Finspy warning!

General Privacy & Security
1

I sell high-security phones online and my premium vendor just sent me a FinSpy-FinFisher warning about 90 days ago. Also, I recently experienced a hack that “appears” to have read my recent file list, then exported those files over the internet. I “think” this is what FinSpy does. I’m using a Debian variant, with MATE DE. I have since disabled my “recent-file-list” in MATE. This was a royal PITA! I think I need a different DE, that’s not so easy to exploit and “very” easy to lock down. Can anyone suggest a MATE alternative that might satisfy this requirement?

My understanding is that FinSpy can read data files directly from memory (RAM Heap). HDD/SSD encryption is a good thing; but, it doesn’t prevent data that is stored in RAM, in the clear, from being read. I don’t know if it checks the recent-files-list first, before reading RAM data contents; so, disabling the recent-file-list, may not prevent another attack. In any case, I think what needs to happen, in addition to HDD/SSD encryption, is to store file-data in RAM in encrypted form, then only decrypt the data, as it is being displayed.

The ports that FinSpy-FinFisher use are 8999 and 8899. These should obviously be disabled by default. I can do it using “iptables;” but, the setting doesn’t persist. Does anyone have a script that can set individual ports with “persistence?” Maybe, this is just coincidence; but, the ports chosen have significance in “triad” numerology.

I’m leaving the text of the warning I received below, with the vendor information redacted. I hope this is useful to the dev’s.

Cheers, Candy

Sent at: 8/7/2019 10:01 :34 AM
Combing the monitoring worlds of G3, GSM, CYBER, Wi-Fi,
OSINT & GEO LOCATION
From : ******************************************
To: **********************************************************

AUGUST 07, 2019: ISSUE #856
THE HYDRA 2020

THE NEW HSS HYDRA 2020

An all-encompassing platform
combining the monitoring worlds of
3G, GSM, CYBER, Wi-Fi, OSINT & GEO LOCATION
A most advanced, proprietary ombudsman of counter terrorist solutions
featuring intercepting, monitoring, decrypting, geo-location, data analysis
plus so much more.

In one comp lete multi-headed p latform you can now Intercept, monitor,
collect and analyze data from …
WhatsApp, FB Messenger, Viber, Signal and other social media platforms
Satellite telephone communications.
Cellular communications via Active GSM Field Intercep tion and IMSI/IMEICatchers and passive GSM Intercept Cell traffic, VOICE and SMS and perform Remote Phone Manipulations

ADDITIONAL FEATURES
RF Detection, intercepting and jamming phone, drone, + RF signals
Intelligence gathering utilizing GSM and WIFI Tactical
Interception.

Geo Intelligence; video to 3D mapping solution with OSINT, Big Data
analysis & Geo-location Vehicle direction finding
Personal GSM finder and locator; track targets around the country
Collect MAC for WIFI tracking, phone numbers for OSINT, Voice
Print & Gender IDs

DONT MISS OUT ON THE FEATURED
WhatsApp DEMONSTRATION KIT
Looking for a powerful solution to capture WhatsApp messages?
Penetrate cellular defenses
Generate effective access to Target devices
Perform interception of their data communications
Operate in ‘new’ locations, without requiring any integration
Extract data from phones
Capture cell phones and windows 10 remotely
Unlimited infections/intercepts
Can control 10 phones at any one time

For trial rental to authorized law enforcement agencies only
CONTACT ME. JOE PORTER

Questions?
Contact us today

ABOUT

*** designs and builds advanced RF solutions for both Law Enforcement and Defense industries. For
more information, demonstrations, or Reseller O pportunities, Contact Us.
Some of the technologies mentioned herein may be restricted to Government Agencies only, and
are mentioned for informational purposes. Contact us for more information.
Legal Notice: This email is intended only as a proprietary notice and does not constitute and offer to sell surreptitious intercept devices or technologies. Such information or offer can only be made by an official Homeland Security Strategies pro-forma invoice signed by an authorized agent of *** and furthermore, in the United States, must be a Law Enforcement Agency or political subdivision of the United States Government; in compliance with the US code Title 18 Section 2512. Available to authorized agencies and their authorized vendors only.

