Category: BlackBerry

Verizon Launches Voice Cypher Secure VoIP Mobile App… With A Government Backdoor

Verizon Wireless this week did something that initially seemed quite impressive – they launched “Voice Cypher”, an app available for iOS, Android and BlackBerry that promises secure end-to-end encryption. It uses VoIP and is an “over-the-top” (OTT) app that works on any carrier. If you read the marketing material on their web site, it all sounds great! Indeed their “Learn More” page has all the right buzzwords and security lingo – and says quite clearly: “Voice Cypher provides end-to-end encryption between callers, even if the call crosses over multiple networks.” They include the requisite network diagram that shows how it protects against all threats:

[Image: Verizon Wireless Voice Cypher network diagram]

It turns out there’s just one small little detail … as reported by Bloomberg Businessweek, the app comes complete with a backdoor so that Verizon could decrypt the phone calls if requested to do so by law enforcement!

As the Businessweek article states:

Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so.

Unfortunately, in this post-Snowden era I don’t know that many of us put a great amount of trust in our governments to only access communications with a “legitimate law enforcement reason”.  Or perhaps the concern is that what gets classified as “legitimate” can be widely construed to mean almost anything.

The article does note that Verizon is bound by CALEA to provide lawful intercept to the phone networks, but points out an interesting caveat that Verizon could have used:

Phone carriers like Verizon are required by U.S. law to build networks that can be wiretapped. But the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law.

A Verizon Wireless representative indicated that they believe government agencies looking for ways to protect sensitive information may be customers of this service, as may be corporate customers concerned about leaking private information.

But… as we continue to hear more and more information about the massive amount of pervasive monitoring and surveillance by government agencies from many different governments around the world, you do have to wonder how safe those agencies and companies will feel with a “secure” solution that already comes with a backdoor.  The problem with a known backdoor is that even if you may trust Verizon Wireless to only allow legitimate law enforcement access… how do you know that some attacker may not be able to penetrate that backdoor?   The “secure end-to-end encryption” isn’t entirely secure.

Given that the service has a higher price tag of $45 per month per device, I do wonder how many businesses or agencies will actually embrace the service.

On reading about this Voice Cypher service, it certainly sounds quite interesting.  We need more secure voice solutions out there – and it’s very cool that Verizon Wireless is delivering this as an OTT mobile app that will work across different carriers.

It’s just too bad that it’s not truly “secure end-to-end”.  :-(

P.S. I also recorded an audio commentary on this same topic.

BlackBerry’s New Blend Application Requires IPv6 Networking

Yesterday BlackBerry held a series of events announcing their new “Passport” smartphone as well as an application called “BlackBerry Blend” that lets you use your computer or tablet (including iOS and Android tablets) in conjunction with the Passport phone. There was a good bit of media coverage, almost all focusing on the Passport phone itself.

One interesting fact to emerge, though, is that the BlackBerry Blend application requires IPv6 networking in order to function.

NOTE – it does not seem to require IPv6 connectivity, i.e. your network doesn’t have to have actual IPv6 addressing and connectivity to the IPv6 Internet, but your network needs to allow IPv6 networking.

This is stated very clearly under “Step 1” on Getting Started with BlackBerry Blend and even more clearly in a knowledge base article titled “Unable to connect to BlackBerry Blend due to ipv6 being blocked on the computer”. That support document states:

Overview
BlackBerry Blend is unable to connect to, or communicate with the BlackBerry 10 smartphone when IPv6 traffic is being blocked.

Cause
An item in the network environment such as a VPN connector, firewall, network adapter setting, or anti-virus software is blocking or preventing IPv6 traffic.

Resolution
IPv6 is a requirement for BlackBerry Blend to connect and communicate with the BlackBerry Smartphone. In order to complete the connection, IPv6 traffic will need to be enabled or allowed in the network environment.

So you apparently don’t necessarily have to have actual IPv6 connectivity… but you can’t be blocking IPv6 packets on the WiFi network that Blend is using to communicate with the Passport smartphone.

Similarity to Apple’s Back To My Mac

I can’t yet find any further information on exactly how BlackBerry is using IPv6 to make the connection between your computer or tablet and the smartphone. However, on a certain level it sounds similar to what Apple does with their Back To My Mac (BTMM) function that is now part of their iCloud service. BTMM allows you to connect from one Mac back to another Mac to share files or to “share the screen” and remotely operate that remote Mac. Apple has more info about BTMM in its iCloud support area.

Similarly, BlackBerry Blend lets you connect from your computer or tablet to your Passport smartphone to be able to send and receive messages, view your calendars, transfer files, access internal websites using the Passport’s connection, etc. Effectively you are “remotely” managing the Passport smartphone from the tablet or computer, although unlike Apple’s BTMM you aren’t manipulating the actual desktop of the device but rather using the services and applications on the Passport.

The IPv6 connection comes in through the work of a team from Apple, UCLA and Toyota who documented how Apple’s BTMM service works in RFC 6281 and showed how it essentially creates an IPv6 “tunnel” over IPv4 between the two Macs. It’s well worth a read to understand how Apple did this.

Unlike what BlackBerry Blend apparently does, Apple tunnels all of its IPv6 packets over IPv4, so it doesn’t care what the local network does with IPv6. Apple’s BTMM is also designed to work anywhere across the entire Internet, while BlackBerry Blend is designed to work only across the local WiFi network. (The device running the BlackBerry Blend app and the Passport smartphone must both be on the same WiFi network to communicate.)

Still, it sounds like BlackBerry is creating some kind of IPv6 “tunnel” between the Blend app and the Passport device.

BlackBerry Assumes IPv6 Will Be Allowed

However, it seems BlackBerry assumed that IPv6 packets would not be blocked on the local WiFi network or on the computer running the Blend app. That is probably a safe assumption for many or even most networks, but I’ve heard of some enterprise networks that have not yet moved from IPv4 and are restricting IPv6 to prevent any unknown communication. It is on those networks that Blend may have trouble working.

The reality is that the world is moving to IPv6 and so network operators MUST understand IPv6 security so that they can create appropriate IPv6 security policies that securely allow IPv6 traffic, rather than just blindly blocking IPv6.

BlackBerry’s Blend is just one of the first apps we’ll see assuming IPv6 is allowed. I’m sure there will be many more in the years ahead. Network operators who don’t at least allow IPv6 will find themselves with people or customers who are unhappy that they can’t use these new applications and services. Time to make IPv6 happen! (Or at least not block it!)
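To make the difference between blindly blocking IPv6 and a policy that allows it concrete, here is an added example (not part of the original post and not BlackBerry’s code) that audits the INPUT chain of a Linux host’s `ip6tables -S` output and reports whether on-link IPv6 can work at all. It assumes a Linux host filtered with ip6tables; the function name, the rule sets and port 49152 are constructed for illustration.

```python
import shlex

# Inbound ICMPv6 a host needs for on-link traffic (RFC 4861):
# type 135 neighbor solicitation, type 136 neighbor advertisement.
ND_TYPES = {"135", "136"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def audit_ipv6_input(rules_text):
    """Classify the INPUT chain of `ip6tables -S` text: (verdict, missing ND types).
    Simplified: numeric --icmpv6-type only; conditional DROP/REJECT rules ignored."""
    default, nd_ok = "ACCEPT", set()
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            default = tok[2]
        elif tok[:2] == ["-A", "INPUT"] and "-j" in tok:
            j = tok.index("-j")
            match, target = tok[2:j], tok[j + 1]
            if not match and target in TERMINAL:
                default = target  # unconditional: later rules are never reached
                break
            if target == "ACCEPT" and ("ipv6-icmp" in match or "icmpv6" in match):
                if "--icmpv6-type" in match:
                    nd_ok.add(match[match.index("--icmpv6-type") + 1])
                else:
                    nd_ok |= ND_TYPES  # every ICMPv6 type accepted
    if default == "ACCEPT":
        return "no-filter", []
    missing = sorted(ND_TYPES - nd_ok)
    if len(missing) == len(ND_TYPES):
        return "blind-block", missing
    return ("nd-incomplete" if missing else "on-link-ok"), missing

# Constructed rule sets in `ip6tables -S` format (not taken from the page).
# Port 49152 is a placeholder: the page does not say what Blend listens on.
SAMPLES = {
    "blind_policy": "-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT DROP\n",
    "blind_rule": "-P INPUT ACCEPT\n-A INPUT -j DROP\n-A INPUT -p ipv6-icmp -j ACCEPT\n",
    "partial": "-P INPUT DROP\n-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT\n",
    "scoped": "-P INPUT DROP\n"
              "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
              "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT\n"
              "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT\n"
              "-A INPUT -s fe80::/10 -p tcp -m tcp --dport 49152 -j ACCEPT\n",
}

if __name__ == "__main__":
    for name, rules in SAMPLES.items():
        print(f"{name:13} {audit_ipv6_input(rules)}")
```

The `blind_rule` sample shows why rule order matters: the ICMPv6 accept rule sits after an unconditional DROP, so it is never reached and the host is still blocking all IPv6.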

P.S. If you want to get started with IPv6, please visit our “Start Here” page to find resources targeted at your role or type of organization. And please let us know if you need more information!