Azimuth Security: June 2013 <body onload='MM_preloadImages(&apos;;,&apos;;,&apos;;,&apos;;)'><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src=""></script> <script type="text/javascript"> gapi.load("", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: '\x3d509652393303233687\x26blogName\x3dAzimuth+Security\x26publishMode\x3dPUBLISH_MODE_HOSTED\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3d\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3d\x26vt\x3d1038547295672672920', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>
azimuth security services training resources about BLOG
project zeus
"You will not be informed of the meaning of Project Zeus until the time is right for you to know the meaning of Project Zeus."
Current Posts
April 2010
May 2010
August 2010
September 2012
February 2013
March 2013
April 2013
May 2013
June 2013
December 2013
March 2014
January 2015
Attacking Crypto Phones: Weaknesses in ZRTPCPP
Attacking Crypto Phones: Weaknesses in ZRTPCPP
posted by Mark @ 6/27/2013 09:08:00 AM  

In the wake of the recent NSA / Prism debacle, there has been a large push for secure, encrypted communications for the average user. This essentially means employing cryptography solutions in order to protect private communications from eavesdroppers (government or otherwise). Whilst this is a very positive course of action that user's can undertake, it makes sense to perform some evaluation of the security products upon which your communications are entrusted - does the attack surface change? Are there new avenues of exposure that didn't previously exist? With this in mind, I decided to take a brief look at the GNU ZRTPCPP library (, which is a core security component of various secure phone solutions (perhaps most notably, the impressive SilentCircle suite of applications). This blog post discusses several vulnerabilities that were uncovered in this initial audit. Note that these vulnerabilities can be triggered by un-authenticated, untrusted, remote parties, and affects the following software:

* SilentCircle (SilentPhone)
* CSipSimple
* Some of the Ostel clients (they use CSipSimple)
* LinPhone
* Twinkle
* Anything using the GNU ccRTP with ZRTP enabled

.. and possibly others. These vulnerabilities were recently reported by Azimuth to ZRTPCPP author/maintainer Werner Dittman who turned around fixes in a very short space of time, and also co-ordinated with some of the other vendors mentioned above. The remainder of this blog outlines some of the most major issues that were uncovered.

(UPDATE: The github now contains the fixes for these bugs, and SilentCircle has made their updates available via Google/Apple's app-stores).


© Copyright 2013 Azimuth Security Pty Ltd