Legal Notice: This email is intended only as a proprietary notice and does not constitute an offer to sell RF Jammer and or Bomb Jammer TM systems - equipment. In addition, all Jamming devices in part or whole are strictly regulated by the US Department of State in accordance with the guidelines in the International Traffic in Arms (!TAR) per title 22, Code of Federal Regulations (CFR), Parts 120-130 . Any such offer can only be made by an official HSS proforma invoice signed by an authorized agent of *** conforming to US code Title 22, Parts 120 - 130 … Available to authorized agencies only. You are receiving this message because you have inquired with one of our 4 web sites containing Law Enforcement systems at either **** Technologies or *** or have specifically been referred to us. Please expect one to two messages per month with timely information about our technologies and applications. Should you choose not to receive future messages, please follow the iContact instructions below.

Manage Your Subscription
This message was sent **************** from ***************************Defense News
Homeland Security *****************

FINSPY

FinSpy is a field-proven Remote Monitoring Solution that enables Governments to face the current challenges of monitoring Mobile and Security-Aware Targets that regularly change location, use encrypted and anonymous communication channels and reside in foreign countries. FinSpy provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory (recent file list) and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS messages or via the internet. Personal data including contacts, messages, audios and videos, can be exfiltrated from most popular messengers.

According to information on its official website, FinFisher, among other tools and services, provides a “strategic wide-scale interception and monitoring solution”. This software (also known as FinSpy) is used to collect a variety of private user information on various platforms. Its implants for desktop devices were first described in 2011 by Wikileaks and mobile implants were discovered in 2012. Since then xxxxx Technologies has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019. Late in 2018, experts at xxxxx Technologies looked at the functionally latest versions of FinSpy implants for iOS and Android, built in mid-2018. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory (recent file list), phone call recordings and data from the most popular messengers.

Malware features

The Android implant is capable of gaining root privileges on an unrooted device by abusing the “DirtyCow” exploit, which is contained in the malware. FinSpy Android samples have been known for a few years now. Based on the certificate data of the last version found, the sample was deployed in “June 2019.”

FinSpy

The Android implant’s functionality is unlikely to change much, based on the fact that most of the configuration parameters are the same in the old and new versions. The variety of available settings makes it possible to tailor the behavior of the implant for every victim. For example, operators can choose the preferred communication channels or automatically disable data transfers while the victim is in roaming mode. All the configuration data for an infected Android device (including the location of the control server) is embedded in the implant and used afterwards, but some of the parameters can be changed remotely by the operator. The configuration data is stored in compressed format, split into a set of files in the assets directory of the implant apk. After extracting all pieces of data and building the configuration file, it’s possible to get all the configuration values. Each value in the configuration file is stored after the little-endian value of its size, and the setting type is stored as a hash.

FinSpy
For example, the following interesting settings found in the configuration file of the developer build of the implant can be marked: mobile target ID, proxy ip-address, proxy port, phone number for remote SMS control, unique identifier of the installed implant.

As in the case of the iOS implant, the Android version can be installed manually if the attacker has physical access to the device, and by remote infection vectors: SMS messages, emails and WAP Push. After successful installation, the implant tries to gain root privileges by checking for the presence of known rooting modules “SuperSU” and “Magisk” and running them. If no utilities are present, the implant decrypts and executes the “DirtyCow” exploit, which is located inside the malware; and if it successfully manages to get root access, the implant registers a custom “SELinux” policy to get full access to the device and maintain root access. If it used SuperSU, the implant modifies SuperSU preferences in order to silence it, disables its expiry and configures it to autorun during boot. It also deletes all possible logs including SuperSU logs.

The implant provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory (recent file list) and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS messages or via the internet (the C2 server location is stored in the configuration file). Personal data, including contacts, messages, audios and videos, can be exfiltrated from most popular messengers. Each of the targeted messengers has its own unified handling module, which makes it easy to add new handlers if needed.

