How secure are your mobile calls?

All the recent controversy about Spinvox and the recent News of the World allegations has got me thinking about security on mobile phones and what we should and shouldn’t discuss via our handsets.

As I’ve pointed out quite a few times, I’ve always been a fan of Spinvox and, as a user, thought the service was pretty wicked. Instead of all that arsing around with voicemail, I very much appreciated the ability to read my message in my SMS inbox (or my email). Brilliant. So I often suggested the service to other people I met and worked with.

Indeed I suggested it to the CEO of one massive financial company I was working with a while back. He reacted with horror.

“No way! Absolutely not!”

This surprised me and it seemed a pretty harsh reaction so I pushed the chap a bit more. It turns out that as I’d explained the service I’d mentioned that the messages ‘might’ be passed to a person for verification/quality control. And that was an issue for this chap and his colleagues. A massive issue. You see sometimes the messages they leave each other are important .. you know, billions of pounds level important. They just couldn’t take the risk that someone would listen in to them. (If that’s the issue, then why doesn’t he have a PIN number on his voicemail?)

I’ve been pondering this notional security issue a bit more. For most people it doesn’t matter if someone hears their message – not much damage can be done if someone knows what I’m planning on seeing at the cinema tonight. But there are some people that CANNOT risk this. No way. Never. Not under any circumstances. Their conversations are just too important, secretive, valuable (as this Tweet by @jebbrilliant succinctly points out). But then I wondered whether they can feel safe using a mobile at all – are mobile comms out of the question completely if you’re that important?

Then I remembered a company Alex had written about called Cellcrypt. They secure calls on your mobile. Not just a bit more secure but SHIT HOT secure – to US Govt standards. And as it’s on a regular mobile (a BlackBerry or Nokia) you’re not making yourself known to everyone by being on a big ugly brick of a ‘security’ phone.

So is this the way forward for the kind of people who’re really concerned about security?

In some of the consultancy I’ve done I’ve seen the ‘dark ops’ teams that some big, multinational companies have. The kinds of teams that are gathering ‘competitive intelligence’. I’m sure these guys wouldn’t hesitate to tap into a call or two if it could help the company – and I’m also sure they could do it no matter what Vodafone or whoever says about it. Indeed some of the chaps I’ve spoken to intimated that they had ‘friends’ at mobile operators. Rather concerning if you’re relying on your mobile to transmit secure information.

Businesses can’t realistically go back to the dark ages of not using mobiles, so will they all need to start using Cellcrypt for those ‘sensitive’ calls? I reckon so. But of course we’ll never really know as they’ll just be talking as normal on their BlackBerry.

Interesting stuff. I’m going to see if I can get a demo of the service and check it out.

  • Mike42
    The big problem I have with this is: If a deal IS worth Bn's, and compromising the call could compromise Bn's, then the call better be

    a) over milspec cypher kit
    b) be made in a soundproof, clean (i.e. bug-swept) room
    c) be made out of line of sight of ANYONE or ANYTHING that could record your face and pass it to a lipreader.
    d) The recipient likewise must not be compromised by their environment.

    So - any call made outdoors, or in an office with glass windows, or in a car you don't own / have had debugged, or within earshot of anyone you don't 100% trust, is not secure.

    Plopping an app onto a handset that can also run loads of other apps is not the way. Who's to say while you were at the pool last week that someone didn't crack your locker (£5 combination lock from Halfords) and install a simple audio recording app that then sent the WAV files to a server somewhere? You'd never know - unless you didn't have a data plan (unlikely on an iPhone or BB) and anyway, it could make ghost calls/MMS you weren't aware of.

    If execs believe they are safe because they use CellCrypt, they need re-educating by their own 'Dark Ops' guys.

    Bottom line: if you think you NEED this solution, then by definition of what it's installed on and how it gets used it isn't good enough.

    /m
  • Hi,

    just a quick disclaimer: I'm the co-founder of Cellcrypt.

    Having said that, you're 100% right on the soundproof room. I have spoken with customers who have the same setup for their board meetings or emergency rooms. Pretty much they are protected against everything that requires proximity (lip reading, laser microphones etc.) or physical access (bugging).

    What we do address is that you are constrained to that room and that is not always an option. Suppose your board meets once every month to discuss sensitive issues - how are your board members going to communicate the other 29 days? What if it's not a billion dollar deal but just millions. What if it's an emergency and you do not have the luxury of time? The marginal cost (time and money) of the clean room or even having all team members flying in might be a factor in your decision to switch to encrypted calls.

    Imagine a scenario where you have people deployed in a developing country handling reconstruction projects. Maybe in a deserted area where it's pretty hard to have a secure room. Would you trust the network? You bet I would not.

    More to that point we have seen board members of large companies equipped with military handsets specifically for the reasons I just mentioned. And their usability is atrocious.

    On your second issue re handsets security you are also spot on. We need to be able to trust the device not just have secure communications. Only manufacturers can address this issue and they currently do it by locking down the devices and signing software but it's not a silver bullet.
    I still prefer Cellcrypt to military handsets with 10 year old firmware (which is anyway a civilian solution stripped down of certain functionalities).

    My 0.02
  • Malcolm Murphy
    The issue is not the technology. It's never the technology. How many commercially sensitive conversations have you overheard on a train/in a hotel lobby/etc?

    Super secure phone line/voice mail/whatever will always be defeated by stupid or naive behaviour.

    As Mike42 says, if you're in a multi-bn deal environment, you'd better have your own spooks looking after you. This kind of solution, neat and cool though it is, just can't be good enough.