Silent Circle’s dangerous security gap – and a challenge for all such developers

In the first of a two-part series, Simon Davies explains the vulnerability of secure communications services such as Silent Circle. Part two will examine one possible solution.

During recent publicity for the new privacy-themed Blackphone device, you might have noticed references to Edward Snowden’s recommendation that people should use a communications system called Silent Circle (that’s the company that created Blackphone).

Silent Circle (SC) is a communications platform for mobile or desktop that appears to deliver strong privacy protection – to a possibly even greater extent than competing services. Its co-founder is PGP creator Phil Zimmermann, one of the most loved and trusted pioneers of the secure communications field.

For the moment, let’s dodge any discussion about the merits or otherwise of Blackphone and focus on Silent Circle’s core software, which is a paid-for Skype-type communications system between members. That software is the heart of Silent Circle.

Conventional caveats aside, analysts generally agree that the system does deliver good privacy. At one level therefore, Snowden was right to promote Silent Circle as a trusted product. At another level, his endorsement could be dangerous and misleading.

Silent Circle might well deliver extremely strong end-to-end privacy at the communications level, but the glaring hole in its security appears to be at the stage of online payment for the service.

I’ll take up this issue in detail with SC and other companies in coming weeks, but for the moment let me just sprinkle my concerns into the ether before outlining a possible solution in Part 2.

To use Silent Circle, you must pay online for membership and for a package. In this respect it’s like any other commercial product that doesn’t offer a “free” basic service requiring simple email verification. Instead, users must proceed through a payment gateway (or Merchant Account Provider). These are typically third-party sites that process the card payment as a sort of virtual ATM.

Here lies the problem. Any organisation such as SC using a payment gateway will invariably be issued with a Merchant Number or similar dumb code that identifies the payee so a path can be established and the funds directed to the right destination. The customer is linked to the supplying company. The more focused the activity of the company, the greater the certainty that a snooping agency will know what a customer has bought (if it isn’t already identified in the transaction data, which it usually is).

In summary, the card payment stage for SC seems vulnerable, so it’s quite likely that government has full access to the identities, bank details and addresses of nearly all Silent Circle customers. This will be equally true of many subscription services for secure products. Any claim to infallible end-to-end security is kind of blown apart unless suppliers can find a way to crack this weak-spot.

So now the web merchant provider has a record of precisely who is subscribing to SC – their full name, bank details and address. Because web merchants are part of the banking food chain, they are bound to financial regulations that require the data to be stored – sometimes for years.

At this point it’s irrelevant whether SC itself maintains a list of subscribers that could be grabbed by government. Presumably – at the very least – the company will have a file containing usernames, account status and possibly an email address. That information has relatively limited value to police and security agencies; it’s the bank and identity details that could be the true goldmine – and those details are fully exposed through the merchant company.

Silent Circle obviously is aware of the importance of anonymity and thus introduced a pre-paid code system called the “Ronin Card”, which essentially is a 20 digit number that can be generated once you purchase a particular SC service. That code can then be activated anonymously by anyone else wanting to purchase an SC package. Indeed, an ideal birthday present for the privacy conscious consumer.

Problem: it seems that the only way to purchase a Ronin Card is to go through the same payment gateway you use to directly purchase a subscription to SC. True, the Ronin Code is transferable (so you could buy one and then activate it anonymously by setting up a second SC account) but I question how many people actually use the system in that way. Judging by the almost complete absence of online discussions on the subject, I would imagine very few. Most customers will simply pull out their credit card at the gateway and directly purchase a service for themselves.

It’s one thing in North America or Europe to dismiss this concern as peripheral but quite another if you happen to live under dangerous and intolerant regimes where the use of such technology can lead to sometimes fatal action by the State. And those places are crying out for secure voice communications.

Banks and merchant providers don’t have the most celebrated history of transparency when it comes to their relationship with government. We’re only just now starting to learn about the scale of government capture of financial transaction records, but enough is known anecdotally to indicate a huge data grab.

Some of this activity is covert, as established by the SWIFT affair in which a global association of 9,000 banking institutions secretly and unlawfully handed customer data to the US government. Some of the grab is lawful, for example the Canadian government’s successful bid to force eBay to hand over financial data on its high volume sellers.

It’s for these reasons that supplier companies such as SC should strive to avoid mainstream payment gateways that rely on the major credit and debit cards. But this is easier said than done. Stored value (pre-paid) cards are used in abundance, but they are of limited value to a global online provider. Systems such as Bitcoin have potential, but – for most consumers – are arcane and clunky.

Zimmermann – more than most – will know the importance of creating an elegant product fuelled by a universal payment mechanism. Otherwise, any hope of achieving market traction is largely doomed.

Silent Circle and other such companies are caught between the devil and the deep blue sea. They must either use merchant services to enable a sustainable business model, or they must stay true to the ideal of a fully secure ecosystem by adopting fringe payment methods that risk retarding the development of a fully evolved privacy market.

The third way is to devise a method whereby mainstream financial services can be adopted in a privacy-secure way. This challenge, together with a possible intermediary solution, will be the topic of Part 2, which will follow imminently.