Skip to main content

Verizon's 'Secure' Voice Cypher App Comes With Pre-Installed Government Backdoor

After all the Snowden revelations, many tech companies have worked to improve the security of their products. Some, such as Google, did it in part because it wanted its users to be more secure, but also because its executives and security employees were angry with the U.S. government for hacking its internal networks.

Google has already implemented many security improvements to its systems, but some of the most noteworthy are the announcements about the end-to-end encryption for Gmail (not yet implemented) and about default storage encryption on devices that come pre-installed with Android 5.0.  

Yesterday, Verizon announced that it's also entering this post-Snowden "secure communications" market with an app of its own called "Voice Cypher," which it built in partnership with a security company called Cellcrypt.

On its site, Verizon claims that the app has "end-to-end" security, which normally means that users should be able to communicate directly to each other, with no other middleman, and the encryption key is stored locally. If the encryption key is stored with anyone else, then some other party is involved in the communication and can decrypt it, so it wouldn't be "end-to-end" anymore.

Despite Voice Cypher's claim for end-to-end security on the marketing materials, it seems Verizon admitted to Bloomberg Businessweek that the U.S. government can access the data. This means one of these two things: either the app is not end-to-end secure, because someone else can intercept the call, or the app is end-to-end secure, but Verizon has some kind of built-in backdoor for the government's benefit.

Either way, the app is not as secure as Verizon claims, and it can at the very least be accessed by U.S. authorities, or even by other hackers once they discover the vulnerability. Cellcrypt, Verizon's partner, stated that the weakness exists only for the government, but many security experts believe that when such a loophole exists, that never turns out to be true.

"Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences (PDF) for the economic well-being and national security of the United States," wrote security experts in a report earlier this year, when evaluating CALEA 2, a new FBI-proposed law mandating backdoors in tech products.

Individuals or organizations who want real end-to-end secure voice applications already have at least two strong options: the open source Signal (iOS)/RedPhone (Android), or Silent Circles paid security suite.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.