The full hardcoded list of supported messengers is shown below:

Package name Application name
com.bbm BBM (BlackBerry Messenger)
com.facebook.orca Facebook Messenger
com.futurebits.instamesssage.free InstaMessage
jp.naver.line.android Line Messenger
org.thoughtcrime.securesms Signal
com.skype.raider Skype
org.telegram.messenger Telegram
ch.threema.app Threema
com.viber.voip Viber
com.whatsapp WhatsApp

At first, the implant checks that the targeted messenger is installed on the device (using a hardcoded package name) and that root access is granted. After that, the messenger database is prepared for data exfiltration. If necessary, it can be decrypted with the private key stored in its private directory, and any required information can simply be queried:

FinSpy

All media files and information about the user are exfiltrated as well.

FinSpy

Infrastructure
FinSpy

FinSpy implants are controlled by the FinSpy Agent (operator terminal). By default, all implants are connected to FinSpy anonymizing proxies (also referred to as FinSpy Relays) provided by the spyware vendor. This is done to hide the real location of the FinSpy Master. As soon as the infected target system appears online, it sends a heartbeat to the FinSpy Proxy. The FinSpy Proxy forwards connections between targets and a master server. The FinSpy Master server manages all targets and agents and stores the data. Based on decrypted configuration files, our experts were able to find the different relays used by the victims and their geographical location. “Most of the relays we found are concentrated in “Europe,” with some in “South-East-Asia” and the “USA.””

Conclusion

FinSpy mobile implants are advanced malicious spy tools with diverse functionality. Various configuration capabilities provided by the spyware vendor in their product enable the FinSpy terminal (FinSpy Agent) operators to tailor the behavior of each implant for a particular victim and effectively conduct surveillance, exfiltrating sensitive data such as GPS location, contacts, calls and other data from various instant messengers and the device itself.

The Android implant has functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that this spyware solution doesn’t provide infection exploits for its customers, as their product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. That might imply physical access to the victim in cases where devices are not already jailbroken. At the same time, multiple features that we haven’t observed before in malware designed for this platform are implemented.

Since the leak in 2014, the FinSpy developers have recreated significant parts of its implants, extended supported functionality (for example, the list of supported instant messengers has been significantly expanded) and at the same time improved encryption and obfuscation (making it harder to analyze and detect implants), which made it possible to retain its position in the market.

Overall, during the research, up-to-date versions of these implants used in the wild were detected in almost 20 countries, although the total number could be higher.

FinSpy developers are constatly working on the updates for their malware. At the time of publication, xxxxx Technologies researchers have found another version of the threat and are currently investigating this case.

2 Likes
2

Our response

FinSpy Annihilator

FinSpy is bypassing 40 regularly tested Antivirus Apps. Hence, no point to install an anti-virus. xxxx Technologies have opted for another effective solution to circumvent malware and harmful software install. There is a FinSpy detection algorithm installed deep on XROM firmware that will not only detect any intrusion attempt, but will block any code execution. Local HTTP ports used by FinSpy have been blocked: :8999 and :8899.

So, xxxxx users should have no fear regarding government grade monitoring software. xxxxx Pro will be even more secure, giving user access to FinSpy Annihilator control panel.

Thank you,
Support Team | xxxx Technologies

Legal Disclaimer: The information contained in this message and any attached files can be confidential and may be legally privileged. This correspondence is covered by law, and may contain privileged and confidential material. It is intended to be read ONLY by the named recipient(s). If you have received this message in error please notify the sender and discard immediately. Any dissemination, distribution or copying of the communication is strictly prohibited.

friend on Facebook | forward to a friend
Copyright © 2019 xxxx Technologies, All rights reserved.

This email was sent to xxxxxx@xxxxxx.ch
why did I get this? unsubscribe from this list update subscription preferences
xxxx Technologies · Geneva 1207 · Switzerland

Email Marketing Powered by Mailchimp

Security weakness in popular VPN clients

Numerous enterprise VPN clients could be vulnerable to a potentially serious security weakness that could be used to spoof access by replaying a user’s session, an alert from the Carnegie Mellon University CERT Coordination Center (CERT/CC) has warned.

Connecting to an enterprise VPN gateway made by a specific company usually requires a dedicated application designed to work with it. So far, the issue has only been confirmed in applications from four vendors – Palo Alto, F5 Networks, Pulse Secure, and Cisco – but others could be affected.

