I caught a piece in today’s Guardian about Cellcrypt. Now, before you do anything and assuming you haven’t come across the company before, what do you think they do?
Encrypt your mobile calls? Aye. You’re right!
I immediately started thinking of special black-boxes taped to mobile handsets, but no, that’s not their service at all. In fact it’s all VOIP — that way, they can, I suspect, control everything end-to-end from your handset.
If securing your telephone calls is important to you then do take a look at Cellcrypt’s offering. They’ll give you secure voice calls over 3G, WiFI and GPRS with RSA 2048-bit and AES 256-bit encryption. Nice.
It won’t be much of a surprise to you to find that you can’t download Cellcrypt from their site. You can buy it, but you need to register first to find out how much it costs. Presumably if security is an issue to you, cash isn’t.
So, I haven’t tried it out but it looks pretty usable:
Cellcrypt is on the hunt for venture funds to expand it’s service offering, reports Richard Wray of The Guardian:
Cellcrypt, founded only three years ago, is run by Claes Bergstedt, a former sales head of the British electronic organiser firm Psion. It has been operating in “stealth mode” while it perfects its technology and gains security clearance from the UK and US authorities. Having raised initial financing from Porton Capital, the company, which has only a dozen staff in London and Woking, Surrey, is in talks with investors about raising more cash to launch its sales and marketing efforts.
Hmmmm….when was the last time you read a story about someone's mobile being evesdropped on?
Squidgygate?
The only reason modern mobile works *at all* is that it's already encrypted – by one of the heaviest algorithims known to mankind.
With up to 6-way soft handoff at once, your call is simultaneously going over many different radio code channels, using different codes, to different cellsites. Oh, along with the hundreds of other simultaneous calls. 3G mobile is – literally – way more complicated than rocket science.
Adding yet more encryption to an already encrypted service is a solution looking for a problem (and, er, a pile of cash too.)
If I wanted to know what you were talking about, i'd just video you and find a lipreader to interpret. Or bug you. Or use one of them bionic ear thingys.
Next.
/m
Excellent perspective Mike
It probably is easier to eavesdrop on someone, but GSM is far from uncrackable
http://radar.oreilly.com/archives/2008/04/crack…
http://www.blackhat.com/presentations/bh-dc-08/…
Having said that, if the Police or Security Service get a warrant (or not in the US) they can tap your call at the exchange. End-to-End encryption is useful in that scenario.
Hmmm….so their business model is: please give us money to develop a service we can only sell to those wishing to avoid the legitimate, court-order backed attentions of the police or security services.
Where do I sign? 😉
Note the business is run by a salesman. Surprise.
…Anyway, how long has it taken for this to eventuate? GSM has been around for 15 years, and they are only just making it (apparently) within the grasp of a moderately well-heeled, tech-savvy criminal to break, assuming it all works perfectly (note that if you are moving at the time, frequency hopping and cell handoff will require a re-lock onto your call etc etc etc).
Within a few years most calls will be on 3G / LTE, which has far tougher levels of encryption and synchronisation required just to work in the first place.
I'm not loosing any sleep over this one. If The Man wants to get you, he just slips something into your Sushi, or pushes your wheelchair off the cruiseliner, or arranges some Paparazzi to…er…oh, never mind. it's getting all a bit The Express around here 😉
Heh have you got any Princess Di rumours as well, Mike?
Agreed – the only value I can see here would be caller authentication where by the certificate exchange gives confidence over who is calling / being called (as long as you trust control of physical access to the devices by other means such as tokens / PIN codes).
It's going to need some serious inspection by the powers that be (CESG in the UK, NIST in the US) to allow any kind of government / law enforcement sensitive information to be discussed over it and being internet-based won't help any… Look at RIM's huge list and imagine the investment that took! http://na.blackberry.com/eng/ataglance/security…
The crash happened when Dodi tried to wrestle the chauffer's RAZR away from him…
Hi,
I am one of the founders of the company. The focus of Cellcrypt is to provide end-to-end security for packet switched voice (VOIP) as opposed to using unsecured circuit switched voice, the mobile client being only one of the products we are developing. The assumption is that your corporate traffic outside your perimeter is already secured but voice calls are not and we are closing this gap.
