Silk Road forums
Discussion => Security => Topic started by: Kiwikiikii on June 30, 2013, 09:51 pm
-
http://threatpost.com/several-flaws-discovered-in-zrtpcpp-library-used-in-secure-phone-apps-2/
"A security researcher has uncovered a number of serious vulnerabilities in one of the core security components of several secure telephony applications, including the Silent Circle system developed by PGP creator Phil Zimmermann. The vulnerabilities in the GNU ZRTPCPP library already have been addressed in a new version of the library and Silent Circle has implemented a fix, as well. ZRTPCPP is a library that implements the ZRTP protocol that Zimmermann and others developed to establish secure sessions over a pre-existing connection. Silent Circle, which sells a cryptographically secure mobile phone application, and several other products implement the ZRTPCPP library, and Mark Dowd of Azimuth Security has identified several vulnerabilities in the library that could give an attacker the ability to get remote code execution. Dowd said that the bugs can be exploited by remote, unauthenticated users."
-
Thanks for the heads up. Looks like these bugs were fixed before the disclosure.
-
https://twitter.com/whispersystems/status/350299634834477057
Redphone not affected
Be careful trusting guardianproject.info apps. Though a noble cause, there are problems with their SSL certs not being pinned inside the apps, and Gibberbot is still open to practical MITM attacks because of it unless you're using a .onion XMPP/Jabber server.
http://www.thoughtcrime.org/blog/strongtrustmanager-mitm/
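The pinning point raised in the post above, as an added example that is not code from the thread, the Guardian Project, Whisper Systems or the linked blog: a standard-library Python check that pins the hash of a server's SubjectPublicKeyInfo (the public key block inside the certificate) and rejects any certificate carrying a different key, even one with the same subject name. The DER builder, the name `xmpp.example` and the key bytes are constructed for the demo; a real client would apply `pin_check` to the DER certificate it receives from the TLS handshake.

```python
"""SPKI certificate pinning, illustrated with constructed DER blobs.

Pinning compares the hash of the server's public key (SPKI) against a
value shipped inside the app. A man-in-the-middle who gets any other
certificate for the same name still fails the check, because the key
differs. Everything here is standard library only.
"""
import base64
import hashlib

# --- minimal DER encoder (constructed for this example) ---
SEQ, INT, BITSTR, NULL, OID, SET, UTF8, UTCTIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x31, 0x0C, 0x17


def der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def toy_certificate(subject: bytes, public_key: bytes, serial: int = 1) -> bytes:
    """Build a blob laid out like an X.509 v3 Certificate.

    Field contents are placeholders (no real signature); only the structure
    matters here, in particular that SPKI is field 6 of the TBSCertificate.
    """
    version = der(0xA0, der(INT, b"\x02"))  # [0] EXPLICIT version v3
    serial_no = der(INT, bytes([serial]))
    sig_alg = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(NULL, b""))
    name = der(SEQ, der(SET, der(SEQ, der(OID, b"\x55\x04\x03") + der(UTF8, subject))))  # CN=subject
    validity = der(SEQ, der(UTCTIME, b"130101000000Z") + der(UTCTIME, b"140101000000Z"))
    rsa_alg = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(NULL, b""))
    spki = der(SEQ, rsa_alg + der(BITSTR, b"\x00" + public_key))
    tbs = der(SEQ, version + serial_no + sig_alg + name + validity + name + spki)
    signature = der(BITSTR, b"\x00" + b"\xAA" * 32)  # placeholder, never verified here
    return der(SEQ, tbs + sig_alg + signature)


# --- minimal DER reader ---
def der_read(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, tlv_end) for each element inside a constructed TLV."""
    pos = start
    while pos < end:
        tag, _, cend = der_read(buf, pos)
        yield tag, pos, cend
        pos = cend


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER certificate."""
    _, cert_start, _ = der_read(cert_der, 0)          # outer Certificate SEQUENCE
    _, tbs_start, tbs_end = der_read(cert_der, cert_start)  # TBSCertificate
    fields = list(der_children(cert_der, tbs_start, tbs_end))
    idx = 6 if fields[0][0] == 0xA0 else 5  # v1 certs omit the [0] version field
    _, start, end = fields[idx]
    return cert_der[start:end]


def spki_pin(cert_der: bytes) -> str:
    """Pin value in the usual form: base64(sha256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_check(cert_der: bytes, pinned: set) -> bool:
    """Accept the certificate only if its key matches a pin shipped in the app."""
    return spki_pin(cert_der) in pinned


# Constructed keys: the server's and an interceptor's.
SERVER_KEY = b"\x01" * 32
MITM_KEY = b"\x02" * 32
LEGIT_CERT = toy_certificate(b"xmpp.example", SERVER_KEY)
MITM_CERT = toy_certificate(b"xmpp.example", MITM_KEY)  # same name, different key
PINS = {spki_pin(LEGIT_CERT)}  # what the app would ship


def demo():
    """Returns (legitimate accepted, MITM accepted)."""
    return pin_check(LEGIT_CERT, PINS), pin_check(MITM_CERT, PINS)


if __name__ == "__main__":
    ok, mitm = demo()
    print("legitimate cert accepted:", ok)
    print("MITM cert accepted:", mitm)
```

Pinning the SPKI rather than the whole certificate is deliberate: a renewed certificate for the same key (different serial and validity) still matches the pin, so routine renewals do not break the app, while any certificate with a different key is rejected regardless of which CA signed it.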