?
Given the backdoor, exactly who is this ‘end-to-end’ encryption protection protecting us from? Bueller? Bueller?
Re: Who is this for?
Silly wabbit, it’s to protect us from Terrorists and Pedophiles!
Can you even call it encrypted when so many have the password?
At that point, isn’t it just needlessly complicated?
“Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so.”
Ummm, law enforcement can access communications right now as long as they’re able to prove that there’s a legitimate law enforcement reason for doing so. It’s called a warrant. If you sign up for this, can law enforcement just say “we have a good reason” or do they still have to get a warrant?
Of course the beauty of this scheme is that by signing up for it you immediately go on Verizon’s records as someone who appears to have something to hide.
Sounds rather like the scheme some years ago when the UK government arranged for an article / book to publicly suggest that terrorists didn’t bother with life insurance when taking a plane trip. Needless to say, having suggested a way for terrorists to hide their tracks by signing up for life insurance, anyone who then signed up for life insurance when booking a plane trip promptly became someone of interest to the security services….
The droids you are looking for aren’t here.
they do know that if you make a back door, SOMEONE will figure out how to get into it illegally, other than the police….
CALEA backdoors have already been used by hackers to break into Greece’s phone systems and spy on Greece’s prime minister, his defense and foreign affairs ministers, top military and law enforcement officials.
http://spectrum.ieee.org/telecom/security/the-athens-affair
Hackers used Regin to infect Belgacom’s cellphone networks in Belgium, allowing hackers to issue GSM commands directly on Belgacom’s network infrastructure, redirect calls, and gather location information about customers.
http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/
Why anyone would use, let alone pay for, security software with intentional weaknesses designed into it for hackers and other nation states to exploit is beyond me.
Especially when there’s lower cost and more secure alternatives such as Silent Circle or free software solutions such as TextSecure and RedPhone.
If you’re afraid about cellphone backdoors there’s even devices that encrypt your voice before it ever touches the cellphone’s microphone. In that case JackPair voice encryption might float your boat.
I believe Verizon’s push for Crypto Wars v2.0 is somehow about trying to set a legal precedent for backdoors in telcom devices. Sounds like another Clipper chip to me.
I don’t believe CALEA currently requires telcoms to modify their end-to-end encryption software in order to make it wiretap friendly. Which means Verizon chose to introduce the backdoors voluntarily on their own accord. That to me, speaks about their attitude towards the privacy of their customers. Or lack of.
I don’t want hackers and foreign governments listening to my private, backdoored conversations.
My hoodie-footie PJ's have a builtin backdoor
for NSA/FBI “end to end” surveillance.
The "Cypher" in "Voice Cypher" is just Rot13
https://en.wikipedia.org/wiki/Rot_13
Backdoors don’t know difference between good guys and bad guys
Re: good guys and bad guys
It is a difficult distinction, in any circumstance. Particularly when so many who think themselves good guys, aren’t.
"Verizon Offers Encrypted Calling With NSA Backdoor"
Always hated Verizon. They’ve always been more friendly with government and special interests (i.e. MPAA/RIAA mafia) than with their regular customers. As long as they’re making money, why should they care about you? Bank of America along with other institutions screwed the American people with bad home loans. Then screwed everybody by taking away their homes and making billions of dollars more in the process. NONE went to jail. But many people, stupidly, still do business with them.
So, the only people who would buy that service are people who:
-Are somewhat lacking in tech literacy and/or knowledge of current events.
-Own a smartphone.
-And need to communicate sensitive information privately.
So, Sony employees, celebrities prone to taking nude photos, hopefully more than a few government employees…
When (not if) this “secure calling” feature gets hacked, it’s surely going to unleash yet another blockbuster dramabomb. I can’t wait.
Oh, so it's a double-end-to-end encryption.
You NSA whom you call.
Sweet.
Hmmm
Seth Polansky, Cellcrypt’s vice president, says…”Just because a government access option exists, it doesn’t mean other companies can access it.”
And this guy works in encryption software. Wow.
Re: Hmmm
And the idea that Government Agencies would accept such a flawed option is ridiculous.
“Just because a government access option exists, it doesn’t mean other companies can access it.”
No, it just means GOVERNMENT can access it
You dip wad who’s perpetrating that this is an okay thing
Let me not throw my money at the screen
That old joke about an american and a russian diplomat
I remember that old joke about an american and russian diplomat bragging about their countries during the cold war.
The american diplomat says: “our country is great, we can pick up the phone, dial a number and talk to the police.”
The russian diplomat says: “we don’t have to dial.”
—
It looks like the americans have copied the red menace