Company Makes Inconspicuous Secure Cellphone

dponce80 writes "With concerns over privacy at an all-time high, it's refreshing to hear that Swiss company VectroTel is making a secure mobile phone. The X8 encrypts secure calls (the unit is also able to make regular calls) with a virtually unbreakable 128-bit key, itself generated through a Diffie-Hellman exchange. While transmission does get somewhat delayed, communication is secure."

What does this mean for eavesdropping?

Does this mean that Government agencies cannot listen to our oh-so-important phone calls? Typical. Millions if not billions of our tax money wasted if this technology becomes widely adopted.

Re:What does this mean for eavesdropping?

Somehow I fail to feel harmed if someone hears my conversations.

would you be happy then if the "government" listened in on your phonecalls with your lawyer? or your tax attorney? or your doctor? or your psychiatrist? or your stockbroker? or your mistress? or your wife? or your election campaign manager? or any of a myriad of things you would rather not get out into public or potentially be used against you?

Re:What does this mean for eavesdropping?

In other words, live a good clean life, ignore outside influences, pay your taxes on time and you will have little to worry about; Like me :)

In other words, be completely boring, never upset the status quo, never fail to kow-tow to any government officials you meet (just in case) and be insignificant enough to escape notice and you're fine. Yeah, great plan. You'd do just fine as a serf in medieval europe too.

Who cares if the lord can fuck you in the ass whenever they want, so long as you are ugly and unimportant they won't bother.

Re:What does this mean for eavesdropping?

So, let's say you're chatting with a friend, and he mentions how bad he things random wiretapping is.
That gets flagged as a potential terrorist conversation.
Since he's talking to you at the time, you both get investigated.
They find out that that one weird cousion of yours recently travelled to Italy, and by concidence a known terrorist contact was also in Italy.
You now look like the perfect cover, and warrant a REAL investigation... ie, asking your neighbors and employer questions.
Since they've been asked, and "they wouldn't be asking if there wasn't something to worry about", you are now suspected by your neighbors.
So, they've talked to you boss as well, who recalls that you were late coming back from lunch awhile back. (You're wife's prenatal checkup ran a little long) That story checks with the gov't, but they, naturally, never call your boss back to tell him.. so he's now a little suspicious.

You can't guarantee none of this could ever happen. (And you know the old byline... with the government, any possible abuse is a guaranteed abuse at some point. Do you want to be THAT guy?)
However, if they didn't pick up on the original conversation, that completely removes the most probable vector for something like this happening.

Can you hear me now??

Verizon Guy: Can you hear me now?
NSA analyst: No

Re:Can you hear me now??

Now if there were just a handful of these cell phones being used, the NSA could (probably) handle that and decrypt them.

It's unlikely they could. Assuming the key exchange works properly, and assuming they're using a known good algorithm (such as Rjindael aka AES), the NSA has no shot. Assume they use AES. Default is 128 bits and 10 rounds. Then the following little blurb from Apple's website applies:

AES gives you 3.4 x 10^38 possible 128-bit keys. In comparison, the Digital Encryption Standard (DES) keys are a mere 56 bits long, which means there are approximately 7.2 x 10^16 possible DES keys. Thus, there are on the order of 10^21 times more possible AES 128-bit keys than DES 56-bit keys. Assuming that one could build a machine that could recover a DES key in a second, it would take that machine approximately 149 trillion years to crack a 128-bit AES key.

(To put that into perspective, the universe is believed to be less than 20 billion years old.)


Now, that assumes you can crack a DES key in a second. The fastest successful crack by Deep Crack [wikipedia.org] was just shy of 24 hours, or, 86400 seconds.

Re:Can you hear me now??

Which in NSA speak means, yes... most definitely.

Obviously.

If he truly hadn't heard the Verizon guy, he wouldn't have answered anything at all, hehe.

This sounds like a really good idea

Except anyone who uses one would probably be labelled a terrorist.

Re:This sounds like a really good idea

So label me.

I'm willing to defend my freedom to death. If necessary, against my government.

And I bet, the US founding fathers would be proud of me.