The problem is the surprisingly basic one that applications have been insecurely storing session and authentication cookies in memory or log files which renders them vulnerable to misuse. CERT/CC explains:

If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

Which, if it were to happen on a network imposing no additional authentication, would be like handing over the privileges of an enterprise VPN to anyone able to get their hands on the vulnerable data.

The weakness manifests in two ways: cookies stored insecurely in log files and cookies stored insecurely in memory. The clients suffering both weaknesses:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows

– Palo Alto Networks GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)

– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

– A range of F5 Edge Client components including BIG-IP APM, BIG-IP Edge Gateway, and FirePass (CVE-2013-6024)

Additionally, Cisco’s AnyConnect version 4.7.x and earlier stores the cookie insecurely in memory. However, the alert lists 237 vendors in total, only three of which are definitely not affected. Consequently:

It is likely that this configuration is generic to additional VPN applications.

That should be taken as a warning with red flashing lights on it that many more VPN clients might suffer the same problems.

Mitigations?

Exploiting the security flaw still requires that the attacker is using the same network as the targeted VPN in order to carry out the replay attack. It’s not clear whether additional authentication would be a defence against this.

A defence that should work is to log out of sessions, thereby invalidating the stored cookie and making them worthless to anyone looking to steal them.

Beyond that, admins should apply patches where they are available. In the case of Palo Alto Networks GlobalProtect it’s version 4.1.1, while Pulse Secure has yet to respond. Cisco suggested users should always terminate sessions to refresh cookies, before adding:

The storage of the session cookie within process memory of the client and in cases of clientless sessions the web browser while the sessions are active are not considered to be an unwarranted exposure.

F5 Networks said insecure log storage was fixed in 2017 in version 12.1.3 and 13.1.0 and onwards. As for the memory storage:

F5 has been aware of the insecure memory storage since 2013 and has not yet been patched.

Admins should consult F5’s online documentation regarding this.

xxxx response to VPN weaknesses

Our approach is pretty much straight forward: no VPN, no security flaws.
MLSP® technology has been added on xxxxx Pro. No need for Internet connection and 3rd party servers in order to send 100% secure messages.

If you are either super important, super paranoid or a super spy, there are times when you need to be able to use a cell phone and not leave a trace or any chance for anyone to intercept your calls and text messages, including law enforcement and intelligence agencies.

Secure = encryption? Well, think again…

Nowadays, interception issues affect most of people, even if they are not aware of it. Not to mention so called “off air GSM interception systems” or also known as “IMSI-catchers”, “GSM Interceptors” or “StingRays”, it has been known since 2014 that using the legacy SS7 (Signaling System No. 7) protocol SMS based traffic text messages can be easily intercepted by using diameter based networks independently of device or OS type. Signaling System No. 7 vulnerabilities are easy to be exploited even by hackers, being a 50-year old protocol that is probably part of a majority of cell phones and text messages in the world.
Generally speaking, most users believe that using encryption solutions will secure their calls and text messages. Is encryption a real solution? Let’s see…

Law enforcement, homeland security and other related actors have plenty of methods to intercept messages and read text content, even when using encryption. Ranging from SS7 exploit, encryption backdoors or intentionally weaken popular encryption algorithms to lawful hacking that circumvent encryption and high-tech decryption technology, all are there at their fingertips.

Encryption will not protect your privacy, At all

Recent headlines warn that the government now has greater authority to hack your cell phones, inside and outside the US. Changes to federal criminal court procedures known as “Rule 41” are to blame; they vastly expand how and whom the FBI can legally hack. But just like the NSA’s hacking operations, FBI hacking isn’t new. In fact, the bureau has a long history of surreptitiously hacking us, going back two decades.

Back-doors provided for law enforcement

Encryption back doors remain largely viewed as weakening everyone’s protections all the time for the sake of some people’s protections on rare occasions. As a result, workarounds like the FBI found are likely to be the most common approach going forward. Indeed, in recent years, law enforcement agencies have greatly expanded their hacking capabilities.

