What Happened With ZRTP This Week
On Monday, June 24, Mark Dowd of Azimuth Security contacted us because he found some bugs in Werner Dittmann’s Open Source ZRTP library, hereafter called ZRTPCPP. We use ZRTPCPP in Silent Phone, and it is also used in a number of other VOIP systems. Werner consults for us, and we fund him and the development of his library.
Mark is fantastic to work with and we really appreciate the way that he contacted us, worked with us and came up with a remediation plan for ourselves and the other consumers of ZRTPCPP which include a number of VOIP clients as well as some libraries, as thus all the clients of those libraries. Collectively, we put together a notification and update plan so that we could have the family of people using ZRTPCPP library close the inevitable window of vulnerability as tightly as possible.
By Wednesday, we had things pretty much under control and were planning a coordinated release of software and Mark’s article. Somewhere there, we all collectively dropped the ball. I’m not done with an analysis on it, but my present suspicion is that with us stretched across time zones from UTC+10 to UTC–8 we just all crossed our wires.
Fine. We huddled and Mark was gracious enough to take down his article so more software could get in place (including ours). A couple of news organizations agreed to embargo the gory details for a couple days, too. Lots of us scrambled and we got the software out. The Android app got out Thursday (which is the biggest concern, since it runs on Android versions back to Gingerbread), and the iOS app today. We think most other people are okay, too, and when Mark’s satisfied, he’ll have his blog post back up. Almost certainly you’ll be reading this after he re-posts.
On our end, we consider our top priority protecting our users, and given the situation, we decided that first priority is to get the fixed software out there, with as few exploitable details as possible. Again, thank you to Mark for agreeing with this and his help. There have been various people around the net who have said that someone could have decompiled the binary to find out the issue. Certainly they could have. However, these particular bugs in ZRTPCPP have been in GPLed, public source code for six years plus, and Mark was the first one to find them. Moreover, the fixes were in GitHub before any of this happened, which fortunately no one seemed to notice.
Moreover, we’re a privacy company. We don’t keep a subscriber list. Some people have given us contact email addresses, but fewer than you’d think. Our philosophy has been that metadata is bad, and so we know less about our customers than you might expect.
Android usually downloads app updates automatically. The full detail on that is long and complex, so let me just say that if you are an Android person, make sure that anything remotely security related has automatic updates. For us, the automatic app updates was the best way to get information to people who need to know. The Apple App Store worked well for an expedited release, and thanks to them. We appreciate it. If you are an iOS user, please update if you haven’t. Once the uncertainty on delivery through the various app stores settled out, we tweeted it.
It’s now Friday evening and from where I sit, the worst of the storm has passed, and Mark is working with us on re-releasing his blog. The library fixes are also now propagated to the Java versions of the libraries, and the other VOIP clients using the libraries expect to have fixes in their builds before the end of the weekend. I’m not mentioning their names; if you use other VOIP clients that might be affected, check their sites.
To all my customers and those who use other affected software, I am deeply sorry that we fumbled this. We’re even now looking at how to do better next time, while hoping that next time will be long enough from now that we don’t actually acquire skill at handling such problems.
We’ll get the updated sources for Silent Phone onto GitHub soon. I will also write more over the next few days as we do more internal investigations. Thank you for your understanding and forbearance today.