
The possibility of phone calls being intercepted is something that financial firms in particular cannot ignore, according to Cellcrypt, which is betting that the need for encryption will become more widespread as communication comes to depend more and more on IP-based infrastructure.
“There are two aspects to the problem: first, the mobile voice infrastructure was never designed for privacy; and now everything is converging on IP as a platform,” said Cellcrypt chief executive Rodolfo Rosini.
“Today, you would not make a data connection to the corporate LAN from outside the company without using a VPN, but if you make a phone call, it goes across a network over which you have no control,” Rosini explained.
The problem is exacerbated by IP-based infrastructure because of the possibility of capturing information using a man-in-the-middle attack, whereby an eavesdropper arranges to have traffic routed through their systems as if it were part of the infrastructure of the wider internet.
It may seem unlikely, however, that anyone would attempt to intercept your mobile business calls, and Ovum analyst Graham Titterington expressed his scepticism.
“While IP calls can be intercepted in the network, you would have to be pretty desperate to hear a call to sift through all the irrelevance and re-sort the packets into order. The main risk comes at the two endpoints, and this is no different from traditional PBXs,” Titterington said.
Cellcrypt accepts that this is currently a niche market, but Rosini said that if the potential gains are high enough, someone will attempt it.
“The encryption used for GSM calls was cracked back in 1999. It requires kit costing about £100,000 ($231,000) to break it, but the guys in the finance world move billions of dollars around all the time. They are paranoid because they have to be,” Rosini said.
Cellcrypt’s current product, Cellcrypt Communicator, runs on Symbian OS and offers end-to-end encryption of a call to another handset equipped with the same software. It integrates with the handset’s address book and lets the user make a secure or standard call to their contacts, failing if a secure call is attempted to a phone without the Cellcrypt client.
The vital part of the configuration is that it does not change the functionality of the phone from a user’s standpoint, according to Rosini. “In security, you don’t ask the user to do anything, because you have to assume that they will get it wrong,” he said.
The firm is planning to release a version of its client for Windows Mobile handsets in February 2008, and expects to have a BlackBerry version in April. Support is also planned for leading IP PBX and telephony products, such as Cisco, Avaya and Asterisk. This is vital in order to let customers make secure conference calls, Rosini said.
While Titterington points out that there are no laws or regulations requiring telephone calls to be scrambled or encrypted, Rosini believes that firms working in the financial services industry will run into compliance issues in the future.
“You buy security products for compliance, and most companies will buy from the market leader. We’re hoping to get in there first and become the security partner of choice for unified communications,” Rosini said.