Many reputable encryption developers and companies have chosen to retain the ability to read and use their customers’ content, or perhaps they decided there is not a sufficient business case to add end-to-end encryption or user-controlled encryption. Their users’ encrypted content is more readily available to law enforcement because they hold the decryption keys. The same companies offer their services in a way that their encryption does not preclude their ability to hand over the content to law enforcement in response to a warrant. Are those services as secure?

Forget Warrants. All the big telecom players give users’ info on the basis of a LER (Law Enforcement Request). Failing this, NSLs (National Security Letters) and “Blackmail” are used.

Lawful hacking

Most national security agencies have been shown to have immense surveillance capabilities actively deployed on a massive scale, especially in those countries where the functions of law enforcement and national security overlap. Besides encryption master-key and built-in back doors that provide law enforcement “exceptional” access to everyones’ secrets and privacy, they now have unprecedented access to information through open-source intelligence, collection of metadata, sophisticated traffic analysis tools and data analysis algorithms. Many local and international laws are mandating “insecurity” by requiring government access to all data and communications and permits lawful hacking (otherwise known as encryption circumvention).

Encryption vendors and law enforcement work together to solve the access “problem”. One suggested fix is one way information sharing where vendors make law enforcement aware of unpatched exploits, allowing the government (and anyone else who discovers it) to use these vulnerabilities to gain access to communications and data. It’s a horrible suggestion - one that puts vendors in the liability line of fire and encourages continued weakening of device and software security.

Several individuals with backgrounds in security and systems have begun to explore possible technical mechanisms to provide government exceptional access.

Response: MLSP

Our approach regarding SMS encryption and protection

At xxxx Technologies we are serious about mobile security, bringing you the most advanced SMS security solutions. Concerns about government mass surveillance and their ability to decrypt anything by using given master-keys, back doors, lawful hacking or effective decryption solutions were the factors driving us to develop a brand new and 100% secure SMS communications which use not only strong military grade encryption but adding a new security layer by exploiting GSM network via MLSP®, to make sure there is no way to intercept text messages or metadata, even in encrypted mode. All above overlaping existing commercial-encrypted apps, services, devices, and also law enforcement access to your sensitive info.

GSM provides by default only a basic range of security features to ensure adequate protection for both the operator and customer. Over the lifetime of a system threat and technology change, and so the security is periodically reviewed and changed here at xxxx Technologies, and then applied on our products.

Taking advantage of GSM network architecture and SMS Transport Protocol, our SMS encryption technology is capable to send/receive encrypted and non-interceptable messages.

Our SMS encryption application called xxxxx uses a groundbreaking multi-layer technology to protect SMS from being intercepted and decrypted. As a unique encryption application, besides strong military grade encryption, xxxxx uses a brand new patented technology in order to send/receive encrypted messages: discrete GSM channels or Multi-Layer Security Protocol®. That will protect not just encrypted text messages but also metadata which is not encrypted.

xxxxx concept. An insight into techniques used for 100% secure text messages

Definitions

“A-Party” phone is the sender phone which send encrypted messages via MLSP®
“B-Party” phone is the receiver phone that will decrypt and display received messages.
Plain text message: a standard text message that can be read by anyone. Can be intercepted and read with no effort.
Encrypted message: an encrypted text message that can be read only by using the right password. Can be easily intercepted in encrypted mode but cannot be read. A password is required in order to read the message.
Metadata: data about data. SMS metadata is not encrypted because is not contained by the encrypted text itself, but law enforcement agencies are collecting unencrypted metadata to characterize the encrypted data. SMS metadata contains data about sender, receiver, message encoding (UTF8, UnicodeX etc.), date/time and length.

Non-interceptable message: a text message (plain text or encrypted) which cannot be intercepted by “any” means.
Real end-to-end encryption: no Internet and 3rd party servers involved.
xxxxx software application that uses MLSP® in order to send/receive ultra-secure messages.

