Monday, July 2, 2012

Gear Review: Encrypted Cell Phone App

I'm more than a blunt instrument in most cases; however, put me in a room of technophiles and I start playing with a Zippo, as if fascinated by fire, rather than attempt a foray into geekspeak. That being said, I appreciate the modern age we live in; it just also comes with personal privacy concerns. When I was a kid I had this conspiracy-minded cousin who was convinced that the C.I.A. listened to everyone's phone calls. Some years later I was working alongside... someone... who was in the know about such things.

"That's ridiculous" he said, "everyone knows that's the NSA's job".

Humor aside, he wasn't wrong, and prior to 9/11 even the NSA didn't do this because there was this little problem of mass storage for all that data. Hence, if you read about that new NSA building in Utah, and a few other places that got less media attention recently, that is largely the idea there. Storage.

But take "The Man" out of it.

There was a brief and fleeting time when you didn't have to worry about privatized spooks and fifteen-year-old hackers eavesdropping on you. When we abandoned cellular and went digital with our "cell phones", calls were basically secure from prying ears in the private trade. If you were intent on listening in on someone badly enough, it took roughly $5000+ to buy the American-made equipment and a solid contact in Europe to buy it for you and get it back to you in the States (or so I heard).

Then came the "smart phone"... which is akin to "military intelligence" in the way of irony. That which makes it the most useful tech tool of the age is also its Achilles heel: the apps.

Whether the spyware comes in via a strange and random text, piggybacked from a known number, or surreptitiously uploaded during the briefest moment when the phone is out of your possession; once it's on, your calls are open to interception by whomever has access to that backdoor... and that, my friend, is that.

Here is the deal, should you be less conspiratorially minded than others.

Every day I encounter clients who will tell me "yeah, but I don't think my business partner, competitor, future ex-wife, or the legal team for this merger I'm a part of, is going to 'break the law' for this".

They will and they do.

Here is the point you should focus on. It is not about using that information in court. It is about how to use that information for strategy, for planning, for tactical response.

Yet you still doubt.....

Despite the guns, the Dark Arts series, and all the rest, the end game is this: I'm in the private intelligence business. Every day of the week I sit in on phone calls, meet in hotel rooms, law offices, and airport lobbies drinking copious amounts of coffee while my newfound client lays out information they have but don't necessarily know what to do with. Hence, it gets in front of me.

So a good portion of my work is laying out a response, or planning for one. Eventually I end up on the phone with everyone. Having had my own information relayed back to me from other sources, in what I shall refer to as "bad timing", on occasion makes the job more difficult.

Enter Kryptos

Kryptos is a voice encryption app for your smart phone that runs $10 a month. It utilizes military-grade 256-bit AES (Advanced Encryption Standard) encryption and operates as a peer-to-peer VoIP comm.

As it was explained to me by the folks at Kryptos, since it is VoIP it does not fall under the FCC nor the telecommunications act, hence it can't be warranted nor subpoenaed... and even if it could, they couldn't. There is no recording and the system has no backdoor. As my point of contact there said, "we can't even hack ourselves".

"Sure sure" you say "Nice sales pitch".

As of this writing (according to the folks at Kryptos) AES security is strong enough to be certified for use by the US government for top secret information, i.e. the alphabet gang and the homies from Homeland included are using it.

Call quality isn't bad at all. In fact, it's rather impressive. I've had three phone calls where we had to essentially stop contact because of bad signal connections (one person was at an indoor pool; the other was... well, not at an indoor pool). It does require a WiFi, 3G or 4G connection, but you can talk between the iPhone, Blackberry and Android platforms.

The other advantage is that once I am able to secure comms between parties, I know where intelligence IS NOT being leaked. That means it is a human factor and traceable. One new standard operating procedure with clients is to ask for their phone at our initial meeting, install the app, bill it to my account and simply take it out of the retainer.

Right out of the gates we are off to a strong start.

So what about you? Why would you need it?

Maybe you're a cop running a C.I., or a spouse going through a nasty divorce with an uber tech-savvy future ex. Maybe you're just someone who has family overseas and Skype is the cheapest way to talk, but you are tired of arranging schedules.

Is it the greatest app ever?????

Guess it depends on who you talk to.

ParatrooperJJ said...

I'm somewhat unclear on one of your statements. I know AES is certified for TS info, but are you suggesting that NSA has approved Kryptos for secured classified calls?

Matthew said...

I am not suggesting that nor was I ever told that.

What was told to me by the folks at Kryptos was that it was being used by a variety of Government agencies and/or agents for secure communications and that AES was strong enough to be certified for TS use.

It's safe to say whatever the NSA uses for such things I would never know about.

Hartley said...

Um, I don't think AES is certified for ANY classified comms - only "sensitive". Check the FIPS listings.
And your phone? It's still "cellular", it just uses digital modulation, not analog, with its radio. (Yes, it's still a radio inside there.)

And as to whether the communications could be subject to legal requirements, making the communication VoIP makes no difference - if they can subpoena your email, they can do the same for a VoIP call (assuming you or they record it) - yes, you could be legally compelled to reveal your key/password.

Assuming that the folks marketing a cool new device are actually telling the whole truth is fraught with peril.

Matthew said...

No one would question the fact that records or password could not be subpoenaed. However if nothing is recorded then there is nothing to be compelled to be produced. And once inside there is only a contact list.

But again the point was not to use a broad legal situation but rather about the fact the FCC has no regulatory powers over anything involving the internet.

Thanks for clearing that up. You are right phones are still "cellular" my point was you can not eavesdrop on digital calls like you could analog.

Anonymous said...

Key/password may not be able to be retrieved, depending on key negotiation. If a random key pair is generated and exchanged at the beginning of the call, the user has no idea what their keys are.

Odds are those keys will be exchanged in a public/private key exchange; again, that can be randomly done each call, see Diffie-Hellman key exchange. If the app does not record or store these keys there is no method of recovery for the user.

How can you be compelled to give information that does not exist?

Next, AES-256 when properly implemented is approved for storage of Top Secret material. The device it is implemented in, though, needs to seek its own approval as well. The algorithm is currently considered secure by the NSA for storage and transmission of top secret material; the implementation must be validated (FIPS certified) for a particular device or piece of software to be used.

FYI, the way this stuff works: you wrap AES keys inside a public/private key encrypted message, use those static keys until your CBC rolls over, and then you generate new keys. This is all without user intervention, and you can use a static public/private key pair for authentication/verification to exchange a temporary private key only known by the two phones that remains unrecorded.
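
The call setup this comment and the "Enter Kryptos" section sketch (a fresh key pair per call, a session key derived on both phones and never stored, a long-term key used only to authenticate the peer), worked through in Go as an added example. This is not the Kryptos app's own code, which is not shown on this page; the message layout, the key-derivation label, the nonce format and the "voice frame" are all constructed for the demo, and it needs Go 1.20 or later for the standard-library `crypto/ecdh` package.

```go
package main

// Added example, not the Kryptos app's own code: a per-call key agreement like the
// one the comment above describes. Each phone makes a fresh X25519 key pair per call,
// signs it with a long-term Ed25519 key, and derives an AES-256-GCM session key from it.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Hello is the setup message: an ephemeral public key signed by the sender's long-term key.
type Hello struct{ EphPub, Sig []byte }

// Phone holds a long-term signing key plus state that lives for one call only.
type Phone struct {
	SignPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	eph      *ecdh.PrivateKey
	aead     cipher.AEAD
	dir      byte   // 0 on one end, 1 on the other, so the two nonce streams never meet
	sendSeq  uint64 // per-direction frame counter, part of every nonce
}

func NewPhone() *Phone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Phone{SignPub: pub, signPriv: priv}
}

// StartCall makes the per-call key; its private half never leaves this struct.
func (p *Phone) StartCall() Hello {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	p.eph = eph
	pub := eph.PublicKey().Bytes()
	return Hello{EphPub: pub, Sig: ed25519.Sign(p.signPriv, pub)}
}

// Accept checks the peer's Hello against the peer's known long-term public key
// (assumed to have been exchanged out of band) and derives the session key.
func (p *Phone) Accept(peer Hello, peerSignPub ed25519.PublicKey) error {
	if !ed25519.Verify(peerSignPub, peer.EphPub, peer.Sig) {
		return fmt.Errorf("peer authentication failed")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.EphPub)
	if err != nil { return err }
	shared, err := p.eph.ECDH(peerPub)
	if err != nil { return err }
	// HKDF-SHA256 (RFC 5869) with a zero salt; one expand block is exactly 32 bytes.
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(shared)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte("demo call key v1\x01"))
	block, err := aes.NewCipher(exp.Sum(nil))
	if err != nil { return err }
	if p.aead, err = cipher.NewGCM(block); err != nil { return err }
	p.dir, p.sendSeq = 1, 0
	if bytes.Compare(p.eph.PublicKey().Bytes(), peer.EphPub) < 0 { p.dir = 0 }
	return nil
}

// nonce is the 12-byte GCM nonce: direction byte, 3 zero bytes, 8-byte sequence.
func nonce(dir byte, seq []byte) []byte { return append([]byte{dir, 0, 0, 0}, seq...) }

// Seal encrypts one voice frame as 8-byte sequence || AES-GCM ciphertext (sequence as AAD).
func (p *Phone) Seal(frame []byte) []byte {
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, p.sendSeq)
	p.sendSeq++
	return p.aead.Seal(append([]byte{}, seq...), nonce(p.dir, seq), frame, seq)
}

// Open decrypts a frame from the peer; any modification fails authentication.
func (p *Phone) Open(pkt []byte) ([]byte, error) {
	if p.aead == nil || len(pkt) < 8 { return nil, fmt.Errorf("no call or short packet") }
	return p.aead.Open(nil, nonce(1-p.dir, pkt[:8]), pkt[8:], pkt[:8])
}

// EndCall drops the per-call keys; nothing was ever written to storage.
func (p *Phone) EndCall() { p.eph, p.aead = nil, nil }

func main() {
	a, b := NewPhone(), NewPhone()
	ha, hb := a.StartCall(), b.StartCall()
	if err := a.Accept(hb, b.SignPub); err != nil { panic(err) }
	if err := b.Accept(ha, a.SignPub); err != nil { panic(err) }
	frame, err := b.Open(a.Seal([]byte("constructed 20 ms voice frame")))
	fmt.Printf("b heard %q, err=%v\n", frame, err)
	a.EndCall(); b.EndCall()
}
```

Two design points matter for the "nothing to hand over" claim in the comment: the X25519 private key and the AES key exist only inside `Phone` for the duration of the call, so a later demand for keys has nothing to reach, and each direction gets its own nonce prefix so two phones sharing one key can never reuse a GCM nonce. Go cannot guarantee that memory is scrubbed after `EndCall`, which is one reason a real product's implementation, not just its algorithm, is what FIPS validation examines.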

Borepatch said...

I'll leave aside my surprise that this seems to use a proprietary key exchange rather than Diffie-Hellman (proprietary is typically A Very Bad Thing Indeed in my experience).

I would point out that this app is very likely illegal in a number of countries - Russia for certain and probably France as well (off the top of my head). I suspect that the personal use exemption in ITAR gives you sufficient room with US export control, but IANAL.

I'd recommend brushing up on foreign crypto laws before any overseas travel.

Tackett9 said...

Good post! I'm part of a five-man rotating security detail for a celebrity. We continually bounce between LA and NYC and started using Kryptos about nine months ago. We found that the paparazzi have become notorious for paying for info not only on our client's cells but on ours as well to obtain our numbers. The hacking text messages have been an ongoing problem.
We've had fantastic success with the app. You would have thought a light switch was turned off.

Keep up the good writing and glad to see you are back at it!

Tackett9 said...

I would also like to add that we found out about it from an FBI agent, and people probably should shy away from critiquing something they haven't used.

Anonymous said...

What prevents a hidden app from being installed, which records sound from the microphone SIMULTANEOUSLY?

On a computer, for example, you can run "Sound Recorder" and "Skype" at the same time. You don't have to hack one if you have voice from the other. What prevents this from happening on a smart phone?

Matthew said...

I think the two key things here to realize are...

If you have technical questions, doubts, concerns, etc. Contact the people at Kryptos.

We have this modern problem of bemoaning theories over the net and not picking up the phone and contacting people directly who can answer questions accurately.

Secondly, I've received a few emails telling me this or that about how it's not actually possible for this program to work.

Remember the part where I said I wasn't a technophile....

I've responded to each email in the same manner: What is your actual experience with this product that led you to have problems? And what is the solution you are currently using to keep your communications private?

John Read said...

I am head of development in a smartphone app development agency. Nice + informative article
