Vulnerabilities found in code library used by encrypted phone call apps

[InfoSec News <alerts () infosecnews org>]

https://www.computerworld.com/s/article/9240473/Vulnerabilities_found_in_code_library_used_by_encrypted_phone_call_apps

By Lucian Constantin
IDG News Service
July 1, 2013

ZRTPCPP, an open-source library that's used by several applications 
offering end-to-end encrypted phone calls, contained three vulnerabilities 
that could have enabled arbitrary code execution and denial-of-service 
attacks, according to researchers from security firm Azimuth Security.

ZRTPCPP is a C++ implementation of the ZRTP cryptographic key agreement 
protocol for VoIP (voice over IP) communications designed by PGP creator 
Phil Zimmermann.

The library is used by secure communications provider Silent Circle in its 
Silent Phone app, as well as by other programs that support encrypted 
phone calls, including CSipSimple, LinPhone, Twinkle, several client apps 
for the Ostel service and "anything using the GNU ccRTP with ZRTP 
enabled," said Azimuth Security co-founder Mark Dowd in a blog post on 
Thursday.

Following the recent reports about the U.S. National Security Agency's 
data collection programs that appear to cover Internet audio 
conversations, there's been an increased interest into encrypted 
communication services from end users.

[...]



--
Visit the new and improved InfoSec News website
http://www.infosecnews.org/