MLSP®

Multi-Layer Security Protocol - MLSP® consists of:

  1. Physical layer: encrypted text message.
    The phone will encrypt text messages by using following protocols:
    • RSA
    • AES 256
    • Elliptic Curve (ECIES) 256
    • SHA256
    • Protected by ITSEC Evaluation level 3

  2. Multi-layer routing and transport protocol. Encrypted SMS data is randomly segmented and distributed in bursts by Application Port Addressing Technology, via discrete GSM channels which usually are not “listened” by mobile interception systems (IMSI Catchers, GSM Interceptors or StingRays), both in air interface (UM Interface in terms of GSM networks) and Abis, A and C-G mobile network interfaces. This way, SMS data which is usually sent over GSM Layer 1 (and widely intercepted on Layer 1) will be sent by using a combination of GSM Layer 1 and GSM Layer 2 (LAPDm). By consequence, no mobile interception systems (as GSM Interceptors) and lawful interception systems (SS7 interception also known as network switch based interception or interception by the help of network operator) will be able to intercept the whole message but only a few bursts which are encrypted anyway.

  3. Metadata protection. Regular SMS metadata is not saved in a separate file (called a metadata file). xxxxx separates metadata and the data it describes (SMS encrypted text), sending metadata file in bursts over the network, by the same Port Addressing technology. Metadata is of little value without the data file (SMS) it relates too. At the same time, metadata makes the data more usable and therefore, more valuable. An encrypted text message with a separate metadata file will reveal nothing about SMS sender and receiver.

How does it work

xxxxx diagram

  1. Phone level

At phone level xxxxx uses a technology called “port-directed-SMS,” which is widely implemented in “J2ME MIDP” on mobile devices. The concept is basically that when a user sends an encrypted SMS message to “B-Party” phone, a particular port number will be specified along with encrypted message, so only the device which is “listening” on that particular port will be able to receive an encrypted message. When a message is received on a port that the application is listening on, the message gets directly routed to secure Inbox instead of going to the standard message Inbox.

xxxxx will locally encrypt text messages at military level, then by “message-segmentation and Port-Addressing” will send randomly split bursts (bit streams) along with certain port-address-data by adding redundant bits to information binary strings, to “B-Party” phone. Along with encrypted split message, the application on “A-Party” phone will send “Port-Addressing-data,” which will trigger opening certain Port Addresses on “B-Party” phone. This way, encrypted messages will go through, avoiding standard phone Inbox and arriving directly on secure Inbox.

All these steps are transparent on receiving (“B-Party”) phone, which also requires user interaction to allow messages to be routed to secure Inbox and decrypted by inserting the right password.

On “B-Party” phone, by port destination address, encrypted bursts will be selectively received, concatenated, decrypted and displayed only on “B-Party” phone which uses the same xxxxx application that “listens” on certain receiving ports.
If on the “B-Party” (destination phone) the xxxxx app is not also installed, then received messages will not be delivered nor displayed by the phone (not even in encrypted/unreadable mode) due to Port-Addressing technology which filters messages by ports.

When encrypting SMS, metadata files will be generated separately from text messages and not as an integral part of the message as regular SMS’s do. Metadata file will be then truncated and sent in bursts over GSM network, by Port-Addressing-technology. This way no metadata can be intercepted by SS7 means.

At this level, handset vulnerability refers to forensic grade hardware and software that intends to extract system files and private data off the phone, including decrypted messages stored on xxxxx secure Inbox. xxxxx phones are protected against forensic procedures by USB volatile filters which do not permit any unauthorised USB connection, “triggering motherboard self-nuke.” Moreover, xxxxx runs on Sandbox partition which is 100% encrypted and protected against file extraction by “self-delete” mechanism.

  1. Um level

Um interface (the radio link between the cellular network and the subscriber handset) is the most vulnerable and exploited part of the GSM network by “MItM” attacks (IMSI Catchers, GSM Interceptors and StingRays), since no network operator help or target consent is needed. xxxxx will make use of GSM network architecture and SMS Transport Protocol in order to protect (already) encrypted messages to be intercepted even in encrypted mode. After encryption, the modulation signal has a carrier wave using GMSK (Gaussian Minimum Shift Keying) modulation. GMSK is a two-state modulation technique based on the frequency keying stroke.

