1. Blackphone rooted at Defcon — Parts 1 & 2
2. News From The World Of Government Spyware
3. BBM Unprotected
4. Blackphone: Privacy People WANT to Buy
5. Why Are We Competing with Phone Makers, Skype and Telecom Carriers – All in the Same Week?
6. Silent Text 2.0: The next generation of private messaging
7. Our Move to Switzerland
8. 10 Tips To Protect Your Privacy While Traveling
9. Finishing Up From Heartbleed
10. Heartbleed Bug

Blackphone rooted at Defcon — Parts 1 & 2

From Dan Ford, Chief Security Officer of SGP Technologies at this year’s Def Con – Mike Janke:

Greetings from Def Con! Thus far Team Blackphone has been having a very positive Con. We have been receiving a lot of positive feedback and praise for taking on the flag of building and maintaining a secure and private smartphone system. This was a challenge that we knew full well would not be easy, but if it were easy then anyone could do it.

The researcher @TeamAndIRC was a little miffed at our initial response to his inquiry and I understand his point. In response, he had a t-shirt made that stated he rooted the Blackphone at Def Con. The ironic part to this is I would have absolutely gone over and made that t-shirt for him myself once the full vulnerability was explained.

Read the entire post here.

For Dan’s Part 2 post click here.

News From The World Of Government Spyware

We have gotten a report that the commercial/government spyware system FinFisher has themselves been hacked and that documents, code, etc. have been posted online. Our friends who have looked at some of these leaked documents have told us that they have a module using some set of malware to get to the video camera of a cell phone. We have been told that there are decode modules for pictures and video of a variety of systems including Silent Phone.

Our understanding is that this is a compromise of the base system itself, and not of our apps or services. We also understand that this requires a jailbroken or rooted device to work at all. We are evaluating our software and systems to see if there is anything we need to do ourselves. We will let you know more as we do.

BBM Unprotected

A recent post from Dan Ford, Chief Security Officer of SGP Technologies (maker of Blackphone) comparing BBM and Silent Text’s security – Mike Janke:

Recently some of you may have noticed that BlackBerry turned their attention to us. The basis was that our friends in Canada made various claims about Blackphone and suggested their closed end-to-end solution was the only way to ensure adequate “corporate” security. Therefore, they claimed, our inaugural launch product which started shipping on June 30 wasn’t competitive with their complete infrastructure which resulted from 15+ years of R&D. Our response was that there is more than one way to solve this kind of problem.

Read Dan’s entire post here.

Blackphone: Privacy People WANT to Buy

This is a direct excerpt from Toby Weir-Jones, CEO of SGP Technologies (maker of Blackphone) in response to a recent Blackberry Blog post – Mike Janke:

Dear Privacy Enthusiast,

On July 11, our friends at Blackberry posted an article about, of all things, us! The piece goes to some effort to suggest that BP1 is “consumer-grade”, and therefore “inadequate” for business users. Setting aside the fact that we think consumers deserve the same security as companies, we weren’t surprised the piece extols the virtues of Blackberry’s own solutions at our expense…

Read the rest of Toby’s comments here.

Why Are We Competing with Phone Makers, Skype and Telecom Carriers – All in the Same Week?

It’s simple: because we believe that technology should be a force for good. As a result, we’re developing technologies and products that disrupt the industries we’ve rapidly come to accept as “traditional” industries – telcos, tech companies, phone makers. Why – because those industries have ended up as a raw deal for people.

The result is we offer better value and a more secure communication ecosystem for enterprises and individuals seeking privacy and security. And we’re only just getting started.

Last week we shipped our Blackphone, which was selected as one of the Top 10 Devices of the Year at Mobile World Congress as well as one of the Top 10 Breakthrough Technologies of 2014 by MIT Technology Review.

Today, we launched the world’s first Global Encrypted Calling Plan. The first of its kind, a pink unicorn that is the brainchild of my co-founders Phil Zimmermann and Jon Callas. This unique innovation is already causing serious concern among major telecom companies around the world. We are not only exploiting massive holes in the market, we are attacking them. Our newly expanded Global Encrypted Calling Plans are up to 50% less expensive than many of the telecoms’ existing plans, but our coverage offers about 45 more countries than they do; and oh, by the way, it’s encrypted to the public switched telephone network. That is something no other company offers in the marketplace today. We are literally saving businesses tens of thousands of dollars a month.

With each of our products, we are doing things that no one else does. Individually they are best-in-class. In combination, it’s a new approach to communication. It’s as simple as that.

The Skype Disruption

Now let’s talk about Skype, the wiretap-friendly communication tool that started out with great intentions and was a real breakthrough many years ago. Today, Skype is banned from use in many of the Fortune 1000 companies and shunned by anyone expecting some level of privacy. I don’t necessarily fault Microsoft, as prior to the summer of Snowden every major technology company was capitulating on some level to its host-country intelligence service – in almost every country. Things are different now. The world now understands that a Skype call is not private between users, and if you are fine with that, well, I see no reason to fault you. Businesses understand that their intellectual property and competitive edge can be destroyed literally overnight by a communication leak.


Today, we take on Skype, Viber, Ring Central and others as well. Not only by providing a secure alternative but also in price and reach. Skype’s website lists its premier global plan as covering 8 countries mobile and 63 landline for $13.99 per month. Our encrypted calling is secure to a country’s PSTN network, covers 41 mobile and 79 landline countries, allows you to choose a phone number from 26 countries, receive calls from anywhere, anytime, and you can choose 100, 250, 500 or 1000 global minutes. Oh, we also give you all three of our secure apps with the plan, so you can call, text or video-chat completely end-to-end encrypted. Skype? Uh, no.

A True Virtual Operator – Disrupting the Telecoms

If there was one industry that is ripe for disruption, I would choose the telecommunications industry. In some countries and regions, the evil “roaming charge” represents up to 30% of a telecom’s EBITDA. In Europe alone, one of the top expenses for a business or consumer is simply roaming and long distance charges. One of my good friends, Beat Geissler, is a Swiss native, former Swisscom executive, entrepreneur and investor who now lives in Berlin. He spends upwards of 2,500 CHF on roaming and long distance calls – a month! Now, as a member of Silent Circle, it’s just $40 a month. One of our Fortune 100 customers in Zurich has estimated they will save over $38,000 a month AND be secure using Silent Phone. That is real disruption, not just a stupid word that gets tossed around management meetings.

We are now becoming a “Secure Virtual Operator” in the truest sense. We can challenge phone makers and telecoms from our office and network in Switzerland. We do not incur the billions of dollars of CAPEX and expenses that telecoms spend on infrastructure a year – instead we utilize that infrastructure to send encrypted voice, video, text, files, conference calls and secure-to-PSTN calls over the world’s existing backbone, at lower cost and more securely than any telecom can.

There are, however, a few unique and innovative telecom leaders out there. Carlos Slim at América Movíl, Eelco Block at KPN, Olaf Swantee at EE and Augie Fabela at Vimpelcom are the real visionaries who look beyond each quarter’s results and try to embrace the future while helping shape it. They get it. The others? Well, so far – no. These innovators have embraced Blackphone, our Global Encrypted Calling Plans and our Software-as-a-Service to stay ahead of disruption and shape their future markets. They also see things that others are too slow to react to. They actually do things “FOR” the customer, not “TO” the customer. Eventually, we will handle every facet of operations – virtually. We will not need 10,000 customer service reps in Bangladesh or confusing options and massive CAPEX expenses. All of it end-to-end encrypted or secure to the PSTN network.

Becoming The Enterprise Device of Choice

Many of the prognosticators and pundits did not see this global shift coming. Only two of the phone makers are making money, Apple and Samsung. Those two also happen to be squeezing the Telecoms by taking a percentage of their data plans sold and forcing things on them. The rest of the pack (LG, Nokia, Sony, Motorola, Blackberry, etc.) have been losing billions. Some have decided to give up on chasing Apple and Samsung and instead have chosen to chase the $100-phone emerging markets; others are still in limbo trying to figure out what they will do next. We snuck in the back door, by offering the most secure commercial device system on the market. We don’t want to sell 100 million phones, we simply want to own the secure enterprise and prosumer market. It’s a journey for us and will take time, but it’s already happening. Come join us for the ride.

Mike Janke

CEO, Silent Circle.

Silent Text 2.0: The next generation of private messaging

Our release of Silent Text 2.0 (ST-2) is a major rewrite of our previous product and harbinger of some of the technology that Silent Circle will be using to improve the security and refine the user experience of our customers. We have learned quite a bit about how our customers use messaging over mobile devices and have rolled much of their feedback into this release.

The primary impetus behind ST-2 was to address the following:

Eliminate the keying delay.

The prevailing end-to-end security algorithms were designed with the assumption that both parties are concurrently present on the network. This often isn’t the case for mobile devices. Ideally you should be able to start sending secure messages without waiting for the recipient to respond, but without sacrificing the level of security and end-to-end encryption provided by the key exchange that we employ in our current product.

To this end we have invented Progressive Encryption technology, a hybrid of both public key and ephemeral key agreement protocols. The SCIMP protocol used by Silent Text 2 incorporates this technology, enabling the sender to securely transport messages on the first packet and simultaneously transition to hash-committed Diffie-Hellman. All without the annoying push notifications for keying events.

We have also added some new non-NIST cryptographic algorithms to our protocol, including Twofish, Skein and the Bernstein–Lange elliptic curve Curve41417.
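As an added illustration of the idea described above (it is not SCIMP, not Silent Circle’s code, and not the Silent Text wire format), the script below shows the shape of a “progressive” keying exchange: the sender encrypts the very first packet under a key derived from the recipient’s long-term public key, so nothing waits for the recipient to be online, and in the same packet commits to the hash of an ephemeral Diffie-Hellman share that is only revealed after the recipient has answered. The toy group parameters, the packet layout, the labels and the hash-based stream cipher are assumptions chosen for readability; the recipient’s check that the revealed share matches the commitment is the part that matters.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption: a small Mersenne prime and a
# fixed generator so the arithmetic is readable). Real deployments use
# standard groups or curves such as Curve41417; never use these values.
P = 2**127 - 1
G = 3


def keygen():
    """Return a (private, public) pair in the toy group."""
    x = secrets.randbelow(P - 3) + 2          # 2 <= x <= P-2
    return x, pow(G, x, P)


def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")              # P < 2**128, so 16 bytes always suffice


def kdf(label: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256, standing in for a KDF and for the commitment hash."""
    return hashlib.sha256(label + b"".join(parts)).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(kdf(b"stream", key, nonce, i.to_bytes(4, "big")) for i in range(blocks))[:n]


def seal(key: bytes, msg: bytes):
    """Encrypt-then-MAC with a hash-based keystream (stand-in for a real cipher such as Twofish)."""
    nonce = secrets.token_bytes(12)
    ct = bytes(m ^ s for m, s in zip(msg, _stream(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))


def progressive_session(first_text: bytes, later_text: bytes, tamper: bool = False):
    """Run one sender (Alice) / recipient (Bob) exchange. Returns
    (first message as Bob read it, later message as Bob read it or None, keys agree?)."""
    # Bob's long-term key. Assumption: Alice already holds and has verified bob_pub.
    bob_priv, bob_pub = keygen()

    # --- Alice, packet 1: sent while Bob may be offline ---
    a0, A0 = keygen()                                  # ephemeral, paired with Bob's static key
    a1, A1 = keygen()                                  # ephemeral for the committed DH
    k0 = kdf(b"k0", i2b(pow(bob_pub, a0, P)))          # g^(a0*b): usable immediately
    commit = kdf(b"commit", i2b(A1))                   # hash commitment to A1
    packet1 = (A0, commit, seal(k0, first_text))

    # --- Bob, on receipt: reads packet 1 with no prior round trip ---
    A0_r, commit_r, sealed1 = packet1
    k0_b = kdf(b"k0", i2b(pow(A0_r, bob_priv, P)))     # the same g^(a0*b)
    first_seen = unseal(k0_b, *sealed1)
    b1, B1 = keygen()
    packet2 = B1                                       # Bob's DH share, sent in reply

    # --- Alice, packet 3: reveals A1 and ratchets to k1 ---
    packet3 = A1 if not tamper else keygen()[1]        # tamper: a share that was never committed to
    k1_a = kdf(b"k1", k0, i2b(pow(packet2, a1, P)))    # binds the ephemeral DH to k0

    # --- Bob: the revealed share must match the commitment, otherwise abort ---
    if not hmac.compare_digest(commit_r, kdf(b"commit", i2b(packet3))):
        return first_seen, None, False
    k1_b = kdf(b"k1", k0_b, i2b(pow(packet3, b1, P)))
    later_seen = unseal(k1_b, *seal(k1_a, later_text))
    return first_seen, later_seen, k1_a == k1_b


if __name__ == "__main__":
    print(progressive_session(b"first message", b"second message"))
    print(progressive_session(b"first message", b"second message", tamper=True))
```

Two things the toy makes visible: k0 depends on Bob’s long-term key, so the first packet is readable as soon as it arrives but is only as forward-secret as that key, while k1 mixes in a fresh ephemeral agreement; and because A1 is fixed by its hash in packet 1, a share chosen after seeing Bob’s reply is rejected at the commitment check rather than silently accepted.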

Better security for data at rest.

The iOS implementation has been substantially rewritten. We walked away from Apple’s CoreData and didn’t look back. We replaced it with YapDatabase, developed by our own very talented Robbie Hanson. This gave us amazing improvements in performance and reliability as well as substantially better anti-forensics on the data at rest. All the protocol security in the world won’t help you if your device is not well protected, and so we treat that with the same amount of concern. Robbie also wrote the XMPP Framework used by us and, it would seem, by many other iOS messaging apps.

Improvements in user experience.

We have come a long way here, too. On Silent Text iOS we have done a major redesign of the user experience to raise the standard for secure mobile messaging. You will find a plethora of new features, not least a native iPad split-screen experience and Silent Contacts, a built-in secure contacts book. Other highlights: messages can be queued while offline and sent later; return receipts for messages, which can be turned off on a per-conversation basis; and a secure media shelf to keep track of items such as documents and photos enclosed in messages.

The Future.

We have a number of things in the works across all of our platforms in the near future. Expect to see secure group conversations, as well as major improvements in cloud storage management. We have come a long way in the last two years and I believe you will be happy with where we are going.

[Screenshots: Silent Text on iPad; Silent Text 2.0 on iOS]

Our Move to Switzerland

Switzerland – the land of Privacy, Neutrality and now Silent Circle (not to mention great cheese, chocolate and watches). We are very much an international firm. We have employees scattered among 9 countries, data centers in Canada and Switzerland, and we count customers from over 130 countries with a heavy concentration of Global 1000 enterprise customers outside of North America. We decided to move our Headquarters from the Caribbean island of Nevis to Switzerland and move a lot of our customer service, finance, sales and operations into this new large office.

It was very important for us to remain a “Global Neutral Privacy Provider”, as well as a politically and religiously agnostic company. Switzerland has the world’s most robust privacy laws, fantastic business and financial resources and an incredibly business-friendly atmosphere. In addition to being the world’s center for human rights, global freedom of speech and an innovative technology hub, Switzerland is our perfect home. This move was a logical and easy decision for us. With over 75% of our customer base outside of North America and our joint venture company Blackphone also headquartered in our joint new office space in Switzerland – it was a natural move.

We will continue to grow our North America office in Washington, DC as well as our London office, but most of our new growth will take place in our new headquarters. So, if you find yourself in Europe or close to Switzerland, we are only a short hop or train ride away – so please do stop into our new Headquarters office to say hi.

10 Tips To Protect Your Privacy While Traveling


As the warmer weather of summer approaches you may be thinking about a trip or weekend getaway. Whether you’re planning on kicking it in Cabo or frolicking in the French Riviera, Silent Circle’s privacy gurus can help you to protect your privacy while traveling. Here is a countdown of some best practices…

10. Know your destination - If certain types of content are illegal in the jurisdiction of your destination or are at risk of being stolen, don’t bring it with you. Possessing illegal or enticing content will make your device an attractive target for confiscation or theft.

9. Use a screen filter - If you want to avoid those wandering eyes at the airport or the coffee shop when you are using your laptop, tablet, or phone, protect your information with a screen filter. This allows you to keep your electronic information private and confidential while working in a public place. There are a number of products on the market around $20 – $40, and the materials for the filters have improved over the last few years.

8. Keep a backup - Before you leave, make a backup of all the contents of the devices that you plan on taking on your trip. Delete any items off the device that you will not need, because if it isn’t there, it can’t be stolen! Be sure to password protect the backup and keep it safe at home. This way, if something happens to your device there is no need to fret (and it’s probably time to order a Blackphone anyway - shameless plug).

7. Don’t put devices in checked bags - While traveling, keep your devices with you at all times. Checking your devices makes them vulnerable to theft, damage, or loss. D’oh!

6. Keep things locked up - Your hotel room should have a safe, and it is important to use it to store valuables and devices. Be sure to lock up your valuables after you check in. It is a good idea to ask the hotel before making the reservation if they have a safe in the room. Conde Nast had some further advice on this topic. Note* – 1234 is NOT a good passcode.

5. Use strong passwords - Enable password protection on your devices and give them a strong password. For best practices on password protection visit our previous post on online privacy.

4. Turn off Bluetooth - Scammers are continuing to find new ways to exploit your device. In addition to WiFi, Bluetooth also creates vulnerabilities. If you do want to use Bluetooth, be smart about it and don’t accept pairing requests from unknown parties. Also, try to use a minimum of eight (8!) characters in your PIN. Of course, turn off your Bluetooth connection when you aren’t using it, especially in public areas - your credit history, your contacts, and your battery will thank you.

3. Be smart when using WiFi - Here’s a simple metaphor: we all need water, but you wouldn’t drink ANY water you could find. Well, the same is true for WiFi. Don’t trust any old network that you are connecting to – you never know what’s “floating” around in it (OK, no more metaphors). Use a VPN to connect to the Internet (perhaps Hotspot Shield, VyprVPN, Private WiFi, to name a few). Plus, it’s a good idea to turn off WiFi when you do not need access to the Internet.

2. Don’t announce on social media that you will be traveling - Posting about your upcoming travel plans on social media can make you or your property an easy target. If you use a travel site to book your trip, make sure to turn off the social sharing options that dump your travel details into someone else’s news feed. Stay mum about your next trip (don’t “check in” or use anything with geolocation) and wait until you get back to post pictures to make your friends jealous. Also, be mindful of your privacy settings on social media regarding who has access to your photos.

1. Use encryption - We’d be remiss not to mention this one. If your devices have the option to encrypt the storage, do it! This will give you peace of mind in the event your device is lost or stolen. If you haven’t encrypted your storage yet, try not to leave it to the last minute, as it can take over an hour to encrypt. Don’t even get us started on encrypted calling…

Always use caution when traveling and be mindful of your surroundings. Safe travels.

Finishing Up From Heartbleed

In our previous blog post on Heartbleed we said that we would tell you more when we had finished our own cleanup. We completed our work this weekend. We replaced all our SSL certificates, and that required us to update the Silent Text apps themselves. We would also like to give a shout-out to our CA, Entrust, who is giving free updates to certificates for any of their customers who want to replace an SSL certificate over this issue.

We have thus updated all of our affected servers, replaced all our certificates, updated our apps, and tested and verified everything. It’s been a busy few days, and our team has done a fantastic job keeping many things working as we revised the working infrastructure.

That means that there are two things that are a good idea for you, a subscriber, to do:

1. Change your password. Now that the servers have new certificates, this is the right time to do it.

2. Reset your devices. Silent Circle apps get provisioned with authentication tokens that let the app automatically connect to our servers and authenticate properly as a subscriber. There’s a unique authentication secret for every service (Silent Phone and Silent Text) and every device that you provision.

Just as Heartbleed could in theory leak passwords and keys, it could in theory leak the authentication tokens. By resetting the devices connected to your account, you throw away the existing tokens. You will need to re-provision your devices, but that’s simple.

You reset your devices by going to this page on accounts.silentcircle.com and clicking the reset button. That breaks the connection between our server and your apps.

Then restart the apps, and re-provision. On Android, you only need to type your username and password once, and that provisions all the apps. On iOS, you’ll need to type a username and password for Silent Phone, and get a provisioning code for Silent Text. We’ll have an update for Silent Text that makes this easier soon.

That’s it. Changing your password and resetting the apps tidies up all the security that could possibly have been leaked by Heartbleed.

Heartbleed Bug


We are sure that you have heard about the Heartbleed bug. Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL. The official reference to the Heartbleed bug is CVE-2014-0160. We want to give an update about how it does and does not affect Silent Circle.

We use a diversity of SSL systems in Silent Circle. Our whole Silent Phone infrastructure uses PolarSSL, not OpenSSL, and consequently is unaffected by this bug. Silent Text clients use the native SSL for iOS and Android, which is sometimes OpenSSL on Android, but the problem is primarily a server issue.

Our Silent Text servers and web servers use OpenSSL. All of our servers that use OpenSSL were upgraded within two hours of hearing about the Heartbleed bug. On those servers, over 99% of the observable traffic uses the Perfect Forward Secrecy crypto suites, and thus the existing risk is mitigated. We say “observable” because our customer account servers don’t log and we had to infer the statistics.

Silent Circle is secure, the threat has passed; the few servers that were vulnerable are upgraded. We are now looking at additional mitigations that we feel we should do, including replacing SSL server certificates. We’ll update you as soon as we have more to say.
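As an added example of the two checks behind the reasoning above, written for this page rather than taken from Silent Circle’s own tooling or data, the script below classifies negotiated cipher suites from a handshake log by whether their key exchange is ephemeral (forward secret) and computes the share of forward-secret handshakes, and it tests an OpenSSL version string against the release range Heartbleed (CVE-2014-0160) affects. The log lines are constructed for the example, the log format is an assumption, and the addresses come from documentation ranges.

```python
import re
from collections import Counter

# Constructed sample in the shape of a web server log that records the negotiated
# cipher suite using OpenSSL names. Not Silent Circle's data.
SAMPLE_HANDSHAKES = """\
2014-04-08T10:01:12Z client=203.0.113.5 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2014-04-08T10:01:13Z client=203.0.113.9 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384
2014-04-08T10:01:15Z client=198.51.100.7 proto=TLSv1.0 cipher=DHE-RSA-AES256-SHA
2014-04-08T10:01:20Z client=198.51.100.8 proto=TLSv1.0 cipher=AES128-SHA
2014-04-08T10:01:22Z client=203.0.113.14 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256
"""

CIPHER_RE = re.compile(r"\bcipher=(\S+)")
# OpenSSL 1.0.1 through 1.0.1f are affected by Heartbleed; 1.0.1g carries the fix.
# (The 1.0.2 beta builds of the time were also affected; they are not modelled here.)
VULN_OPENSSL_RE = re.compile(r"^1\.0\.1[a-f]?$")
BANNER_RE = re.compile(r"OpenSSL\s+(\S+)")


def is_forward_secret(cipher: str) -> bool:
    """Suites whose key exchange is ephemeral (EC)DH: the server's RSA key only signs,
    so a key that leaks later cannot decrypt a recorded session. Static-RSA suites
    such as AES128-SHA can be decrypted retroactively once the private key is known."""
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-"))


def pfs_share(log_text: str):
    """Return (forward-secret handshakes, total handshakes, fraction) for a log like the sample."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            counts["pfs" if is_forward_secret(m.group(1)) else "static"] += 1
    total = sum(counts.values())
    return counts["pfs"], total, (counts["pfs"] / total if total else 0.0)


def openssl_version_vulnerable(version: str) -> bool:
    """True for the 1.0.1 .. 1.0.1f release line that Heartbleed affects."""
    return VULN_OPENSSL_RE.match(version.strip()) is not None


def banner_vulnerable(banner: str) -> bool:
    """Apply the version check to the output of `openssl version`,
    e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = BANNER_RE.search(banner)
    return bool(m) and openssl_version_vulnerable(m.group(1))


if __name__ == "__main__":
    pfs, total, frac = pfs_share(SAMPLE_HANDSHAKES)
    print(f"{pfs}/{total} handshakes used a forward-secret suite ({frac:.0%})")
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(banner, "->", "vulnerable" if banner_vulnerable(banner) else "not affected")
```

The forward-secrecy share is the right number for the question the post answers (whether a private key read out of server memory would expose recorded sessions), but it is not a complete picture: Heartbleed reads whatever happens to be in process memory at the time, including session data and credentials, which is why the follow-up post also replaces certificates and invalidates device tokens rather than relying on the cipher suite statistics alone.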

© 2014 Silent Circle | Private Communications