Don’t Trust Anyone. That used to be something only the paranoid said, but then something happened along the way: we became informed. We learned that people could listen in on the telephone’s party line, so we paid extra for a private line. Then we realized our kids or our parents could overhear us on the phone on the wall, so we got multiple lines for our home. Then we could suddenly get a cellphone and have our own private phone anywhere we wanted. Total privacy! Or so we thought, as our words and information went flying through the air. First it’s word of warrantless wiretapping, then it’s word of newspapers, lawyers, insurers and more hacking your communications. Who’s next? How do we stop this? Unfortunately, laws only catch up after the fact, so you need to take some measures right now. This is where we look at how to secure your smartphone communications to make cherry-picking your information a lot harder.
Change the Medium of Communication
To paraphrase Marshall McLuhan, the medium is the type of warrant needed. Typically, the older the form of communication, the greater the legal protection it has. According to the Electronic Frontier Foundation, “…only 20 court orders authorizing oral intercepts were reported in the 2007 wiretap report, compared to 1,998 orders authorizing wiretapping of “wire communications” or voice communications.” That’s in the United States of America. The contents of letter mail (snail mail) are also highly protected legally; however, anyone can read the envelope, and the US Postal Service tracks that information too. Land-line phone conversations are almost as well protected as letter mail, yet your phone records are available to the government as well. Once you step up to voice calls on a cell phone, the laws preventing the government from listening in tend to get more lax. Text messaging even more so. Because these cellular and WiFi communications fly through open air space, courts may find that there isn’t the reasonable expectation of privacy that governments afford land-line conversations.
The biggest issue with text messages and security is that the whole conversation is stored on your phone, and likely on your service provider’s servers, for at least a little while. With a normal cell call, all that is normally retained is the metadata: who you called, when, for how long, and from where you called. The point here: don’t text stuff you don’t want leaked. Especially if you are a senator or congressman.
Cell phone and WiFi communications travel through the air as radio signals, so the technology needed to grab them isn’t that far removed from what it takes to receive a commercial radio signal. If you suspect that your phone may be compromised, compare your symptoms with Steve Campbell’s 6 Possible Signs Your Cell Phone May Be Tapped. This video may be a little old in the telecommunications world, yet it shows the basic hardware needed to grab a massive amount of cellular traffic. Aside from the computer, you’re looking at about $1500 worth of equipment. That’s not a huge investment.
Check Your Apps
Possibly the easiest way to compromise smartphone communications is to write an app that gives you access to everything on the phone, and then get people to download it. This is not quite as much of a problem for iPhones, as Apple has the final say on whether an app makes it into its store or not. With Android, Google is not as strict. Plus, there are those who will allow installs from unknown sources, or root their Android device, and download apps from just about anywhere.
For more detailed information, Chris Hoffman’s How App Permissions Work & Why You Should Care is mandatory reading. Warnings about what an app can do with your phone are almost as universally ignored as EULAs. If you are installing an app and a warning comes up saying this app will have access to your contacts, phone state and identity, can send SMS or MMS, and so much more, ask yourself: does the app really need this kind of access? If not, don’t install it. Review the apps you do have installed and uninstall those that overstep their needs. You may even consider doing a factory reset on your phone to ensure there is no lingering spyware on it.
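Reviewing permissions one install prompt at a time is tedious, so here is an added example (not from the article or from any of the apps it mentions) that does the review in bulk. It parses text in the shape of what `adb shell dumpsys package` prints on a connected Android device, and lists every app that asks for a permission touching your calls, texts, contacts or microphone that you have not said it should need. The sample dump, the package names, the `SENSITIVE` set and the `EXPECTED` table are all constructed assumptions for the example.

```python
"""Audit which installed apps request communication-related permissions.

Added example, not from the article: it parses text shaped like the
output of `adb shell dumpsys package` (the sample below is constructed,
not captured from a real device) and reports each app that asks for a
sensitive permission you did not expect it to need.
"""
import re

# Permissions that expose calls, texts, contacts or the microphone. This
# set is a choice made for the example, not an official Android group.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample in the shape of `dumpsys package` output: a flashlight
# app that asks for far more than a flashlight needs, and a messaging app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c4):
    userId=10123
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.CAMERA: granted=true
      android.permission.READ_SMS: granted=true
  Package [com.example.messenger] (5d6e7f8):
    userId=10124
    requested permissions:
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

# What each app plausibly needs for its job (assumption for the example).
EXPECTED = {
    "com.example.messenger": {
        "android.permission.SEND_SMS",
        "android.permission.READ_CONTACTS",
    },
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+)(?::.*)?$")


def parse_requested_permissions(dump):
    """Map each package name to the set of permissions it requests."""
    result = {}
    current = None
    in_requested = False
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.endswith(":"):
            # Section header such as "requested permissions:" or "install permissions:"
            in_requested = stripped == "requested permissions:"
            continue
        if in_requested:
            m = PERM_RE.match(line)
            if m:
                result[current].add(m.group(1))
    return result


def flag_overreach(perms_by_pkg, expected):
    """Return {package: sorted sensitive permissions beyond what it should need}."""
    flagged = {}
    for pkg, perms in perms_by_pkg.items():
        unexpected = (perms & SENSITIVE) - expected.get(pkg, set())
        if unexpected:
            flagged[pkg] = sorted(unexpected)
    return flagged


def audit(dump=SAMPLE_DUMPSYS, expected=EXPECTED):
    """Parse a dump and flag every app requesting unexpected sensitive permissions."""
    return flag_overreach(parse_requested_permissions(dump), expected)


if __name__ == "__main__":
    for pkg, perms in audit().items():
        print(f"{pkg} requests more than it needs: {', '.join(perms)}")
```

On a real device you would feed `audit()` the text of `adb shell dumpsys package` instead of the sample; the messenger is left alone because its SMS and contacts access is on its expected list, while the flashlight is reported for every communications permission it asks for.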
Encrypt the Communication
Even with all these laws in place, it is still terribly unlikely that anyone will listen in on your communications. Really, you’re a great person, but you’re just not that exciting. What you had for dinner, and how many miles you did on the elliptical, is boring, and already all over Facebook. Who is going to break telecommunications laws and buy a bunch of expensive equipment to find out you hate kale? But hey, look what it did for Jennifer Aniston. Fine, let’s assume that your conversations are really juicy stuff for spies and private investigators. Let’s look at how we can make our smartphone communications less useful to eavesdroppers, even if they intercept them.
Encryption takes something that is meaningful to the average person and turns it into gibberish that can only be made meaningful again through a mathematical process, and only by someone who holds the right key. That’s about the shortest description that I can come up with. If you’re looking for an explanation of how encryption works, read the How Does It Encrypt My Drive? section of this How Bitlocker Works article. The same principles are at work in most encryption.
Kryptos – iOS, Android [No Longer Available], Blackberry – Free App, $10/Month Service
Kryptos is, at the simplest level, an encrypted Voice over Internet Protocol (VoIP) service. If you want to understand VoIP better, peruse Stefan Neagu’s article, How Does Skype Work?. Running over IP lets it work on both cellular and WiFi connections. Be warned: VoIP that does not go over WiFi uses your data plan. The app encrypts your voice call with 256-bit AES, and uses a 2048-bit RSA key exchange to set up that AES key between the two phones. Because it is a VoIP connection and both people need to have the app and the service, the call is almost a true peer-to-peer connection, except that each party’s key has to be validated by a certificate authority. A man-in-the-middle attack is theoretically possible if that validation is skipped or the authority is compromised. I wouldn’t say that it is terribly plausible though.
The 256-bit AES encryption applied to your call is the same standard that Windows BitLocker uses, and the U.S. government considers it suitable for protecting Top Secret information. Now that sounds impressive, and it is, really; just know that Top Secret is the top classification level but not the last word, as compartmented programs layer extra controls on top of it.
The 2048-bit RSA key adds an extra layer of security. It is not what scrambles the audio; it is the digital key that locks and unlocks the AES call key at each end of the conversation, so that only the two phones get it. Just like a key for a door, the more little bumps and grooves there are on the key, the harder it is for criminals to duplicate it. 2048 bits means your key is a number about 617 decimal digits long. To put that in perspective, most lottery tickets use a max of 12 digits, and we all know what the odds of winning the lottery are.
DigiCert, a provider of digital signature certificates for e-commerce, has calculated that it would take “6.4 quadrillion years” to crack a 2048-bit RSA key. However, RSA Laboratories makes a rough estimate, based on Moore’s Law and how long it took to crack a 56-bit DES key, that a 2048-bit RSA key could become practical to crack around the year 2030. That’s a lot less than 6.4 quadrillion years, but still impressive, and by 2030 it’s too late to drop in on a call made today. However, whenever there is a key exchange like this, there is the slim chance of a man-in-the-middle attack. That’s where a person sits in the middle of a call, unbeknownst (but beknownst to us) to the other two people. When Bob requests Alice’s key and Alice requests Bob’s key, Mark hands each of them his own key instead. Voila! The call is open to him. That substitution is exactly what validating each key with a certificate authority is meant to catch.
Kryptos claims that they don’t record calls or anything about the calls. They also claim that they would never allow a government back door into their communications. Well, they might not really have a choice there under laws such as the U.S.A.’s Communications Assistance for Law Enforcement Act (CALEA). That act aims to force communications providers, VoIP providers included, to make it easier for law-enforcement agencies to monitor communications in real time.
So, how secure is Kryptos? For the price of $10 a month, I would say it is reasonably secure.
Silent Phone – iOS, Android – Free App, $10/Month Service
Brought to you by Silent Circle and Phil Zimmermann, the person behind PGP encryption, Silent Phone is a voice encryption service for both Android and iOS devices. Like Kryptos, it works over a VoIP connection, either through WiFi or your cellular data plan, and it requires both people to have the application and the service for end-to-end encryption.
Unlike Kryptos, it uses an open key-agreement protocol called the Zimmermann Real-time Transport Protocol (ZRTP). This differs from the RSA exchange in that the two phones agree on a fresh key for each call through a Diffie-Hellman exchange, without checking in with a certificate authority. To make sure nobody swapped keys in the middle, each call also produces a short authentication string, which both people read aloud to each other and compare before continuing with the call.
Silent Phone uses 256-bit AES encryption like Kryptos does, but at this point in the comparison it doesn’t really matter. The key only exists for the length of the call, so it simply won’t be around long enough to crack, and a man-in-the-middle doesn’t get a free pass either. Someone who interposes himself in a ZRTP call ends up holding two separate keys, one with each side, and the authentication string each side computes will differ. As long as the two people actually compare the strings, they will know something is sitting in the middle of the voice transmission.
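The key swap Mark pulls off in the Kryptos section above, and the spoken string ZRTP uses to catch it, side by side as an added worked example. This is not Silent Phone’s or ZRTP’s code (ZRTP is specified in RFC 6189) and not from the article; the Alice, Bob and Mark names are the article’s, while the toy Diffie-Hellman group (p = 2**255 - 19, g = 3), the simplified message flow, and deriving the authentication string as the first hex characters of a SHA-256 hash are all assumptions made for the example.

```python
"""Toy ZRTP-style key agreement with a Short Authentication String (SAS).

Added example, not Silent Phone's or ZRTP's real code (ZRTP is RFC 6189).
It models two calls: an honest one, and one where Mark swaps his own key
in (the attack described for the Kryptos RSA exchange). Without any check
Mark decrypts both directions; with the SAS read aloud, the two sides get
different strings and hang up. The group (p = 2**255 - 19, g = 3) is a toy
choice so the arithmetic is cheap; real ZRTP uses much larger
finite-field groups or elliptic curves, and derives its SAS differently.
"""
import hashlib
import secrets

P = 2**255 - 19  # a known prime; toy group for the demo (assumption)
G = 3


def keypair():
    """Ephemeral Diffie-Hellman key pair: private x, public g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(my_private, their_public):
    """g^(xy) mod p, computable by each side from its private value and the other's public one."""
    return pow(their_public, my_private, P)


def sas(secret, pub_a, pub_b, length=4):
    """Short string each end derives from the agreed secret and the public
    values it actually saw; short enough to read aloud over the call."""
    h = hashlib.sha256()
    for v in (secret, min(pub_a, pub_b), max(pub_a, pub_b)):
        h.update(v.to_bytes(32, "big"))
    return h.hexdigest()[:length]


def honest_call(length=4):
    """Alice and Bob exchange public values directly; nothing on the wire is altered."""
    a_priv, a_pub = keypair()  # Alice
    b_priv, b_pub = keypair()  # Bob
    # Wire: Alice -> Bob: a_pub ; Bob -> Alice: b_pub
    a_secret = shared_secret(a_priv, b_pub)
    b_secret = shared_secret(b_priv, a_pub)
    return {
        "keys_match": a_secret == b_secret,
        "alice_sas": sas(a_secret, a_pub, b_pub, length),
        "bob_sas": sas(b_secret, a_pub, b_pub, length),
    }


def intercepted_call(length=4):
    """Mark relays both directions but replaces each public value with his own."""
    a_priv, a_pub = keypair()  # Alice
    b_priv, b_pub = keypair()  # Bob
    m_priv, m_pub = keypair()  # Mark, in the middle
    # Alice -> Mark: a_pub ; Mark -> Bob: m_pub (presented as Alice's)
    # Bob   -> Mark: b_pub ; Mark -> Alice: m_pub (presented as Bob's)
    a_secret = shared_secret(a_priv, m_pub)  # what Alice now encrypts with
    b_secret = shared_secret(b_priv, m_pub)  # what Bob now encrypts with
    mark_with_alice = shared_secret(m_priv, a_pub)  # Mark holds both session keys
    mark_with_bob = shared_secret(m_priv, b_pub)
    return {
        "mark_can_decrypt": mark_with_alice == a_secret and mark_with_bob == b_secret,
        # Each side hashes the public value it actually received, so the strings differ
        "alice_sas": sas(a_secret, a_pub, m_pub, length),
        "bob_sas": sas(b_secret, m_pub, b_pub, length),
    }


def sas_confirms(call):
    """What the two people do on a ZRTP call: read the SAS to each other and compare."""
    return call["alice_sas"] == call["bob_sas"]


if __name__ == "__main__":
    h = honest_call()
    print("honest call: keys match", h["keys_match"], "SAS", h["alice_sas"], h["bob_sas"])
    m = intercepted_call()
    print("intercepted: Mark decrypts", m["mark_can_decrypt"], "SAS", m["alice_sas"], m["bob_sas"])
    print("hang up" if not sas_confirms(m) else "looks clean")
```

Two things worth noticing. First, nothing in `intercepted_call` fails on its own: both phones agree keys, the audio is encrypted, and Mark reads all of it, which is why an unauthenticated exchange is only as good as the check layered on top (a certificate authority in the Kryptos model, the spoken string here). Second, a four-character SAS is only sixteen bits, so a man-in-the-middle who could grind through public values might hope to force a match; real ZRTP has both sides commit to a hash of their value before revealing it, which removes that option.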
Silent Circle swears that they will never bow to government pressure, and that’s respectable, if a bit misguided. At some point, they may well have to decide whether they want to keep the company alive or keep their morals intact. I’m swayed a bit by Phil Zimmermann’s previous tribulations when he brought out PGP; he seems authentic from where I sit, miles away. Yet he isn’t the only one in the company, so we’ll see what happens. Maybe they’ll never be pushed to decide; who knows? Maybe they will cave, and you simply won’t ever know. All in all, for the same $10 a month for the service, I would say that Silent Phone is just that much more secure than Kryptos. Where it gets a lot better is in the availability of companion apps to encrypt e-mail, text, and video communications. For the whole suite, this is the service that I would go for.
The Take Away
By encrypting the data that is already on your phone, as in the article How To Encrypt Data on Your Smartphone, and using the methods in this article, you will have the closest thing to a spy phone that your average citizen can have. Is it too much? That’s up to you to decide based on your situation.
Do you feel you need to secure your smartphone communications? Concerned about people listening in? What are you currently doing about it? What are your concerns? Do you have other tips you could share? Let us know, because knowing really is half the battle.
Image Sources: Kryptos Screenshot via Google Play, Silent Phone Screenshot via Google Play, Wife confer privately on the phone via Shutterstock; Young Businessman Via Shutterstock; Girl with a Bag Via Shutterstock