For personal use I would compare it to http/https, where most of your traffic is in clear and you are not terribly concerned about it, but when you use your online banking you have an expectation that the transaction will be encrypted end-to-end.
We are not just trying to secure the current infrastructure but provide the tools to have secure calls where it will all have migrated to a fully IP world.
Hope this gives more clarity.
Rodolfo
Thanks for taking the time to contribute, Rodolfo!
3G/LTE only encrypts the radio traffic (i.e. between handset and base station) and nothing else
http://news.bbc.co.uk/2/hi/europe/4881668.stm && http://wiki.thc.org/gsm
Hmmm…'Unsecured circuit-switched voice'.
So, for a mobile-to-mobile call, you agree that the air interface is encrypted. That leaves the horrifically insecure bit in between, consisting of, er, the MNO's Node B-RNC-MSC and interconnection circuits. Which, because they are required to be used for legal intercept, have to meet some pretty darn tasty security standards.
Why, just last week I attached a pair of dogclips to the Voda-O2 link and listened in to a few cabinet ministers bagging some Scottish bloke.
If you can show me a feasible way to hack a mobile-to-mobile 3G call (without being the NSA or MI6) I'll buy you lunch. Anywhere.
As for mobile-to-landline calls, yup, you could easily dig up someone's front yard, clip onto the wires and listen away. But that's not your product AFAIK.
No government worth its comsec salt will touch this. There are sooooo many potential gaps in the implimentation it's not funny. Truly secure comms is done over TEMPEST-certified gear, using cyphers that go a tad beyond what's on offer here.
Oh, and 3G VoIP has zero QoS. Good luck there convincing corporates to adopt en mass. How many CEO's use Fring eh?
Likely purchaser: An uber-paranoid CTO with James Bond delusions and visions of his secretary swooning over his encrypted E61 (not even an E61i).
(Sorry to be all negative, but 10yrs 2G/3G RF engineering + 5yrs military RF/cypher engineering = sceptical Mike42)
01101000 01100001 01100011 01101011 00100000 01101101 01100101 00101100 00100000 01100010 01100001 01100010 01111001 00100001
<pedant>It's GCHQ that do SIGINT (http://en.wikipedia.org/wiki/Sigint) not MI6</pedant>
But otherwise Mike42 is spot on.
There may be some places in the world where access to the points of interconnection may be less controlled, but wouldn't any normal VOIP system prevent this anyway?
Goodness knows how many alarms your post has triggered at various Government
and military listening posts around the world, Mike…
James Whatley (or is that Bond…) will be first against the wall when the mobile espionage revolution comes. Anyone that connected is plainly up to no good.
They'll all be Twittering about it on Spyku. Maybe pop over to GCHQ's FB page….
It says “while … it gains security clearance from the UK and US authorities”. You can bet Cellcrypt won't get this clearance until they have agreed to installa special backdoor for the NSA to eavesdrop on our calls.
I would not trust it.
Why not simply use Truphone with an https connection ?
It says “while … it gains security clearance from the UK and US authorities”. You can bet Cellcrypt won't get this clearance until they have agreed to installa special backdoor for the NSA to eavesdrop on our calls.
I would not trust it.
Why not simply use Truphone with an https connection ?
It says “while … it gains security clearance from the UK and US authorities”. You can bet Cellcrypt won't get this clearance until they have agreed to installa special backdoor for the NSA to eavesdrop on our calls.
I would not trust it.
Why not simply use Truphone with an https connection ?
CELLCYPT HAVE JUST COPIED A PODUCT FROM GERMANY BUT HAVE NOT DONE A VERY GOOD JOB OF IT WE HAVE TRIED IT AND IT IS HIT AND MISS AND NOT 100% SECURE YET THE BABYLON NG BY SAFE-COM IS 120% SECURE TRY BABYLON ITS IS THE BEST