Nice

Not only you are Anonymous, but these were spoken like a true Coward!!!!

Virtually unbreakable?

I think it's asking to be broken, and I bet it will be.

Useless

While transmission does get somewhat delayed, communication is secure.

This is of course useless for phone sex.

Me: "So, what are you wearing?"
Gf: "..."
Me: "What are you wea*"
Gf: "A hot small negli*"
Me: "Sorry, please continue"
(...)
Gf: "A hot small neglige and nothing else"
Me: "*grunt* and then?"
(...)
Gf: "I didn't hear you. What did you say after then?"
Me: "Uh nothing, I was just asking, what do*"
Gf: "Is this thing on? Oh wait now I hear you. Can you repeat?"
Et cetera.

Official product page

Their products page [vectrotel.ch] reveal that they have two models (both with encryption). Of course, this is something you _could_ build yourself on top of an ordinary mobile phone, but naturally, it's convenient to just buy one. (On a side note, one of the models is bloated with a camera.)

unbreakable?

virtually unbreakable 128-bit key,

isn't WEP also 128 bit?

Re:unbreakable?

isn't WEP also 128 bit?

WEP isn't insecure due to its 128 bits, but due to other problems [wikipedia.org]. As I understand it, anyway.

Feasibility for US Market?

This may sound like an asinine question, I know, but I don't have much experience with cell phones at all.

Since this cellphone is made in Switzerland, a country that presumably has differing cell phone communication standards than the US does, is it possible to buy and use this cellphone in the US with a normal US carrier? Or would we have to wait and hope for a company to build something similar for the US?

Thanks, and sorry for the ignorance.

Re:Feasibility for US Market?

Not quite. The 900 and 1800MHz bands are used by different service providers. In the UK, 900MHz is used by Vodafone and O2, and 1800MHz is used by Orange and T-Mobile. Before the advent of the venerable Nokia 3210, most phones were single-band and were built using two PCBs: one for the main processor, audio circuitry, keypad and display, and one for the RF stuff {which would be made in 900 and 1800 versions and the phone assembled accordingly}. The 3210 used a single PCB capable of doing both RF bands. The cost saving associated with the single-board design {no expensive multiway connectors, and a better process hit rate} outweighed the cost of the extra components.

A phone connected to a base station will always us one or the other band. But within each band there are several channels; the phone and base station automatically select the best channel continuously throughout a call {if another subscriber disconnects and the channel they were using is better, your conversation will switch to that channel}. The whole process is kept seamless because both phone and base station change at the same time, between data packets.

need to ask Bruce on this one..

To protect you from misuse by a third party we secured the crypto functions by a user-determined PIN code

There goes all that security. What is the point of trying to break a 128-bit session key if there is just a simple PIN code to break instead? Looks like someone should have read Bruce Schneier.

-molo

Re:need to ask Bruce on this one..

Uhm... you should realize the pin code is on the phone, securing access to the crypto functions of that specific phone... if you want to listen in without being a part of the conversation you will still have to break the session key.

What about authentication?

DH is a way to exchange an encryption key over a public network, but it doesn't tell you who you are talking to. GSM calls are never point to point, so there is always a "man in the middle".

I'm not saying it's necessarily snake oil, but the lack of any details certainly doesn't inspire any confidence.

Re:What about authentication?

This is how it's supposed to work: Alice calls Bob. Bob answers. Alice generates a key pair and sends one of the keys to Bob, keeping the inverse. Bob also generates a key pair and sends one to Alice, keeping the inverse. Alice encrypts everything she sends against the key she received from Bob. Bob decrypts it using the inverse key he generated. Bob sends everything to Alice encrypted against the key Alice sent him. She has the inverse key and can decrypt everything Bob sends.