On Um interface xxxxx will use MLSP® technology: encrypted message bursts are not sent only on usual L1 SMS channels - SDCCH (Standalone Dedicated Control CHannel) signaling channels, but also on other available channels which are not subject to SMS interception, forcing Signaling Layer 2 (data link layer based on LAPDm protocol) for SMS Transport.

Since GSM Interceptors are “listening” only on SDCCH physical channels in order to intercept text messages, will catch only a few encrypted bursts sent over SDCCH but not the whole encrypted message which is split and sent over multi-channel by MLSP® technology.

Same for metadata files: Sent over the network in bursts, separately from encrypted message body. No metadata extraction is possible at this level.

  1. Core network level

The four-layer transport protocol stack of SMS (application, transfer, relay, and link) is used at this level and the transfer layer of this stack is the one which secures text messages. GSM core networks consists of “Mobile-switching-center” (MSC), “Home-location-register” (HLR), “Authentication-center” (AuC), “Visitor-location-register” (VLR) and “Equipment-identity-register” (EIR), which are all vulnerable to “network-switch-based” interception, also known as SS7 interception or lawful interception. This kind of interception can be successfully performed only by law enforcement and homeland security agencies, by the help of network provider that allows monitoring hardware installation (SS7 boxes) at their core network, based on “Communications Assistance for Law Enforcement Act” (CALEA). CALEA’s purpose is to enhance the ability of law enforcement agencies to conduct lawful interception of communication by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in capabilities for targeted surveillance, allowing federal agencies to selectively wiretap “any” telephone traffic. CALEA covers “mass” surveillance of communications rather than just tapping specific lines; and “not-all” CALEA-based access requires a warrant. Generally, lawful Interception implementation is similar to the implementation of a conference call. While A and B are talking with each other, C can join the call and listen silently.

At this network level, the main security vulnerability consists of lawful interception. xxxxx is taking advantage of GSM core network, sending both encrypted and non-interceptable text messages by using MLSP® technology. Core network protocols cannot be enforced as the Um interface can. Actually there is no need to manipulate those protocols and transfer layers as long as message bursts that transit this part of the mobile network can be “logically-concatenated” (fit together) by “Port-Addressing” and decrypted only by “BParty” phone which run the same XCrypt application and by knowing the right password. By consequence, no text messages can be entirely intercepted by a third party that uses CALEA - lawful interception. A few encrypted SMS bursts which are eventually intercepted by SS7 “cannot” lead by “any” means to SMS interception. Thus no private data will be collected by this method, phone user privacy being preserved peer-to-peer from “A-Party” to “B-Party” phone.

Let’s face it: most contemporary encryption solutions are only taking care of the text itself, neglecting message metadata which is still sent in plain-text over the network, due to network requirements. Law enforcement and other actors are taking advantage of this, collecting unencrypted metadata to characterize the encrypted data, metadata being a valuable source of information for them.

By using MLSP® technology on both Um and Core network levels, collecting unencrypted message metadata is not possible, thus there is no way to extract any additional info besides the encrypted message.

It has long been said that it doesn’t matter how secure your organization, or personal information and assets are, if you connect them with third parties that are less secure. So take note: servers are third parties.

Real end-to-end encryption requires no third parties involved on the way from “A-Party” to “B-Party” phones.

For maximum security and privacy, xxxxx does not require any Internet connection, third party servers or monthly subscriptions. All processes and protocols run locally on the phones (on Sandbox partition) providing not just real end-to-end unbreakable encryption, but also non-interceptable messages by the reasons explained above.

xxxxx has been already implemented as standard on xxxxx Basic v3 xxxxx Phones, both on Basic and Advanced versions. And now has been implemented on our flagship product, xxxxx Pro.

Thank you for your time.
Support Team | xxxxx Technologies
Copyright © 2019 xxxxx Technologies, All rights reserved.

This email was sent to xxxxxxx@xxxxxxx.ch
xxxxx Technologies · Geneva 1207 · Switzerland

2 Likes
3

This should be a little more structured. It’s (for me) unreadable in this state.
Topic itself is interesting.

3 Likes
4

Perhaps put up on the web somewhere and then simply post a link here.

2 Likes