More

        

          

    HomeInsightsSilent Circle makes big security noise

    Silent Circle makes big security noise

    -

     “You can’t encrypt stupidity”

    A company that is offering fully-encrypted communications has said that somebody with $170 to spend on the right equipment and the right know-how could “easily” intercept mobile calls and texts from out of the air.
     
    As a result, the company argues, sensitive personal and commercial data and information is at risk as it is transmitted over the air, and requires extra protection. The company is offering a suite of encrypted comms products on IoS and Android (December) from $20 per month to address that need.
     
    Silent Circle has been formed by an alliance of ex military staff and veteran cryptography experts. CEO Mike Janke is an ex Navy Seal sniper while Paul Wood, Special Projects Director and in charge of the UK and European business, was formerly employed by the SAS, the company said. Philip Zimmermann, founder of Pretty Good Privacy, is the company’s chairman, while CTO Jon Callas was also a PGP cp-founder and creator of hard disk encryption products such as Apple’s Whole Disk Encryption.
     
    The service uses Zimmermann’s ZRTP and PGP encryption software to provide peer to peer encryption of calls and texts, as well as video calls. The software detects when a call starts and initiates a cryptographic key agreement between the two parties and then encrypts and decrypts the voice and data packets on the fly. The keys are destroyed at the end of the call.
     
    The Silent Circle network compresses data to such an extent, that it can provide encrypted Video calling over EDGE networks, or between a user on WiFi and a user on 3G, with very low latencies.
     
    Other features include a burn notice on messages, so that a message automatically “self-destructs” after a certain time. The company also offers a secure calling plan that lets users “call out” form a Silent Circle number to a non subscriber. The part of the call between the subscriber and the company’s servers in Canada remains encrypted, while the leg of the call from Canada to the other party remains open, Janke said.
     
    Silent Circle claims it is the first and only company to offer peer to peer encrypted voice and text communications, without retaining data or keys on server infrastructure. Cellcrypt, which provides an encrypted communications service, declined to comment on the differences between the two companies’ approaches.

    TRANSCRIPT OF EXCERPTS OF MOBILE EUROPE INTERVIEW WITH SILENT CIRCLE:

    (MJ = Mike Janke. PW = Paul Wood)

    MJ: We set out creating this service, we call it curated crypto, we’re doing something that nobody else does and that is peer to peer encryption. We were able to create products that can truly do P2P but you don’t have to think about it. It should have no Diffie–Hellman key exchange – it has to be user friendly. We spent millions of dollars on our own network, SIP services and codexes so that we can do encrypted video walking down a street on EDGE, 3G, 4G, completely encrypted. Facetime can’t even do mobile video now without 4G. We do it on EDGE.
     
    When I speak to you it leaves your phone encrypted so even if the government or the Chinese grab it out of the air it’s just encrypted gobbledegook. That means nobody has to trust us, you have the keys but when the call is done the key is deleted.
     
    I can send you a text, video, location and put a burn notice that says you can only look at this naughty picture for five minutes. If I want to send location, a snapshot of Apple maps comes up [this is a planned future feature] and I can even burn that. 
     
    There are apps that are out there that are VoIP or texting apps that say they are secure and yes up to a point they are, but what people don’t understand is that it’s a TLS VPN tunnel up to a server that holds keys on it, and then down to another server. So yes it’s more secure than iMessage but if a Government wants to come in and coerce them they hold the keys to that server, so they can turn over everything. They can decrypt it. The Chinese can crack a VPN TLS tunnel in like 30 seconds if they want to. 
     
    Look, I’m not a businessman. we’ve got three former SAS guys here in the office and two former SEALs, combined with some of the all stars of security and crypto, but what we came to is understanding this huge issue that came about with BYOD. People think of Iraq and Afghanistan and war type stuff, but a lot of the job and the mission is you find yourself in blue jeans and a backpack flying into all these other countries, you got your own device, you get educated to the unfriendly telecommunications networks, you know, monitoring systems in other countries, and I’m not talking the Iran’s and China’s. I’m talking France, I’m talking Italy, places like that that grab every transmission of their citizens out of the air. So we bring a side of what we call non-permissive everyday communications environments.
     
    It’s not as if we’re creating some secret sauce, everybody peer reviews the encryption, we open source the client, governments and businesses and privacy people have tore it apart for years and they know it’s true peer to peer. What we did was polish it and make it relevant. 
     
    ME: How easy is it for non government entities to pull calls out the sky, as you mentioned. 
     
    MJ: Laughs. We could spend $170 and put something together for you and scan the cellphone conversations going on down the street. We could suck the address book out of your phone, and we could pull your texts out of the air. It’s proven every day. 
     
    You’re in your flat and calling, that call goes to the cell tower, it can be intercepted before there. They’re talking their GSM and all those things. We’ll show you that low level use of encryption can be tapped all day. 
     
    Our job isn’t to point out the vulnerabilities of regular cell [telephony]. 
     
    (CUT)
     
    I wish I was smarter on how people can listen to my cell, I don’t have the technical background …but I just know they can.
     
    ME: So what does it do, how does that work? 
     
    MJ: There’s two mechanisms, I’ll let Woodie…
     
    PW:  I’d rather not go into the details… 
     
    ME: This is the problem, there’s man in the middle stuff… 
     
    MJ: Well, man in the middle’s very expensive. But the criminal guys who are smart tech people, can go down to a RadioShack and go buy certain things that are able to attract a cell band as your calls go into the cell tower or come in off a cell tower. They now have mechanisms and stuff you can get off the internet that will brute force attack an encryption, and can literally record conversations that are happening up the street in under twelve minutes. So, I mean, we never want to be in a position where we’re poking our eye at the big telecoms, that’s not what we’re doing but everybody knows that’s able to happen and is happening. And I don’t know if they can protect that cost effectively.

     
    THE DIGITAL COLD WAR:
    People are worried about the aggregation of data, it’s not just abut GSM crypto and can criminals grab it? They’re worried about a combination of things. The new reality is what we call the digital cold war. You’ve got corporations that make up a huge part of GDP of their countries, so now they bring their secret services to bear to steal trade secrets from other companies, because the new prize is GDP. We didn’t build this for that, we built this for private citizens and all of a sudden this came on us. Average citizens are concerned about wiretap friendly laws and the data aggregating that’s going on, they’re being pulled into a fish net and their data’s being held. You’re not the customer, your data is. And there wasn’t anything that was accepted or trusted peer to peer that anybody could use to bring back privacy to what they’re doing.
     
    We did not have an understanding of this huge demand that has come on us from enterprise. We did not know that BYOD was such a big liability. Away from work people are talking work and emailing work on personal devices. Everybody understands if you work in BP and it’s “Here’s your IBM brick and your Blackberry”, and they say, “Thank you very much” and put it in a drawer because they know it’s discoverable. They’ve got their own device, they can pull up webmail and do company email on it, they’re doing a video call on a hotel WiFi out of Jordan and it’s being snagged and collected. 
     
    ME: Is the main BYOD concern interception or somebody losing a device?
     
    MJ: They’re concerned about both. We don’t harden your device. Like we try to tell people, we’re not the solution to everything.
     
    PW: We can encrypt a lot of things, but if you leave your phone in a cab, we can’t encrypt stupidity.
     
    MJ: We want to get a T-shirt made with that…