All clear now? Well, this is how it might work in practice, with a malicious interloper we'll call Mallory:

Alice tries to call Bob. Mallory intercepts the call, pretending to be Bob; gets the key Alice sends, and in return sends her a key {which Alice thinks is from Bob}. A fraction of a split second later Mallory places a call to Bob, pretending to be Alice, and sends Bob a key. Bob thinks Mallory's key is really Alice's key and sends a key to "Alice". Whatever Alice says is encrypted against the key sent to her by Mallory, who -- having the opposite key -- can decrypt it, re-encrypt it against the key which Bob has, and send it on to Bob. Mallory has a nice, fast computer that can do decryption and re-encryption in real time; in reality, it only has to be twice as fast as the processor in either of their telephones. Whatever Bob says is encrypted against a key sent to him by Mallory, who can decrypt it and re-encrypt it against Alice's key. Mallory has both sides of the conversation, in the clear, and neither Alice nor Bob are any the wiser.

PCS

The funny thing is that when PCS technology first emerged, the same claims were made. It was encrypted, and each signal was overlaid with 19 other conversations to make it near-impossible to clone, or eavesdrop, unlike normal digital cell phones.

However, what most people don't know is that the Marine Corps invented PCS technology back in the Viet Nam era, and no doubt the government can listen in if they so decided.

Man in the middle

Just in case you didn't RTFA, the phone displays a hash on the display. As long as you read this one to whoever you're talking to, you more-or-less foil a man-in-the-middle attack.

I'm more worried about the proprietry algorithm for the encryption, and how it's implemented. Any conspiracy theorists will still think there's a back door for the government (or swiss secret service?) to listen in.

Anyone with anything really important to say would use GPG on an MP3 and maybe a lashing of stenography on top.

Why not get one from cryptophone.de?

Cryptophone is a company that has been making phones like this for some time already.

They employ some of the smartest crypto people, use well-known algorithms and publish their sources so you can check them yourself.

Some points...

Reading the comments made me cringe, so here goes....

Some points;

- 128 bit keys are probably good enough, depending on the nature of the conversation. Diffiehellman generates a per-session master secret. To this you would then apply a KDF ( Key Derivation Function ) in order to produce your session key for use with your symmetric cipher, most likely AES or 3DES, maybe even TwoFish. A new master secret is generated every time you make a call, hence the session key changes per call, this is UNLIKE your WEP key, which is constant or one value selected from a set. The consequence of this is that although it is practical to break an 128 bit symmetric key, it is NOT practical to do so in the time interval in which the call is taking place. Hence the encryption applied is strong enough for protecting calls in the short term, although if someone captured the call they could possibly decrypt it at a later date.

- GSM does feature limited cryptography. Unfortunately, and rather amusingly this encrypting is only carried out on radio traffic. Once the data reaches the base station / cell, it is sent in the clear around the cable cellular netork's backbone infrastructure.

Its a good as your surroundings

This is all great but can you trust the person sitting next to you on the bus? The stranger behind you? How many of us have eve's dropped on other peoples conversations?

Big question is

Does it work with a foil hat?

Sectra Tiger

A Swedsh company called Sectra has made secure cellphones for years. Their latest model is the only cellphone certified to the security level NATO SECRET by NATO.

http://www.army-technology.com/contractors/navigat ion/sectra/ [army-technology.com]

Regular-use crypto

This seems like a neat little gizmo but I doubt I'll be able to convince my girlfriend, father, sister, friends, etc. to buy one too -- so the encryption feature would actually do something. As nice as the idea is, you still need two of these phones for it to work.

There's a parallel problem with GPG or the like. Since very few people have or want to use it, sending unencrypted e-mail is the only way to communicate with most of the world.

This phone is worse than that, though, since I can download GPG/cyrpto-software-of-your-choice and even install it for someone and show them how to use it -- but I'd have to persuade them to spend money on new hardware (and then convince them to actually use it with the crypto on!) in order to use the features of this phone.

Apathy/Laziness: 1
Discerning Citizens: 0

No use for terrorists

Even if what you are saying over the phone is 100% secure (No matter ig it is scrabled or you just say a series of numbers)
a terrosist won't be able to use it. Because the first important thing is not what is being said, but to whome you are using.

As cellphones are easy to listen in on to, this is already a good use of the average business man and CEO who is afraid of industrial espionage.

Unfortunatly these are the same people who won't use gpg on their email, because it is too difficult to use.

Drugdealers and such might find it mildly usefull, although buying a (smaller) phonecompany so you know when they start listening in might be a better idea. Just switch numbers at that moment.

