The headquarters of CryptTalk are in Stockholm. Research and development are done in Hungary. We meet up with Co-Founder and CEO Szabolcs Kun in Amsterdam.
He’s part of a scale-up program organized by the Dutch node of EIT-Digital based in Eindhoven. “Our small Eastern European country turns out to have a pool of brilliant telecom security experts – as well as being a healthy skeptical market for anything as disruptive as this. Now we’re scaling up across Europe, watching how personal privacy and security is becoming a serious issue in the Netherlands and other countries in Western Europe.”
Understanding the Threat of Eavesdropping
Hardly a day goes by without some new revelation of a company hack. Carphone Warehouse in the UK, security dealings in Germany or Ashley Madison in Canada may have got the attention of the press in August 2015. But, in fact, the recent hacks into the US Office of Personnel management are information breaches on a much larger scale. Lists of former and active CIA agents and those in witness protection programmes are suddenly out in the open. Ironically, these leaks are many times more serious than the revelations from WikiLeaks.
It all goes to prove that we have to take our own measures if you want your calls and data kept safe from eavesdroppers. This recent 60 Minutes Special Investigation from Australia exposes the vulnerabilities that insiders in the telecom business have known for years.
Perhaps the clearest explanation of this was in the recent TED Talk by the principal technologist at the American Civil Liberties Union, Christopher Soghoian. During the short, sharp intervention at TED 2015, Soghoian points out that solutions are coming from smart-phone manufacturers not the telecom carriers.
“For more than 100 years, the telephone companies have provided wiretapping assistance to governments. For much of this time, this assistance was manual. Surveillance took place manually and wires were connected by hand. Calls were recorded to tape. But, as in so many other industries, computing has changed everything. Our telephones and the networks that carry our calls were wired for surveillance first. First and foremost!
So when you're talking to your spouse, your children, a colleague or your doctor on the telephone, someone could be listening.
Now, that someone might be your own government; it could also be another government, a foreign intelligence service, or a hacker, or a criminal, or a stalker or any other party that breaks into the surveillance system, that hacks into the surveillance system of the telephone companies.
But while the telephone companies have built surveillance as a priority, Silicon Valley companies have not. And increasingly, over the last couple years, Silicon Valley companies have built strong encryption technology into their communications products that makes surveillance extremely difficult.
Tim Cook, heads one of those Silicon Valley companies that cares about security. Apple recently posted a personal message from Cook, following a speech delivered to the Epic Champions of Freedom Meeting in Washington DC (as reported by Techcrunch).
“Like many of you, we at Apple reject the idea that our customers should have to make tradeoffs between privacy and security,” Cook began. “We can, and we must provide both in equal measure. We believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.”
European Solution Starts to Scale Up
A few days before the Apple iOS-9 launch on September 9th 2015, StartupDelta’s Jonathan Marks has been speaking with the CEO of CryptTalk, Szabolcs Kun. He began by asking him whether their encryption app for Apple is still needed, bearing in mind Apple’s recent statement about security and the launch of the latest version of the iPhone’s operating system.
“Both efforts are needed – and are complementary” explains Szabolcs. “Apple encrypts what is stored and handled on the phone itself. CryptTalk encrypts data that leaves the phone, i.e. both the voice conversations and messages. Likewise, the CryptTalk app is able to decrypt voice conversations and messages coming into the same iPhone. We know that standard GSM calls are poorly protected from eavesdropping. Using Skype or Apple's FaceTime does provide a certain level of protection, but this cannot be compared to the security of the CryptTalk solution.”
Active Malware Detection
I wondered if the CryptTalk app is completely self-contained within the Apple iPhone. Suppose the iPhone has downloaded a piece of malware which records the microphone, listens to the speaker and sends the file to someone without me knowing? Can CryptTalk detect that the phone has been compromised or “jailbroken”?
“Yes it can.” Szabolcs explains. “If we were speaking now on CryptTalk, the app securely takes over access to both the microphone and speaker on the iPhone handset.”
“Suppose I now start the native Apple Voice recorder on the iPhone, which is a piece of software from Apple – it is not from a third party. Being an Apple product, the Voice recorder has extended rights and privileges compared to non-Apple software.”
“Once CryptTalk detects that another app is trying to access either the microphone or the speaker, it immediately shuts down and drops the call. That's not going to happen if you are using FaceTime, for instance.”
Maximum Possible Security When Compared to Others
“Let's say there is a scale of security from zero to 100. Most of the Apple iPhone applications like FaceTime reach just over 80 points on that scale. We would score 99 because we're delivering the maximum possible security – and we keep working to ensure it stays at that level.”
“We know what to expect when iOS-9 is launched on September 9th 2015. Many people are playing with the public beta versions that Apple has released. Of course, as a developer, we have been examining the new operating system in depth. We don't see major changes to the security aspects of iOS-9 – it is already much better than any other mobile platform. But there are some useful changes to the graphical user interface which make some features in CryptTalk even easier to use.”
Quantum Computing Proof
This is a theoretical challenge on the horizon of smartphone security.
“At the moment, it can take decades to hack the type of encryption algorithms that CryptTalk uses. So, even if you have recorded the encrypted call, without having access to the encryption keys, brute force (i.e. randomly guessing the password) is not going to work. As computers get very much faster, some argue that a couple of decades could be reduced to a few days.”
“Nevertheless, we need to be prepared for the era of what’s being called quantum computing.”
“Thanks to the basic architecture of the CryptTalk encryption engine, we are able to deliver a quantum-computing proof solution should the market demand this. We have already the technology working in our labs and we're looking for ways to turn it into a commercial product. Expect a public release of this software next year.”
Two versions of the same app
ln the Apple App store, there are two CryptTalk apps available. Is the enterprise version safer?
“All versions use the same algorithms and offer the same maximum level of security. Let me stress that they are equally safe.”
“One version is designed for personal use. Private individuals only want to purchase one account, and they want to sign-up in a similar way to opening a subscription to the New York Times.”
“But companies have completely different requirements. They may want to have several hundred subscriptions, and they want to be able to manage these at the corporate level.”
“In the mobile world, a company goes to a telecom provider. They sign a contract and the telecom provider gives them, say, 350 SIM cards. So if companies purchase the CryptTalk enterprise version, CryptTalk PRO, they can expect volume discounts and additional services to administer the accounts. We also offer Service Level Agreements tailor-made to the needs of each company. Some need access to the CryptTalk Business Services desk as part of their business continuity strategy. And so, we offer different levels of support depending on each customer’s needs. Being a software company makes it easy to adapt accounts as the customer's business scales up. “
Scaling up Starts Now
“We have done a lot of market research and validation in Hungary and this has been very useful for preparing our global roll-out, which is starting now. EIT Digital, from their node in Eindhoven, is helping us scale. And we have been transparent by publishing the results of independent audits of our solution.”
Often Ignored: The Threat from the Inside
“We are different because our approach in developing CryptTalk is very different from others in this market. Most security companies are trying to prevent hackers from getting into their systems from the outside. That's important, but in our talks with large corporations, we realized that security breaches often originate from inside the security provider. The weakest link is always the human-factor. Think of bad guys or a national security agency bribing employees, somehow putting pressure on an individual to create a back-door. It has happened.”
“We wanted to build a service where this is impossible – so even if you could gain access to the CryptTalk source code or you have administrative rights to our servers, even then it is impossible to eavesdrop on clients’ calls. We have learned from the mistakes made by the early players who were often compromised – we took a different approach and built a solution designed to reassure clients that we have no back door. Never. It means that we can sleep at night knowing the trusted reputation we have built with our customers will always be secure. “