Last week, AT&T announced that it is providing a hardware-based, two-factor encryption service for smartphones used by its government, law enforcement, financial institution, and international business customers. This is the first carrier-provided encryption services for smartphones, according to the company.
The product combines KoolSpan’s TrustChip, which is a hardened chip inserted into the smartphone’s microSD slot, and SRA International’s One Vault Voice interface.
“Year over year, the cost of...security threats has increased dramatically,” said Pat Burke, SRA senior vice president of offerings and products. “These threats have elevated cyber security as a strategic priority for both business and government organizations worldwide.”
The AT&T encryption product, which supports the BlackBerry smartphone and the Windows operating system, is designed to address these requirements, the company said.
While carriers are just realizing the need for voice encryption, a number of companies already provide software-based voice encryption for smartphones. For example, Cellcrypt provides encryption software that can be downloaded over a wireless network by a smartphone user.
“This is a software only downloadable solution. This is a real distinction between ourselves and what was announced by AT&T,” said Kathleen Peters, vice president for business development at Cellcrypt.
Peters told Infosecurity that voice communication security has been underserved in the smartphone market. “It is the last area where it was recognized that this is a risk….There are a lot of companies out there to secure data, but voice was pretty much left to specialized equipment,” she said.
“The workforce is more mobile than ever before, so the risks are increasing like never before. People expect to be able to communicate and maintain the confidentiality of their business even while they are mobile….Smartphones have the processing capability to download software and run security in a very efficient and real-time way”, she added.
Peters noted that, unlike data, voice encryption needs to happen in real time. “When you are encrypting an email message or SMS, you have the ability to store the data, add encryption, and forward it. When you are talking about voice, you need to go real time. The most secure encryption and decryption happens at the end points; that way you are not relying on having to secure the entire network pipe between users,” she said. “It provides a unique challenge.”
Moxie Marlinspike, founder of Whisper Systems, a supplier of the RedPhone software-based encryption system for the Android smartphone, expressed concern about the AT&T announcement from a privacy perspective. “I approach this announcement with some skepticism given that AT&T has this long-history with wiretapping. That is a reason to look at this a little more closely,” he told Infosecurity.
Marlinspike explained that AT&T is serving as a third-party authenticator for its smartphone encryption system. “There is no reason anymore to be designing systems that require a third party. AT&T is announcing yet another system that requires us to trust a third party, and in this case, the third party is AT&T. They do not have a history of inspiring trust,” he said.
Whisper Systems’s RedPhone can be downloaded to a smartphone. RedPhone uses an open standard developed by Phillip Zimmermann to setup an SRTP stream between two devices, which provides encrypted security from one end to the other, Marlinspike said.
“The system does not require the user to trust anyone else. All of the trust comes down to the person making the call and the person they are talking with,” he noted. He added that RedPhone is currently available for the Android smartphone, but his company is working to expand it for use on other smartphone models.