At the onset of July, a code library for encrypted VoIP calls was found to have security flaws. Researchers at security firm Azimuth Security discovered serious vulnerabilities in the open-source library ZRTPCPP, which is used by several applications to offer encrypted phone calls. PGP creator Phil Zimmermann designed ZRTPCPP specifically for the implementation of the ZRTP cryptographic key agreement protocol for VoIP communications.
The Azimuth Security researchers say these flaws could be leveraged to perform denial-of-service attacks or arbitrary code execution. Apps that no longer get updates could also contain the vulnerabilities ad infinitum. Though this is not the first time security bugs have been found in a code library, the ZRTPCPP problems serve as a somber reminder that security bugs in a popular library can have widespread repercussions.
The apps affected by this security flaw include Twinkle, CSipSimple, Silent Circle, and Linphone, as well as anything that uses GNU ccRTP with ZRTP enabled. Luckily, the problems in the ZRTPCPP library were fixed almost instantly. Silent Circle was also quick to take action, updating all its apps on both the App Store and Google Play.