Message-Id: <20130214144911.E2F4114DBDE@smtp.hushmail.com>
Date: Thu, 14 Feb 2013 15:49:11 +0100
From: sc2013a@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: SilentCircle (Encrypted VoIP auditing) - Please cooperate
Hi,
this is the output of a quick analysis done on SilentCircle source
code published on https://github.com/SilentCircle/silent-phone-base .
It seems that someone "friendly with SC" is continuously vandalizing
the PAD where this activity was done at
https://pad.riseup.net/p/silentcircle .
Some hackers there should really complete the audit and prepare some
better organized analysis.
* A Latvian company wrote most of the software, not SilentCircle
The application of SilentCircle seems to be a rebranded and customized
edition of TiviPhone, available from www.tivi.com made in Latvia.
silent-phone-base$ grep -ir tiviphone.com . | wc -l
180
From TiVi's page: http://www.tivi.com/en/company/news.php
"Until September 30, 2010, buy TiviPhone with ZRTP voice and video
encryption. The difference? You enter the price; we approve it. Pay by
PayPal, get the license key, run it and tell your friends how much
more competitive TiviPhone is! If you resell (or rebrand) TiviPhone,
even better: bid for bigger batches of licenses in one go!" but I
can't find anything about licensing as FOSS. And it also looks to
have a prior relationship with Zfone per
http://www.tivi.com/en/company/news.php?Secured-mobile-VoIP-calls.
Copyright tells the story.
Copyright © 2004-2012 Tivi LTD, www.tiviphone.com. All rights reserved.
Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
So the rebranding needed to be more complete - and the prior TiVi
partnership with Zfone and Zimmermann resulted in this emergence.
Much ado about nothing. as usual.. just cut and paste ",much ado about
nothing"
Indeed it appears the TiViPhone people work ~for~ Silent Circle. Just
like the bit about ZRTPCPP and Werner Dittmann below. Wait - so
Silent Circle has been developing TiviPhone since 2010 through those
people? With the intention of releasing it as Silent Phone years
later? I can't be that specific but look at
https://silentcircle.com/web/founders-leadership/ and the various
names associated with these libraries and projects appear all through
that list. Except PolarSSL. I don't know, but Occam's Razor would
probably say that they just made a deal with this company and either
bought them or partnered with them. That's pretty common for
startups. I noticed they have a "rebranding" pitch on their website,
maybe SC just took that a step further. Definitely seems like it was
around long before SC was formed though. Sounds more likely. Werner
Dittmann, looking from a LinkedIn profile, works for Nokia Siemens
Networks. Werner Dittmann and Janis are both listed on the SC page
founders listed above. I think a number of them have "day jobs" in
the early phases of this startup.
"Silent Circle's team: a unique and eclectic mix of
world-renowned cryptographers, Silicon Valley software engineers,
German VoIP engineers, Latvian system analysts and former US Navy
SEALs & British Special Air Service (SAS) security experts."
https://silentcircle.com/web/unique-story/
* Application is designed for VoIP, not specifically for Security
The software TiviPhone appears to be designed for general mobile VoIP use
and not specifically designed for security. It does include a custom
written SIP parser rather than reusing existing code from other
projects:
  * sipparser/client/CSipParse.cpp
  * sdp/parseSDP.cpp
* It does use an outdated SSL library (PolarSSL 1.1.1) with some known
security vulnerabilities ?
  * Latest version is 1.2.5 (2013-02-02), the project seems very active
    as 1.1.1 was released 2012-01-23
  * PolarSSL Security Advisory:
    https://polarssl.org/tech-updates/security-advisories (most recent
    advisory Feb 2nd) .
  * PolarSSL Changelog
    https://github.com/polarssl/polarssl/blob/master/ChangeLog
  * they embed 1.1.1 and 1.1.4 in libs, but I only find 1.1.1 usage in
    the code
  * TODO: It should be checked in detail if that 1.1.1 is vuln and/or
    patched for some of the advisories.
  * ^--- PolarSSL 1.1.1 suffers from "Weak Diffie-Hellman and RSA key
    generation":
    https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2012-01
  * Easily a non-issue as w/ many other projects. Verifying against
    binaries is tougher.
* It does not use LibZRTP by Philip Zimmermann used in Zfone but ZRTPCPP
The application does use the ZRTPCPP available on
https://github.com/wernerd/ZRTPCPP but it does not use the LibZRTP
made by Philip Zimmermann that SilentCircle itself licenses (LibZRTP
SDK) https://silentcircle.com/web/zrtp-sdk/
Werner Dittmann works for Silent Circle.
* It does use an outdated version of ZRTPCPP library?
Looking at libs/zrtp/Changelog it does use ZRTPCPP 1.5.2 version
(released on 05-Dec-2010). Latest version is libzrtpcpp 2.3.2
(released on 20-Nov-2012).
ZRTPCPP 1.5/1.6/2.3 download: http://ftp.gnu.org/gnu/ccrtp/ .
* It does reveal their test/development server?
In the file ./apple/ios/VoipPhone/settings.txt there is the hostname
fs-devel.silentcircle.org with ip 50.116.49.43
Do we have that code too? It would be nice to have a full development
environment to play with / even a fake one would have its uses.
That's a nice inquiry.
It would be also very interesting, while I think it's not doable
technically for smartphone platforms' constraints, to have
"Deterministic Building" to always have the exact checksum of files
given the same build process repeated in the same environment
(Unfortunately that's a hard topic, due to various timestamps and
stuff that the linker puts into the executable files).
// AppStore binaries are encrypted/heavily obfuscated... right, proving
the released binary matches the released source code is hard. Unless
the build is reproducible and verifiable, releasing the source is
pretty meaningless.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
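
Added example, not part of the original message and not code from either project: one way to turn the "they embed 1.1.1 and 1.1.4 in libs" observation and its TODO into a repeatable check, by listing every vendored PolarSSL `version.h` in a tree and flagging copies older than a baseline. The directory layout built by `make_sample_tree` is constructed for the demonstration, and the default baseline 1.2.5 is the latest release named in the post.

```shell
# Added example: inventory vendored PolarSSL copies by their version.h.

# version_lt A B: succeeds when dotted version A is strictly older than B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# polarssl_versions ROOT: prints "VERSION PATH" for every version.h that
# defines POLARSSL_VERSION_STRING (the _FULL variant is deliberately skipped).
polarssl_versions() {
    grep -rHsE --include=version.h \
        'define[[:space:]]+POLARSSL_VERSION_STRING[[:space:]]+"' "$1" |
    while IFS= read -r line; do
        ver=$(printf '%s\n' "$line" |
              sed -E 's/.*POLARSSL_VERSION_STRING[[:space:]]+"([^"]+)".*/\1/')
        printf '%s %s\n' "$ver" "${line%%:*}"
    done | sort
}

# outdated_polarssl ROOT BASELINE: prints copies older than BASELINE and
# returns 1 if any exist, 0 otherwise.
outdated_polarssl() {
    found=0
    list=$(polarssl_versions "$1")
    while read -r ver file; do
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$2"; then
            printf 'OUTDATED %s (< %s) %s\n' "$ver" "$2" "$file"
            found=1
        fi
    done <<EOF
$list
EOF
    return "$found"
}

# make_sample_tree: builds a constructed tree (hypothetical layout, not the
# real repository) holding two vendored copies, 1.1.1 and 1.1.4.
make_sample_tree() {
    root=$(mktemp -d)
    for v in 1.1.1 1.1.4; do
        dir="$root/libs/polarssl-$v/include/polarssl"
        mkdir -p "$dir"
        printf '#define POLARSSL_VERSION_STRING "%s"\n#define POLARSSL_VERSION_STRING_FULL "PolarSSL %s"\n' \
            "$v" "$v" > "$dir/version.h"
    done
    printf '%s\n' "$root"
}

# Usage: script ROOT [BASELINE]
if [ "$#" -ge 1 ]; then outdated_polarssl "$1" "${2:-1.2.5}"; fi
```

A version header only shows which release was vendored; whether local patches were applied on top still needs a diff against the upstream tarball.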