โYou canโt encrypt stupidityโ
A company that is offering fully-encrypted communications has said that somebody with $170 to spend on the right equipment and the right know-how could โeasilyโ intercept mobile calls and texts from out of the air.
As a result, the company argues, sensitive personal and commercial data and information is at risk as it is transmitted over the air, and requires extra protection. The company is offering a suite of encrypted comms products on IoS and Android (December) from $20 per month to address that need.
Silent Circle has been formed by an alliance of ex military staff and veteran cryptography experts. CEO Mike Janke is an ex Navy Seal sniper while Paul Wood, Special Projects Director and in charge of the UK and European business, was formerly employed by the SAS, the company said. Philip Zimmermann, founder of Pretty Good Privacy, is the companyโs chairman, while CTO Jon Callas was also a PGP cp-founder and creator of hard disk encryption products such as Appleโs Whole Disk Encryption.
The service uses Zimmermannโs ZRTP and PGP encryption software to provide peer to peer encryption of calls and texts, as well as video calls. The software detects when a call starts and initiates a cryptographic key agreement between the two parties and then encrypts and decrypts the voice and data packets on the fly. The keys are destroyed at the end of the call.
The Silent Circle network compresses data to such an extent, that it can provide encrypted Video calling over EDGE networks, or between a user on WiFi and a user on 3G, with very low latencies.
Other features include a burn notice on messages, so that a message automatically โself-destructsโ after a certain time. The company also offers a secure calling plan that lets users โcall outโ form a Silent Circle number to a non subscriber. The part of the call between the subscriber and the companyโs servers in Canada remains encrypted, while the leg of the call from Canada to the other party remains open, Janke said.
Silent Circle claims it is the first and only company to offer peer to peer encrypted voice and text communications, without retaining data or keys on server infrastructure. Cellcrypt, which provides an encrypted communications service, declined to comment on the differences between the two companiesโ approaches.
TRANSCRIPT OF EXCERPTS OF MOBILE EUROPE INTERVIEW WITH SILENT CIRCLE:
(MJ = Mike Janke. PW = Paul Wood)
MJ: We set out creating this service, we call it curated crypto, weโre doing something that nobody else does and that is peer to peer encryption. We were able to create products that can truly do P2P but you donโt have to think about it. It should have no DiffieโHellman key exchange โ it has to be user friendly. We spent millions of dollars on our own network, SIP services and codexes so that we can do encrypted video walking down a street on EDGE, 3G, 4G, completely encrypted. Facetime canโt even do mobile video now without 4G. We do it on EDGE.
When I speak to you it leaves your phone encrypted so even if the government or the Chinese grab it out of the air itโs just encrypted gobbledegook. That means nobody has to trust us, you have the keys but when the call is done the key is deleted.
I can send you a text, video, location and put a burn notice that says you can only look at this naughty picture for five minutes. If I want to send location, a snapshot of Apple maps comes up [this is a planned future feature] and I can even burn that.
There are apps that are out there that are VoIP or texting apps that say they are secure and yes up to a point they are, but what people donโt understand is that itโs a TLS VPN tunnel up to a server that holds keys on it, and then down to another server. So yes itโs more secure than iMessage but if a Government wants to come in and coerce them they hold the keys to that server, so they can turn over everything. They can decrypt it. The Chinese can crack a VPN TLS tunnel in like 30 seconds if they want to.
Look, Iโm not a businessman. weโve got three former SAS guys here in the office and two former SEALs, combined with some of the all stars of security and crypto, but what we came to is understanding this huge issue that came about with BYOD. People think of Iraq and Afghanistan and war type stuff, but a lot of the job and the mission is you find yourself in blue jeans and a backpack flying into all these other countries, you got your own device, you get educated to the unfriendly telecommunications networks, you know, monitoring systems in other countries, and Iโm not talking the Iranโs and Chinaโs. Iโm talking France, Iโm talking Italy, places like that that grab every transmission of their citizens out of the air. So we bring a side of what we call non-permissive everyday communications environments.
Itโs not as if weโre creating some secret sauce, everybody peer reviews the encryption, we open source the client, governments and businesses and privacy people have tore it apart for years and they know itโs true peer to peer. What we did was polish it and make it relevant.
ME: How easy is it for non government entities to pull calls out the sky, as you mentioned.
MJ: Laughs. We could spend $170 and put something together for you and scan the cellphone conversations going on down the street. We could suck the address book out of your phone, and we could pull your texts out of the air. Itโs proven every day.
Youโre in your flat and calling, that call goes to the cell tower, it can be intercepted before there. Theyโre talking their GSM and all those things. Weโll show you that low level use of encryption can be tapped all day.
Our job isnโt to point out the vulnerabilities of regular cell [telephony].
(CUT)
I wish I was smarter on how people can listen to my cell, I donโt have the technical background โฆbut I just know they can.
ME: So what does it do, how does that work?
MJ: Thereโs two mechanisms, Iโll let Woodieโฆ
PW: Iโd rather not go into the detailsโฆ
ME: This is the problem, thereโs man in the middle stuffโฆ
MJ: Well, man in the middleโs very expensive. But the criminal guys who are smart tech people, can go down to a RadioShack and go buy certain things that are able to attract a cell band as your calls go into the cell tower or come in off a cell tower. They now have mechanisms and stuff you can get off the internet that will brute force attack an encryption, and can literally record conversations that are happening up the street in under twelve minutes. So, I mean, we never want to be in a position where weโre poking our eye at the big telecoms, thatโs not what weโre doing but everybody knows thatโs able to happen and is happening. And I donโt know if they can protect that cost effectively.
THE DIGITAL COLD WAR:
People are worried about the aggregation of data, itโs not just abut GSM crypto and can criminals grab it? Theyโre worried about a combination of things. The new reality is what we call the digital cold war. Youโve got corporations that make up a huge part of GDP of their countries, so now they bring their secret services to bear to steal trade secrets from other companies, because the new prize is GDP. We didnโt build this for that, we built this for private citizens and all of a sudden this came on us. Average citizens are concerned about wiretap friendly laws and the data aggregating thatโs going on, theyโre being pulled into a fish net and their dataโs being held. Youโre not the customer, your data is. And there wasnโt anything that was accepted or trusted peer to peer that anybody could use to bring back privacy to what theyโre doing.
We did not have an understanding of this huge demand that has come on us from enterprise. We did not know that BYOD was such a big liability. Away from work people are talking work and emailing work on personal devices. Everybody understands if you work in BP and itโs โHereโs your IBM brick and your Blackberryโ, and they say, โThank you very muchโ and put it in a drawer because they know itโs discoverable. Theyโve got their own device, they can pull up webmail and do company email on it, theyโre doing a video call on a hotel WiFi out of Jordan and itโs being snagged and collected.
ME: Is the main BYOD concern interception or somebody losing a device?
MJ: Theyโre concerned about both. We donโt harden your device. Like we try to tell people, weโre not the solution to everything.
PW: We can encrypt a lot of things, but if you leave your phone in a cab, we canโt encrypt stupidity.
MJ: We want to get a T-shirt made with thatโฆ