Security flaws found in code library for encrypted VoIP calls
An open-source library used by a number of applications to offer encrypted phone calls has been found to contain serious vulnerabilities. The problems were discovered by researchers from security firm Azimuth Security, who say they could be leveraged to perform arbitrary code execution or denial-of-service attacks.
The library in question is called ZRTPCPP, and was designed by PGP creator Phil Zimmermann to implement the ZRTP cryptographic key agreement protocol for Voice-over-IP communications. You can read more about the trio of flaws in this blog entry by Mark Dowd, Azimuth Security's co-founder.
While this is hardly the first time that security bugs have been discovered in a code library, it is a somber reminder of the widespread repercussions that security bugs in a popular library can have. In addition, apps that are no longer being developed or updated may contain the vulnerabilities indefinitely, even as attackers are given a leg up by the information found in published advisories.
In this case, affected apps include SilentCircle, CSipSimple, LinPhone and Twinkle, as well as anything using GNU ccRTP with ZRTP enabled. The problems have already been fixed in the ZRTPCPP library, and SilentCircle at least has already updated its app on both Apple's (NASDAQ: AAPL) App Store and Google's (NASDAQ: GOOG) Google Play.
Source: this article at Computerworld.