Tales from the Cellcrypt

The next frontier for mobile cybercriminals is not smart phone viruses and hacks, but rather the interception of voice calls, according to U.K.-based mobile encryption firm Cellcrypt Ltd. But according to some industry observers, Cellcrypt’s solution to this problem has more than a few flaws.

Cellcrypt CEO Simon Bransfield-Garth said that while vendors have done a good job of bringing worthwhile data security features onto mobile phones, the same can’t be said about tools that protect voice traffic. Voice security is different, he said, in that it’s not really an issue related to the mobile phone, but rather an issue of mobile network security.

“The handset vendors really can’t do very much about conventional voice security, because the issue is what happens to that signal when it goes out of the phone, where it goes, and whether it is secure,” he said. “There’s been a number of instances in distant and recent press where we’ve had proven examples of people intercepting voice calls.”

Bransfield-Garth added that as the technology used to intercept mobile calls becomes more readily available, the security of voice calls is certain to become a growing issue. He also said that the scare stories around mobile viruses have yet to take hold in the same way they have on PCs, because smart phones have been built with the hindsight of how desktop and laptop computers have been designed.

To address this, the company developed Cellcrypt Mobile, an encryption tool which requires only a small download on a user’s device to protect voice calls from being intercepted. The offering is compatible with Nokia and BlackBerry devices and costs US $1,000 per user, per year for the encryption capability.

But despite Cellcrypt’s cautions, David Senf, director of infrastructure solutions at IDC Canada Ltd., dismissed the severity of the issue.

“Yes, there is relatively weak encryption on cellular communications, but the way cell communications propagate, this is not a real threat,” he said. “Security by obscurity actually works here.”

Senf argued that data loss from a misplaced or stolen device represents a much larger issue.

Mark Tauschek, lead analyst with London, Ont.-based Info-Tech Research Group Ltd., said that while it’s relatively easy to eavesdrop on a call, he doesn’t view this as a growing threat to enterprises anytime soon.

Additionally, for the Cellcrypt model to work there has to be a client on both mobile devices involved in a call. “Let’s say you put this on all your smart phones. What if (your employees are) talking to someone outside of the company?” Tauschek said.

“This is an issue with any encryption method and it’s part of the reason why public Wi-Fi is really challenging,” he said, adding that encrypting the data stream over the air would require a client or configuration on the client side to secure the connection.

Tauschek said that these limitations, coupled with the tool’s incredibly steep price, will probably keep the product from seeing widespread adoption.

“In fact, this type of encryption won’t be widely adopted until it’s at the carrier level,” he said. A good solution would be for wireless carriers to deploy encryption mechanisms into all of the smart phones they carry, he said.

And despite Bransfield-Garth’s claim that mobile viruses really haven’t materialized into a serious threat, others have recently argued that a new wave of mobile attacks is just on the horizon.

Derek Manky, a security researcher at Fortinet Inc.’s Canadian office in Burnaby, B.C., said that over the next couple of years mobile threats will, in fact, head down the same path that malware did on desktop PCs.

“Right now, we’re seeing record detection levels, with the majority of threats that we see coming on Symbian OS,” he said. The mobile platform has the highest adoption rate in the world, which makes it a natural target, he said.

While most of the mobile viruses today are circulated through SMS messages, a recent threat called Symbian OS/Yxes.A was using SMS to send malware-infected URL links.

“This is sort of a bridge that is going to be created between the mobile landscape and the public Internet,” he said. “This becomes a very real threat as we move forward, because we have the traditional phishing attacks that we see on PCs, which will now be possible through telecommunications.”