Are mobile calls as secure as you think?
It’s been an interesting week in the world of mobile security, with news emerging that UK Sunday tabloid News of The World is allegedly involved in a rather serious phone ‘hacking’ incident. Whilst the papers have been busy claiming this is ‘wiretapping’ and that actual mobile calls have been intercepted, it seems more to be the case that someone rather mischievous has been breaking into voicemail boxes and retrieving subscribers’ messages.
So is calling over GSM really secure? Yes and no. Yes, in that your call is encrypted between the handset and the network, so it’s not just a case of someone with a scanner ‘tuning in’ like the old days with analogue cordless phones – but no, as there are so many other places it can be tapped. Plus the encryption standard used by GSM was cracked in theory about 10 years ago, so anyone with a suitably large amount of technology could in theory break the code. Last year two researchers – Steve Muller and David Hulton – claimed they’d come up with a method of doing it quite quickly without the need for the silly amounts of computing power you’d normally only associate with a government.
Then there’s the theoretical possibility of a physical ‘wiretap’ within the mobile network or public telephone system. Let’s take a call between a 3 mobile user in the UK and someone in Germany on T-Mobile. It’s quite possible that call will go from 3 to BT, across BT’s international network to Deutsche Telekom in Germany, off Deutsche Telekom’s transit network to the actual T-Mobile network, and then onwards to the other end. Across that path it’s more than likely that call has passed through not only four different networks but quite a few exchanges – as an unencrypted digital stream. Pick an exchange that call happens to pass through, find a disgruntled and persuadable (with a nice brown envelope of cash) switch engineer and voila – one wiretap.
Of course this is all theoretical, and I’m not suggesting it happens all the time. However, with increasing concerns about the security of phone calls, many companies are beginning to use encryption technology that five years ago you’d only have seen spooks and the military using.
One company to offer such technology is British-based CellCrypt. Their software-based offering can be installed on Nokia, BlackBerry and Windows Mobile smartphones. With just a few clicks you can make a secured call over the 3G/2G or Wi-Fi data network to another CellCrypt-enabled device (or office PBX if you’ve got the relevant hardware installed) and not only completely bypass the voice network but also secure your conversation with something called Encrypted Mobile Content Protocol (EMCP). Here’s a little diagram of how it works:
So how secure is secure? Without getting too techy about it, CellCrypt uses 2048-bit RSA and 256-bit AES encryption, DH and RSA algorithms for key exchange, SHA512 and MD5 for hashing, and DSA and RSA to authenticate data.
Does it work? Is it simple to use? Yes, in a word. I had the opportunity to have a play with the CellCrypt technology a few weeks ago, and it seems quite straightforward. Select a contact from your CellCrypt phone book, hit the button, and within 10 seconds it’s placed the call, secured it, and you’re ready to rock and roll. As the call does go over your operator’s 2G or 3G service it can be a little delayed, but to be honest it’s not really noticeable – and not that much worse than a normal mobile to mobile call.
Even if you don’t think CellCrypt – or similar technology – is for you, here’s CellCrypt’s CEO Simon Bransfield-Garth with some top tips for mobile safety. Obviously he’ll want you to place an order for his service, but quite a lot of this is common sense and simple to do.
- Never assume that voice calls are secure – like fax or email, never discuss confidential or sensitive issues on the phone, or use phones with voice encryption
- Never leave confidential voice messages or send confidential texts
- Make sure you use your mobile phone PIN and protect it in the same way as your Bank Card PIN – voicemails can be accessed from any phone with the PIN
- Be vigilant to prevent malicious use of your phone – be wary of texts, system messages or events on your phone that you did not ask for, initiate or expect; turn off Bluetooth if you are not using it and don’t leave your phone lying around
- Think about the value of the conversation and then choose the right communication means for the call – if you are discussing something very valuable, such as a business deal, don’t leave information lying around or use communications means that can be intercepted
You can find out more about CellCrypt at http://www.cellcrypt.com – and watch out for an interview in the coming weeks.