Your iPhone Can Finally Make Free, Encrypted Calls, WIRED

If you're making a phone call with your iPhone, you used to have two options: Accept the notion that any wiretapper, hacker or spook can listen in on your conversations, or pay for pricey voice encryption software.

As of today there's a third option: The open source software group known as Open Whisper Systems has announced the release of Signal, the first iOS app designed to enable easy, strongly encrypted voice calls for free. "We're attempting to make private communications as available and accessible as any normal phone call," says Moxie Marlinspike, the hacker security researcher who founded the nonprofit software group. Later this summer, he adds, encrypted text messaging will be integrated into Signal, too, to create what he describes as a "single, unified app for free, effortless, open source, private voice and text messaging."

Signal encrypts calls with a well-tested protocol known as ZRTP and AES-128 encryption, in theory strong enough to withstand all known practical attacks by anyone from script-kiddie hackers to the NSA. But WIRED's test calls with an early version of the app, after a few false starts due to bugs that Marlinspike says have now been ironed out, were indistinguishable from any other phone call. The only sign users have that their voice has been encrypted is a pair of words that show up on the screen. Those two words are meant to be read aloud to the person on the other end of the call as a form of authentication. If they match, a user can be sure he or she is speaking with the intended contact, with no man-in-the-middle eavesdropping on the conversation and sneakily decrypting and then re-encrypting the voice data.
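A simplified model of the word-pair check described above, as an added example that is not Signal's or ZRTP's code: both ends hash the negotiated key into two words, and an interceptor who swaps the public keys leaves each end with a different key and so different words. The toy Diffie-Hellman group, the syllable table and the fixed private keys are constructed for illustration; the real protocol's message flow, hash commitment and word list are omitted.

```python
import hashlib

# Toy Diffie-Hellman group, chosen for brevity only (not a vetted DH group).
P = 2**255 - 19
G = 2

# Constructed syllable table: one byte maps to one pronounceable pseudo-word.
SYL = ["ba", "de", "fi", "go", "ku", "la", "me", "ni",
       "po", "ru", "sa", "te", "vi", "wo", "zu", "ha"]

def public_key(private):
    return pow(G, private, P)

def shared_secret(private, peer_public):
    return pow(peer_public, private, P)

def sas_words(secret):
    """Map the first 16 bits of a hash of the shared secret to two words."""
    digest = hashlib.sha256(secret.to_bytes(32, "big")).digest()
    return tuple(SYL[b >> 4] + SYL[b & 0x0F] for b in digest[:2])

def call(a_priv, b_priv, mitm_priv=None):
    """Return (caller_words, callee_words) for one call setup.

    If mitm_priv is set, an active interceptor replaces each side's public
    key with their own, so each endpoint shares a key with the interceptor
    rather than with the other endpoint.
    """
    a_pub, b_pub = public_key(a_priv), public_key(b_priv)
    if mitm_priv is not None:
        m_pub = public_key(mitm_priv)
        seen_by_a, seen_by_b = m_pub, m_pub
    else:
        seen_by_a, seen_by_b = b_pub, a_pub
    return (sas_words(shared_secret(a_priv, seen_by_a)),
            sas_words(shared_secret(b_priv, seen_by_b)))

# Constructed private keys, fixed so the demo is repeatable.
CALLER, CALLEE, ATTACKER = 0x1F3A9C57D2, 0x2B84E6109F, 0x3C75A1B8E4

if __name__ == "__main__":
    print("direct call:     ", call(CALLER, CALLEE))
    print("intercepted call:", call(CALLER, CALLEE, ATTACKER))
```

The check only works if the words are compared by voice over the call itself; a mismatch means the two ends do not hold the same key and the call should be dropped.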

As with any new and relatively untested crypto app, users shouldn't entirely trust Signal's security until other researchers have had a chance to examine it. Marlinspike admits "there are always unknowns," such as vulnerabilities in the software of the iPhone that could permit snooping. But in terms of preventing an eavesdropper on the phone's network from intercepting calls, Signal's security protections are "most likely pretty good," he says.

After all, the technology behind Signal isn't exactly new. Marlinspike first took on the problem of smartphone voice encryption four years ago with Redphone, an Android app designed to foil all wiretaps. Signal and Redphone both use an encryption protocol called ZRTP, invented by Philip Zimmermann, the creator of the iconic crypto software PGP.

Zimmermann has developed his own iPhone implementation of ZRTP for his startup Silent Circle, which sells an iPhone and Android app that enables encrypted calls and instant messaging. But unlike Open Whisper Systems, Silent Circle charges its mostly corporate users $20 a month to use its closed-source privacy app. Signal offers the same services gratis, making it the first free encryption app of its kind for iOS.

Since Silent Circle users are limited to calling only contacts with the same paid software installed, its practicality for non-business users has been limited. Though Signal and Redphone users similarly can't make encrypted calls to users without Open Whisper Systems apps installed, they can make secure calls from one app to the other, a feature that will make both Android and iOS-encrypted calling apps vastly more practical. Marlinspike notes that journalists hoping to communicate privately with a source, for example, would have a difficult time persuading them to shell out for an expensive subscription app. "If you want the capability to, in principle, call anyone securely, it indeed has to be free," says Christine Corbett Moran, one of the lead volunteer coders on Signal.

Instead of taking the for-profit startup route, Open Whisper Systems will be funded by a combination of donations and government grants. Marlinspike says the project has received money from the free-software-focused Shuttleworth Foundation and the Open Technology Fund, a U.S. government program that has also funded other privacy projects like the anonymity software Tor and the encrypted instant messaging website Cryptocat.

That government funding is ironic given last year's boost in encryption interest from the Snowden Effect: Open Whisper Systems argues, like other encryption projects, that the eavesdropping countermeasures Signal and its Android counterpart provide are more important than ever in the wake of Snowden's year of revelations of blanket spying by the NSA. "When I call the United States I’m hearing more and more self-censorship—relatives in the U.S. saying, 'I’d rather talk about this in person,'" says Moran, who is pursuing a PhD in Astrophysics at the University of Zurich. "That’s not a climate anyone should have to live in."

Open Whisper Systems' founder Marlinspike has been a fixture of the security and cryptography community for years, demonstrating groundbreaking hacks like ones that exposed vulnerabilities in the Web encryption SSL and Microsoft's widely used VPN encryption MS-CHAPv2. He co-founded the San Francisco-based startup Whisper Systems in 2010 with the intention of hardening the security of Google's Android and providing tools for encrypted communications. But that work took a hiatus when Whisper Systems was acquired by Twitter in late 2011.

While Marlinspike worked a stint as a Twitter security engineer, however, Whisper's apps were open-sourced and increasingly adopted around the world. Today, he says Redphone and Whisper's encrypted text messaging app for Android called Textsecure have been installed on hundreds of thousands of phones, the majority of which are outside the United States. Users in China, Iran, and the Middle East have adopted the services to evade their intrusive governments' surveillance mechanisms. The apps got another boost when Whatsapp, which has an especially large user-base in Europe, was acquired by Facebook, spooking many of its privacy-conscious users. "For people around the world, providing credible alternatives to not be spied on by their governments is very significant for freedom," says Moran.

Whisper's iOS app is intended to be equally global. The group has set up dozens of servers to handle the encrypted calls in more than ten countries around the world to minimize latency.

In fact, Marlinspike says that call quality and ease of use are two of the top priorities for Open Whisper Systems: Clunky encryption programs like PGP, no matter how secure they may be, don't get used. "In many ways the crypto is the effortless part," he says. "The hard part is developing a product that people are actually going to use and want to use. That’s where most of our effort goes."

As Moran says, the best encrypted app is one where the security is almost invisible. "You don’t want to have to think about whether to use cryptography," she says. "You just pick up the phone."