President Logan must have one of these

How else could he make all those long cellphone calls to his fellow conspirators in which he openly admits to involvement in terrorist activities without somebody at NSA going, "Jeez, is that who I think it is?"

Too bad it didn't protect him against his wife's secretary using a $30 digital recorder from Radio Shack to tape a conversation incriminating him in the assassination of a former president, but then, *everybody* was having a bad day.

How about backdoors

I vaguelly remember some investigatory documentary on Discovery or some other such channel where they were investigating how information on a bid by an European company for the rights to explore an oilfield somewhere in Asia had been intercepted by NSA and provided to the competing US companies.

The interesting (not to mention relevant) detail here is that they (the Europeans) where using a supposedly safe mobile phone (made by a Swiss company i believe) which turned out to have a backdoor that allowed NSA to decrypt the calls.

Why should we expect these guys to be any more honest than those other ones where (assuming they're actually not the same ones)?

As i see it, the best way to make sure you have a backdoor free safe phone is to have a generic open-mobile solution, a bit like a mini-PC but for a mobile phone, with an open communications API that allows development and deployment on such a mobile of software which provides the safe communications.

As long as the encryption layer is implemented by the provider and cannot be checked by any independent 3rd party, there is no guarantee whatsoever that it ain't filled with backdoors/weaknesses put there on purpose to allow the sig-int agencies (of one or more countries) to be able to spy on calls made via those mobile phones.

Easy to defeat

This is silly. The phone can employ all the secure tricks it wants, 128, 256, 1024 bit keys, exotic custom stuff, etc. Makes no difference.

If somebody wants to know what you are saying, they just bug the handset. They have to really want to listen pretty badly and come up with a way to get the phone long enough to mod it, but it can be done, has been done, and been used against assorted targets around the world.

As long as people have to speak into the phone and hear sound from the earpiece, there will be plain old bugs in phones.

Convenience

How much faster do current generation Cell Phone CPU's have to be to do this without a delay and seamlessly. If this was an option that the phone could negotiate transparently AND IF (big if) they made some good looking phones (omg pink ponies) they may have a chance of gaining larger market share but beyond a significant percentage of people using these they wouldnt help with the blanket surveillance problem (none of the people you talk to would be using it)

Only 128 bits?

If you want your calls to be secure, you're going to need more than that. Sure, 128 bits is enough to keep someone from decrypting the call easily within a few minutes, but give them a few hours and a small server farm... I'm surprised the phone doesn't come with the options to bump it up to 256 or even 512. 128 bits just doesn't seem like enough anymore.

Maybe I'm just paranoid, and IANACE, but still... The Other Guys have money and resources too, you know.

Concerns over privacy at all time high?

Really? I'm not aware of any particular events that are going on at the moment that would make people especially worrried about privacy.

unbreakable?

virtually unbreakable 128-bit key

for now... quantum computing promises the ability to break these virtually unbreakable keys while i'm getting a cup of coffee. if it can be made, it can be broken. it's a universal truth. if we can't break it now, we'll be able to break it later - and you better believe the NSA will be able to break it before you know they can.

Can some phone-geek clear something up please?

My understanding of how cell phones work:
  a) Alice calls Bob
      + results in a SS7 data message sent accross the PSN (publicly switched network - aka. legacy phone excahnges) to establish a ring on Bob's set.
      + If they're both cell phone users, then there is additional routing accross each users' cellphone networks.
  b) Bob answers the call and talks with Alice
      + Cell phones often use u-law [wikipedia.org] for voice/data compression. The PSN transmits at a lossless (unless it's VOIP) 8 sample at 1khz See here [cf.ac.uk]

With u-law compression (and other regions of the earth use different compression schemes to account for different intonations of the languages used) how can you reliably send lossless data using these phones?

