The company Cellcrypt released an application on Tuesday for mobile phones running Android that encrypts voice calls, addressing increasing concern that voice traffic over cellular networks could be intercepted with off-the-shelf equipment.
Cellcrypt built the application after seeing an increase in the number of Android users, said Ian Meakin, Cellcrypt's vice president of marketing. The company already has voice encryption applications for Nokia E-Series and N-Series devices running Symbian S60 and BlackBerry devices.
GSM (Global System for Mobile Communications) phone calls are encrypted, but researchers have warned for years that the equipment and software tools needed to break the A5/1 stream cipher used to encrypt those calls are widely available and cheap, costing as little as US$5,000.
As recently as three years ago, computer security researchers showed they could break the encryption on GSM networks in 30 minutes or less and intercept voice calls from up to 20 miles away from a base station. In December 2009, a table of the GSM encryption keys was released on the Internet by A5/1 Security Project researchers, providing pieces of data that could be used by hackers to intercept and decrypt calls.
That spells bad news for executives, celebrities and others who don't want to be snooped on. Plus, once a call has been intercepted, the intrusion is hard to trace.
"Voice has always been the poor cousin of data security," Meakin said. "It's a perishable communication method. Once someone has intercepted it, there's very little trace of it having happened."
The product, Cellcrypt Mobile, is a software-only application that is downloaded to an Android device. To make an encrypted call, the caller and recipient both must have the software installed, although they can use different OSes, such as Symbian, Android or BlackBerry.
Cellcrypt Mobile is essentially a VOIP (voice over IP) application that uses either Wi-Fi or an operator's data channel on either GPRS, EDGE, 3G or satellite networks to transmit voice.
The software uses public key cryptography. Each phone installed with Cellcrypt Mobile generates its own private key that is only stored on the device, not on a central server, which is a more secure method of storing keys, Meakin said. When a call is started, a secret session key is exchanged, which is then erased after the call has ended and not reused.
The voice data is then double encrypted using a 256-bit RC4 algorithm and then again with a 256-bit AES algorithm, Meakin said. The heavy encryption can cause up to a 1.5 second delay using the slower GPRS networks, varying somewhat depending on available bandwidth and network traffic. Over Wi-Fi, latency can be as low as 150 milliseconds, which is unnoticeable to callers.
Meakin said Cellcrypt has also partnered with operators such as Telef
Cellcrypt Mobile runs in the background on a mobile phone. Users can pick an alphanumeric string to identity themselves, although Cellcrypt encourages people just to use their normal phone number for simplicity. When a call comes in, users see the message "Incoming secure call" and press a green button to answer, Meakin said. Calls over Wi-Fi are free using, although people making calls over cellular data networks may incur a charge depending on the user's service agreement.
Cellcrypt Mobile meets the U.S. government's 140-2 Federal Information Processing Standards, which means it can be used by government employees for certain classifications of information.
CellCrypt Mobile for Android costs $1,500 per user per year. Meakin said Cellcrypt's customers tend to not be very price sensitive, as security takes priority for people in industries such as mining or who are celebrities.
Send news tips and comments to firstname.lastname@example.org