Full Disclosure mailing list archives
SilentCircle (Encrypted VoIP auditing) - Please cooperate
From: sc2013a () hushmail com
Date: Thu, 14 Feb 2013 15:49:11 +0100
Hi, this is the output of a quick analysis done on the SilentCircle source code published at https://github.com/SilentCircle/silent-phone-base . It seems that someone "friendly with SC" is continuously vandalizing the PAD where this activity was done, at https://pad.riseup.net/p/silentcircle . Some hackers there should really complete the audit and prepare a better organized analysis.

* A Latvian company wrote most of the software, not SilentCircle

The application of SilentCircle seems to be a rebranded and customized edition of TiviPhone, available from www.tivi.com, made in Latvia.

    silent-phone-base$ grep -ir tiviphone.com . | wc -l
    180

From TiVi's page: http://www.tivi.com/en/company/news.php

"Until September 30, 2010, buy TiviPhone with ZRTP voice and video encryption. The difference? You enter the price; we approve it. Pay by PayPal, get the license key, run it and tell your friends how much more competitive TiviPhone is! If you resell (or rebrand) TiviPhone, even better: bid for bigger batches of licenses in one go!"

but I can't find anything about licensing as FOSS. And it also looks to have a prior relationship with Zfone per http://www.tivi.com/en/company/news.php?Secured-mobile-VoIP-calls.

Copyright tells the story.

    Copyright © 2004-2012 Tivi LTD, www.tiviphone.com. All rights reserved.
    Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.

So the rebranding needed to be more complete - and the prior TiVi partnership with Zfone and Zimmermann resulted in this emergence. Much ado about nothing.

as usual.. just cut and paste ", much ado about nothing"

Indeed it appears the TiViPhone people work ~for~ Silent Circle. Just like the bit about ZRTPCPP and Werner Dittmann below.

Wait, so Silent Circle has been developing TiviPhone since 2010 through those people? With the intention of releasing it as Silent Phone years later?

I can't be that specific but look at https://silentcircle.com/web/founders-leadership/ and the various names associated with these libraries and projects appear all through that list. Except PolarSSL.

I don't know, but Occam's Razor would probably say that they just made a deal with this company and either bought them or partnered with them. That's pretty common for startups. I noticed they have a "rebranding" pitch on their website, maybe SC just took that a step further. Definitely seems like it was around long before SC was formed though.

Sounds more likely.

Werner Dittmann, looking from a LinkedIn profile, works for Nokia Siemens Networks.

Werner Dittmann and Janis are both listed on the SC founders page listed above. I think a number of them have "day jobs" in the early phases of this startup.

"Silent Circle's team: a unique and eclectic mix of world-renowned cryptographers, Silicon Valley software engineers, German VoIP engineers, Latvian system analysts and former US Navy SEALs & British Special Air Service (SAS) security experts." https://silentcircle.com/web/unique-story/

* Application is designed for VoIP, not specifically for Security

The software TiviPhone appears to be designed for general mobile VoIP use and not specifically designed for security. It does include a custom written SIP parser rather than reusing existing code from other projects:
  * sipparser/client/CSipParse.cpp
  * sdp/parseSDP.cpp

* It does use an outdated SSL library (PolarSSL 1.1.1) with some known security vulnerabilities?
  * Latest version is 1.2.5 (2013-02-02), the project seems very active as 1.1.1 was released 2012-01-23
  * PolarSSL Security Advisory: https://polarssl.org/tech-updates/security-advisories (most recent advisory Feb 2nd).
  * PolarSSL Changelog: https://github.com/polarssl/polarssl/blob/master/ChangeLog
  * they embed 1.1.1 and 1.1.4 in libs, but I only find 1.1.1 usage in the code
  * TODO: It should be checked in detail if that 1.1.1 is vuln and/or patched to some of the advisory.
  * ^--- PolarSSL 1.1.1 suffers from "Weak Diffie-Hellman and RSA key generation": https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2012-01
  * Easily a non-issue as w/ many other projects. Verifying against binaries is tougher.

* It does not use LibZRTP by Philip Zimmermann used in Zfone but ZRTPCPP

The application does use the ZRTPCPP available on https://github.com/wernerd/ZRTPCPP but it does not use the LibZRTP made by Philip Zimmermann that SilentCircle itself licenses (LibZRTP SDK) https://silentcircle.com/web/zrtp-sdk/

Werner Dittmann works for Silent Circle.

* It does use an outdated version of ZRTPCPP library?

Looking at libs/zrtp/Changelog it does use ZRTPCPP 1.5.2 version (released on 05-Dec-2010). Latest version is libzrtpcpp 2.3.2 (released on 20-Nov-2012). ZRTPCPP 1.5/1.6/2.3 download: http://ftp.gnu.org/gnu/ccrtp/ .

* It does reveal their test/development server?

In the file ./apple/ios/VoipPhone/settings.txt there is the hostname fs-devel.silentcircle.org with ip 50.116.49.43

Do we have that code too? It would be nice to have a full development environment to play with / even a fake one would have its uses.

That's a nice inquiry. It would be also very interesting, while I think it's not doable technically for smartphone platforms' constraints, to have "Deterministic Building" to always have the exact checksum of files given the same build process repeated in the same environment (unfortunately that's a hard topic, due to various timestamps and stuff that the linker puts into the executable files).

//AppStore binaries are encrypted/heavily obfuscated...

right, proving the released binary matches the released source code is hard.

Unless the build is reproducible and verifiable, releasing the source is pretty meaningless.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
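
An added example, not part of the original post or of the Silent Circle code: the bundled-library check the post describes for PolarSSL, written as a script that lists every vendored copy in a source tree and flags those older than a given release. It assumes each copy ships a `polarssl/version.h` that defines `POLARSSL_VERSION_STRING`; the directory layout below is a constructed sample, not the repository's real paths.

```shell
#!/bin/sh
# Added example: inventory vendored PolarSSL copies and flag outdated ones.
# Assumption: each copy ships polarssl/version.h with POLARSSL_VERSION_STRING.

# Print "<version> <path>" for every PolarSSL version.h below directory $1.
polarssl_versions() {
    find "$1" -type f -name version.h -path '*polarssl*' | sort |
    while IFS= read -r f; do
        v=$(sed -n 's/^#define[[:space:]]*POLARSSL_VERSION_STRING[[:space:]]*"\([0-9.]*\)".*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then printf '%s %s\n' "$v" "$f"; fi
    done
}

# Return 0 when dotted version $1 is older than $2 (numeric compare per field).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print "OUTDATED <version> <path>" for copies older than minimum version $2.
outdated_polarssl() {
    polarssl_versions "$1" | while read -r v f; do
        if version_lt "$v" "$2"; then printf 'OUTDATED %s %s\n' "$v" "$f"; fi
    done
}

# Constructed sample tree (not the repository's real layout): two bundled copies.
make_sample_tree() {
    d=$(mktemp -d)
    for v in 1.1.1 1.1.4; do
        mkdir -p "$d/libs/polarssl-$v/include/polarssl"
        printf '#define POLARSSL_VERSION_STRING "%s"\n' "$v" \
            > "$d/libs/polarssl-$v/include/polarssl/version.h"
    done
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
outdated_polarssl "$tree" 1.2.5   # 1.2.5 is the latest release named in the post
rm -rf "$tree"
```

A listed copy only shows what is bundled in the tree; whether the build actually links it, which the post raises for 1.1.1 versus 1.1.4, still has to be confirmed from the build files.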