Read "Black" by Whitcomb

exerpt from amazon:

The key issue surrounding her case is her opposition to a new, encrypted cell-phone technology that is virtually impossible to tap. Since 80 percent of U.S. intelligence is gathered via intercepted communication, the new technology could be devastating to national security. Is Beechum being framed, and if so, by whom and why? Whitcomb, a former FBI agent and author of the nonfiction best-seller Cold Zero: Inside the FBI Hostage Rescue Team (2001), uses his insider knowledge of the bureau and the Beltway to create a compelling context--character assassination taken to the next level--for a political thriller.

Without giving too much away, suffice it to say all is not as it seems.

Why DH is wrong for phones

While I actually think that having MitM vulnerabilities for phones isn't necessarily terrible (since it requires active participation by an attacker), it's also just not necessary to leave this hole open.

The thing I have noticed about my own phone usage is this: I mostly call people that I know in the Real World. A PKI would work perfectly, because there are many opportunities for secure key exchange.

And with time, even PK becomes obsolete. As phone storage increases, OTPs would work. Just let my phone sit next to my girlfriend's phone all night, and let the two devices negotiate a few gigs of random pad over a low-power IR link. Why is this team, and also my hero PRZ, using DH when better stuff is around? I mean, maybe DH is good as a backup plan when you don't have someone's public key, but it shouldn't be usual way to get the job done.

How about a secure headset instead?

It seems a way to circumvent all the regulatory concerns would be to produce a wired headset with the encryption hardware right on the wire. Let the end users buy two or more at once and program the shared key list via USB before deploying them. That way, any phone could be used, even cordless house phones and rentals.

The Templars are at it again

OK, so why does it not surprise me that a Swiss company is the first to do this (at least in public)?

Please don't put a camera in it!!

And I'll buy one. I HATE Cameras in phones, because it means I'm forced at times to leave it in my car (some of the places I work do not allow cameras).

But I like the idea of encrypted calls, just like I like the idea of encrypted email. Yeah maybe I don't have anything secret to talk about, but my conversations aren't anyone else's business! Period.

DH is no protection against NSA/AT&T spying

Diffie-Hellman key exchange is pathetically vulnerable to man in the middle attack. Most times, an assumption is made when using a protocol like DH for key exchange that getting "in the middle" would be hard for a malicious party. But when that malicious party is your ISP/Verzon/AT&T, you have absolutely NO protection. They will simply initiate DH key exchange with both you and your terrorist mom when you pick up your "secure phone" and call her. You, mom, and NSA are the only parties that will understand what is being said. It doesn't matter about 128 bits or 973262 bits or bugging the phone or listening over your shoulder. Bottom line: If you need to exchange your key over the network before you can trust that person then you are already pwned by your telco/ISP befor you say another word.

One thing I can guarantee

Whoever has the job of listening to my phone calls has a worse job than I do and a worse life. The only thing worse than having issues is being forced to listen to someone else's issue that you can neither control, nor bring yourself to care about...g-men, are you listening? I'm going to the gas station to fill up my SUV, then I'm going to get milk on my way home...at which point I'll change my daughter's diaper, eat, and go to bed at 9:30...enjoy your job of listening to my laundry list. Listen closely, lest you miss the scorching details of my trip to Bed Bath & Beyond and maybe Home Depot if we have the time.

2003

See also NAH6 [slashdot.org]

Re:Are people really this paranoid?

Belts and braces? Prehaps every little bit helps. If someone really want to hear you won't stop them but it will add an extra bit of armour to you

Re:Are people really this paranoid?

To paraphrase the saying, "it's not paranoia if you're actually being watched."

The reason to encrypt is not to make it impossible for investigators to hear you -- because, as you said, they can bug you in some other way. The reason is to make it impractical to do widespread monitoring of innocent people. When all calls are encrypted, investigators have to do a little actual work to bug a call, so it's impossible to instantly tap all the innocent callers as they'd like.

And if you've been following current events at all, you'll notice that a large portion of America isn't nearly as "paranoid" as it should be.

Re:Cryptography?

You assume wrong; the encryption is end-to-end. It will be pretty easy for anyone eavesdropping to tell you're having an encrypted conversation though. And the eavesdroppers can still tell where you are and what numbers you are calling...

Re:Cryptography?

If this is not the case and if I were some terrorist, I'd like to have one of those phones and service!

