Spat over test for mobile encryption
German vendor Securstar is accused of having had a hand in supposedly independent tests of encryption solutions for mobile devices in which its product was one of the few to be classed as secure. The test is purported to have been carried out by a previously unknown hacker by the name of Notrax, who claimed to have tested 16 solutions to see how they fared against eavesdropping attacks by locally installed trojans such as Flexispy.
Notrax published his results on infosecurityguard.com. However, research by Fabio Pietrosanti, founder of Securstar competitor KHAMSA, appears to show that Notrax's internet connection originates from the Securstar company network. Pietrosanti stumbled upon this information when analysing his server log after having left a comment on the test on infosecurityguard.com. Notrax appears to have followed a link in Pietrosanti's comment and as a result left his IP address in Pietrosanti's server log, an IP address that was found to belong to Securstar.
This IP address alone does not prove a connection, but the log entry also includes the referrer, http://infosecurityguard.com/wp-admin/edit-comments.php, which is the page Notrax came from: the comment-moderation page in the WordPress administration area. Since access to this part of WordPress is normally restricted to administrators, this appears to indicate that someone on the Securstar network has administrative access to the infosecurityguard.com blog. (A Referer header is supplied by the visitor's browser and can in principle be forged, so it is corroborating evidence rather than proof on its own; in the normal case it simply records the page the visitor had open when clicking the link.) Surprisingly, Pietrosanti was able to use this IP address to access Securstar's PBX, which seems to be directly connected to the internet with no security measures. Securstar's web server is currently out of action and the mail server is not accepting e-mail.
Securstar director Wilfried Hafner has spoken to British media and denied any connection with Notrax, claiming that Notrax must have been using Securstar's SurfSolo anonymisation service, which causes its users' traffic to appear to originate from a Securstar IP address. However, the SurfSolo proxies actually use a different IP address space from the one the logged address belongs to.
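The two checks described above, the referrer pointing into the WordPress admin area and the question of which address range the visitor's IP falls in (corporate network versus anonymising-proxy pool), are the kind of thing that can be run mechanically over an access log. The following Python script is an added illustration, not code from the article or from Pietrosanti. The log lines are constructed in Apache "combined" format, and both address ranges are hypothetical documentation prefixes (RFC 5737), not Securstar's real addresses; in practice the ranges would come from a whois lookup of the logged IP.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines in Apache "combined" log format. The addresses are
# documentation ranges (RFC 5737), not any real company's; the timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2010:14:03:11 +0100] "GET /blog/phonecrypt-test/ HTTP/1.1" 200 5120 "http://infosecurityguard.com/wp-admin/edit-comments.php" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2010:14:05:42 +0100] "GET /blog/phonecrypt-test/ HTTP/1.1" 200 5120 "http://infosecurityguard.com/2010/01/test/" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2010:14:07:01 +0100] "GET /blog/phonecrypt-test/ HTTP/1.1" 200 5120 "-" "curl/7.19"
"""

# Apache combined format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical address ranges: a vendor's corporate network and the separate pool
# used by its anonymising proxy service. Real values would come from whois.
NETWORKS = {
    "corporate": ipaddress.ip_network("203.0.113.0/24"),
    "proxy-pool": ipaddress.ip_network("198.51.100.0/24"),
}

# Any referrer whose path starts here came from the WordPress admin area.
ADMIN_PREFIX = "/wp-admin/"


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_ip(ip_str):
    """Name the known range containing ip_str, or 'unknown'."""
    addr = ipaddress.ip_address(ip_str)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "unknown"


def referer_is_admin(referer):
    """True if the Referer points into a WordPress admin page.
    Note: Referer is sent by the client and can be forged; treat as corroboration only."""
    if referer in ("", "-"):
        return False
    return urlparse(referer).path.startswith(ADMIN_PREFIX)


def analyse(log_text):
    """Annotate every parseable line with the visitor's address range and referrer facts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "origin": classify_ip(rec["ip"]),
            "referer": rec["referer"],
            "referer_host": urlparse(rec["referer"]).hostname,  # None for "-"
            "admin_referer": referer_is_admin(rec["referer"]),
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        flag = "ADMIN-REFERER" if f["admin_referer"] else ""
        print(f'{f["ip"]:16} {f["origin"]:10} {f["referer_host"] or "-":25} {flag}')
```

Only the first constructed line matches the pattern in the article: a visitor from the "corporate" range arriving via a /wp-admin/ page on the blog. The second shows a visitor from the proxy pool, which is what the SurfSolo explanation would predict, and the third has no referrer at all. Whether an address is in one range or the other is the decisive question, which is why the whois lookup should be done on the actual logged address rather than on a range assumed from the company name.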
The disputed tests date from early January, but came to wider attention late last week as the result of Securstar issuing a press release via media agency Sprengel & Partner. This stated that "nearly all well-known programs are insecure" – including the Secusmart solution soon to be deployed on 5,000 mobiles used by the German Chancellor and German government employees. It stated that few of the solutions so far tested had been found to be impenetrable, but that Securstar's PhoneCrypt software had been one of the best products tested.
Sprengel & Partner has since distanced itself from the press release and terminated its work with Securstar with immediate effect, stating that it appeared to have been fed deliberate misinformation. Sprengel is not the only one to cut ties with Securstar – back in September anonymisation service provider Privacy.li terminated contracts with Securstar due to "unethical behaviour".
Hafner has previously drawn attention to himself and Securstar with Rexspy, an obscure mobile trojan which is reportedly able to infect mobile devices via a simple text message. The vulnerability was, however, only ever demonstrated under controlled conditions in dubious meetings with journalists, and it attracted similar allegations (PDF, German language) from critics that it was simply a marketing stunt.