Business espionage and cybercriminals listening in on potential deals makes the business landscape a place where digital security can make or break a company. With 15 years under his belt consulting or running his own businesses, Stephen Carnes, president of Kryptos Communications Inc., knows this well.
While working on big deals, clients would often ask to meet in person, flying halfway across the country to relay sensitive information rather than tell it over the phone. Carnes said, “So many times it can be just a two-minute part of the conversation they just didn’t want anybody to hear. So I thought, well gee, shouldn’t there be a better way of doing this?”
A quick look at the market was all it took to reveal a need. Options are limited for anyone wanting secure phone calls—typically falling to specialized phones costing more than $1,000 that only work after users exchange secure serial numbers. The problem is, not everyone owns one of these phones and most companies would rather not have a business deal hanging on the post office delivering a special phone.
The idea was simple and would not rely on special equipment. Growing use of smartphones opens new doors—particularly their ability to download software at the press of a button. So Carnes decided to build an app that he dubbed Kryptos.
Put simply, when a cell phone calls another phone, it wraps the audio information into a packet and bounces it off a cellular tower to reach its target. The problem is that while the towers check to make sure cell phones are from paying clients, the phones themselves have no way to tell if a tower is real or not. Criminals thus set up fake towers to steal data as it is transferred.
Kryptos gets around this by bypassing regular cell signals altogether and goes through wireless Internet 3G, 4G, or WiFi networks. It also uses peer-to-peer communications, speaking directly to another cell phone without needing a server in the middle, as “the server would be vulnerable to attack and eavesdroppers,” Carnes said.
To top it off, even if the data is intercepted, Kryptos scrambles it with military grade encryption. If a criminal gets their hands on it, the data will just be an unusable mess nearly impossible to decipher.
Although it stands as one of the lesser-acknowledged evils of cybercrime, intercepting cell phone calls is about as easy as it gets. Most cell phones use GSM, a mobile phone network designed in 1982 that is riddled with security holes.
By intercepting cell phone calls, criminals can grab not only the contents of a call, but also data about a user.
The vulnerabilities have been exposed, but many cell phones still run on the GSM network. The problem is that in order to close the gap, cellular providers would need to redesign the GSM system, change every phone, change every cell tower, and change every network behind them, according to ethical hacker Chris Paget.
Using a laptop and a $1,500 homemade device, Paget intercepted 30 cell phone signals from a live audience during a July 2010 Defcon hacker conference in Las Vegas in an attempt to raise concern around the problem. His hack worked on both GSM and 2G signals.
“I can sit here for the next 20 minutes, half an hour, and every AT&T cell phone in the room will gradually hand over to my network, gradually start giving me all your traffic,” Paget said in a Defcon recording of his speech, after he set his computer to pose as an AT&T cellular tower.
His system, an IMSI (International Mobile Subscriber Identity) catcher, tricks cell phones into thinking it is a legitimate cell phone tower, which they then gladly pass all user data and conversations to.
“The reality of it is there really is no good solution. GSM is broken,” Paget said, adding that cellular providers will need to upgrade to 3G and 4G signals and eliminate GSM and 2G services to fix the problem.
The gaps were also noted in Feb. 2008 in a report from a Black Hat Briefing security conference, “Intercepting GSM traffic.” It states that by using easily attainable software and a $5 cell phone from eBay, cybercriminals are able to listen in on GSM calls.
“Commercial interception equipment is available on the Internet,” states the report.
A Welcoming Market
With the initial iPhone and Android apps already available, and a BlackBerry app on the way, Kryptos has so far found a welcoming market.
Even the federal government is showing interest in the technology, as it can work as a quick backup if their own systems ever go down. Although the service does come at a monthly fee, it also gives users free long distance since it uses the Internet to make calls, rather than cellular signals.
Carnes says he and his company have set out to become “the Henry Ford of secure communications.” Although Ford did not invent the automobile, his use of mass production brought one to every family. Likewise, Carnes found a way to bring secure communication to every smartphone.
“We didn’t invent phone encryption. That’s been done for years,” Carnes said. “What we set out to do was to provide a quick, efficient way for anybody to have secure communications for an affordable price.”
In order to prove the system works, Kryptos is currently undergoing third-party testing by independent labs.
“It’s a very interesting project,” said Jordan Edelson, president and CEO of Appetizer Mobile LLC, the developers of Kryptos.
“To have that peace of mind, having an application that’s commercially distributed could be very popular,” Edelson said. “We’re doing something that a lot of people could use and utilize and hopefully it will save people from bigger headaches in the future.”