Or, as it turns out, a reporter with confidential sources, or anyone in general who is opposed to current government policy.

Re:Are people really this paranoid?

What is it with the adolescent moderators? Anyone who dares disagree
slightly with the line taken by the article gets modded as a troll??
Wtf is going on here??! How excatly was I trolling you amateur hour
moron moderator?

Re:Are people really this paranoid?

if you want to stop the government listening in to your conversations then you're out of luck anyway , since they'll just bug you some other way.

It's far, far easier for the government to bug all the phone lines (as they're currently doing, I might add) at a central point, and then plug in to someone's conversations at will. If you're using an encrypted phone, then Echelon / Carnivore / AT&T / Dubya's Latest Secret Illegal Wiretap can't listen in. The government have to break in to your house, take a screwdriver to your phone and physically bug the thing.

Can the government spy on everybody by bugging the telephone exchange? Yes, easily, and they're doing just that. Can the government spy on everybody by secretly bugging every last individual phone? No, it would be prohibitively expensive. Have the NSA burgle every single house individually and fiddle every single phone? Impossible.

Encrypting phone calls makes it enormously more expensive and difficult for the government to spy on you. That's got to be a good thing.

Re:Honeypot?

So pay with cash and put a pay as you go SIM card in it. They'll more than likely be able to tell that you are using one of these phones by looking at the packets it's sending and from there they can find out the details of the SIM card and the phone's IMEI (serial) number, but if the SIM and the handset are then just linked to 'Random cash purchase' when they start digging there's not much they can do.

What the point is

Regular GSM is encrypted, as you say, although weakly. The GSM encryption encrypts the link from phone to cell tower. This will, in no way, prevent a government wiretap or telco employee with greased palms from intercepting your call after it has been decrypted and put on the network.

This, on the other hand, provides end-to-end encryption, and stronger encryption at that.

Re:They should have used SSL

In the article, it says they show you a "hash" on your cellphone display. A hash of what? A hash of the temporary session key? are you supposed to verbally communicate this to the other person to make sure they agree? That wouldn't make any sense.

That is exactly what they mean, and it makes perfect sense. It's a cheap and simple solution, which does not require any smart cards or certificates, which would make the whole thing inconvenient enough to be nearly unusuable.

But hey, maybe you're right, I'm sure Joe Q. Slashdot can think up a much better solution in five minutes than any group of cryptographers can over the whole developement cycle of an actual commercial product.

Actually, no, they're not encrypted...

They've got crypto in the protocols and network- but to the best of my knowlege, they don't have it turned on for some reason. They're relying more on the spread spectrum features of the various different PCS/GSM services to make it difficult for the average person to snoop- and since you're signalling back to a central point nearby you that hooks you into the network, they don't need to intercept the cryptoed conversations if they ARE encrypted- they can intercept at at different point in the system without worrying about your keys.

Re:Ummm....

There is some information here [vectrotel.ch]. It says that they're using 1024-bit DH to negotiate a 128-bit AES key, then they XOR the output of the AES algorithm with the voice data.

Frankly, I don't trust it.

First of all, neither 1024-bit DH nor 128-bit AES actually give you 2^128 complexity. For AES, you need at least 256 bits of key material to get 128 bits of security [windowsecurity.com]. I don't know specifically about diffie-hellman, but it's very similar in structure to RSA, and experts have been recommending at least 2048-bit keys for RSA [schneier.com] for years now.

The "XOR" part of the description, while somewhat scary-sounding, might actually be counter mode [wikipedia.org], which is considered secure for AES and is actually recommended by Bruce Schneier in his book, Practical Cryptography. Or, it might just be XORing the output of a single AES ciphertext block with the entire plaintext datastream. We really have no way of knowing.

Have a look at the Vecrotel FAQ [vectrotel.ch]:

VECTROTEL IS BASED ON WHICH SW PLATFORM? IS THERE A SECURITY RISK?
The software is proprietary. There is no security risk.

... KNOWING AND CHECKING THE SOURCE CODE IS VERY IMPORTANT. IS EVERYBODY ABLE TO REVIEW THIS OURCE CODE?
No, we do not release the source code. Too much know-how would be at stake.

