[cryptography] Micro-SD card encrypts voice on mobile phones

Ralf Philipp Weinmann ralf at coderpunks.org
Fri Dec 3 05:41:05 EST 2010


On Dec 2, 2010, at 4:26 AM, Steven Bellovin wrote:

> http://www.cellular-news.com/story/46690.php 
> 
> I know nothing more about this...

So I'm late to the party, but I have done some more digging into this. It looks like a classical case of Schneier's famous parking lot security fail to me:

http://coderpunks.org/pics/parking_lot_security_fail.jpg

So you have a EAL 5+ certified smart card controller in a microSD card enclosure interfacing to a (hopefully!) semi-hardened cellphone operating system with some proprietary software that does an ECDH key exchange over P-521? Great, I applaud you for your markmanship (NOT!) and lack of ingenuity, Giesecke and Devrient. Looks like that smartcard market is faltering with those talks about Virtual SIMs for GSM/3GPP phones and you're looking for other fields to sell your products?

Did you also cut the wires between the microphone and your baseband chip (I know some vendors of cryptophones who do that, notably GSMK)? Oh, you didn't? Bad luck for you, people will own the shit out of you in the very near future (if they haven't already):

https://cryptolux.org/media/deepsec-aybbabtu.pdf

I gave that presentation at DeepSec in Vienna (an academic paper is under submission and available upon request) last week with a live demo turning on auto-answer on an iPhone 2G (my USRPv1 with the 52MHz is busted at the moment; newer hardware has tuning problems with the USRP I borrowed - it was a stock one with a 64MHz clock).

Also, I wouldn't exactly call this technology new ("The market has never seen anything like this product" states their director of PR drivel, Marcus Rosin) as secusmart and T-Systems have allegedly shipped a product that is used by German chancellor's Merkel's cellphone (Simko2, a Nokia phone with a SecuVoice microSDc card).

Cheers,
RPW


More information about the cryptography mailing list