Totally unacceptable.

If those really are "frequently-asked questions", those responses are simply arrogant. The has clearly adopted a "trust us" mentality, which just doesn't work with people who want strong security. I also don't see any FIPS certifications anywhere.

I smell snake oil [interhack.net].

Mod my previous reply down

[Please mod my previous reply down. It's botched.]

There is some information about the algorithms they're using here [vectrotel.ch]. That page says that they're using 1024-bit DH to negotiate a 128-bit AES key, then they XOR the output of the AES algorithm with the voice data.

Frankly, I don't trust it.

First of all, neither 1024-bit DH nor 128-bit AES actually give you 128-bit security (i.e. 2^128 complexity). For AES, you need at least 256 bits of key material to get 128 bits of security [windowsecurity.com]. I don't know specifically about Diffie-Hellman, but it's similar in structure to RSA, and experts have been recommending at least 2048-bit keys for new designs using RSA [schneier.com] for years, and that's not even to get a 128-bit security level. For a true 128-bit security level, you need something like 6100 bits (if I remember correctly), which most people don't use because it's very slow to do in software.

The "XOR" part of the description, while somewhat scary-sounding, might actually be counter mode [wikipedia.org], which is considered secure for AES and is actually recommended by Bruce Schneier in his book, Practical Cryptography. Or, it might just be XORing the output of a single repeating AES ciphertext block with the entire plaintext datastream, which would be trivially insecure. We really have no way of knowing.

As for authentication, which is often more important than confidentiality [windowsecurity.com] (and which may be required [iacr.org] for confidentiality)? This [vectrotel.ch] is all I could find:

Additional security and integrity is ensured by a calculated HASH checksum that is indicated on the display.

There is no mention of what hash function is being used, nor of what is being hashed. Furthermore, people who talk about "HASH" -- in all-caps, as if HASH is an algorithm itself -- clearly don't know what they're doing. It might just be Vecrotel's marketing department messing things up. Or, it could be a more fundamental lack of expertise within the company. Who knows?

Have a look at the Vecrotel FAQ [vectrotel.ch]:

VECTROTEL IS BASED ON WHICH SW PLATFORM? IS THERE A SECURITY RISK?
The software is proprietary. There is no security risk.

...

KNOWING AND CHECKING THE SOURCE CODE IS VERY IMPORTANT. IS EVERYBODY ABLE TO REVIEW THIS SOURCE CODE?
No, we do not release the source code. Too much know-how would be at stake.

Totally unacceptable.

If those really are "frequently-asked questions", those responses are simply arrogant. The company has clearly adopted a "trust us" mentality. If I was willing to blindly trust other companies, I wouldn't be looking for a secure phone!

Crypto products are like voting machines. If their operation is not independently verifiable, then they simply cannot be trusted.

As an interesting side note, I don't see any FIPS certifications.

I smell snake oil [interhack.net].

Re:Are people really this paranoid?

Well, if you have a government that is itself so paranoid that it believes the Chinese government is implanting bugs in every laptop, that secrets can be kept by a bureaucracy, that laptops aren't a bad place for a bureaucracy to keep secrets, and that bulk monitoring phone call traffic is not only legal but a productive use of their time, perhaps the thought that such a government might just listen in on your calls and get confused about who's who and what's what and think you're talking about some nefarious activity, just ain't so crazy.

Also, suppose some NSA guy listens in on a random phone call and happens to hear a guy tell his lawyer that his company is about to go bankrupt because the CFO ran away with $$$. What's to keep him from immediately going out and selling the stock short? Remember, there are several *secret* organizations (i.e., bureaucratic) out there staffed by people who are trained and encouraged to not tell anyone what they are doing. Don't you think the likelihood that some people within such an organization may have a lack of scruples (a top secret clearance doesn't guarantee they don't), and find it all too convenient to add some of their *own* autonomous secret behaviour that takes advantage of their position? Who is going to "out" them or whistleblow on their activities? Do you trust the administrators of such programs to be able to detect such things, to be spotless in their behavior themselves, and to do the right, fair and honest thing when problems are discovered?