Mobile voice encryption gets cheaper, easier to do

By Shamus McGillicuddy, News Editor 16 Jan 2008 | SearchMobileComputing.com

Mobile advice Digg This!     StumbleUpon     Del.icio.us

Next month, KoolSpan Inc. will release the TrustChip, a $300 encryption chip in an SD memory card form factor that end users themselves can slide into any Windows Mobile or Symbian device with an SD card slot.

The TrustChip automatically encrypts voice data when an end user calls another TrustChip-enabled phone.

"It creates a secure encryption key session between two devices with chips," said Tony Fascenda, CEO of KoolSpan, a Bethesda, Md.-based vendor of embeddable encryption technology.

The market for voice encryption on mobile devices has been limited so far in the United States. Experts say the technologies on the market tend to be expensive and unwieldy. And U.S. businesses don't yet perceive a risk in allowing their workers to use unsecured phones.

A KoolSpan-sponsored survey of 219 IT managers published last August revealed that 44% of respondents were aware that voice communication on mobile and cellular networks is not secure, but only 8% had actually deployed a secure voice solution.

"There's a general trust for carriers in this country," said Jeff Stern, vice president of business development for KoolSpan. "There is a well-defined process by which the government can tap a phone if it wants to, and the bad guys generally don't have access to carrier networks. In other countries, the lines are blurred."

Enterprises outside the United State are much more aware of the vulnerability of mobile voice conversations to eavesdropping.

In Italy, for instance, government officials, celebrities and members of the royal family have all found the details of private mobile phone conversations leaked to the public recently. And two years ago, Greek citizens were shocked to learn that the mobile phones of about 100 people, including the country's prime minister and his cabinet, had been tapped for more than a year by unknown parties, possibly foreign intelligence agencies.

"Many of the same attacks that occur overseas can occur here," Stern said. "A lot of tools for committing these attacks may be illegal here, but they can be obtained online."

Nick Selby, senior analyst and director of enterprise security at The 451 Group, said the TrustChip is more affordable and easier to use than other mobile device voice encryption technologies on the market, which could mean a huge market opportunity in the United States.

"It would first be of interest to vertical markets that are highly regulated or highly competitive and so subject to industrial or corporate espionage," Selby said. "Also, if you're a CEO going into China or going to Europe, you want to have encrypted voice capabilities."

There are several specialized vendors that modify mobile phones with embedded encryption, but these "spook phones" don't measure up, Selby said. To begin with, they can talk only to similarly modified phones, while TrustChip phones can call anyone. The TrustChip encrypts voice only when the phone calls another TrustChip phone. The user will see an icon on his display that informs him that the call is encrypted.

"If you were to go with spook phones, those are in the neighborhood of $1,500. They tend to be older hardware, '90s-era Nokia phones," Selby said. "They are extremely expensive, and they are limited in functionality."

Other vendors offer software-based encryption services for mobile devices. Selby said one leader in this method is the German whole-disk encryption vendor Utimaco Safeware. Selby described the Utimaco approach as effective but daunting.

"You have to have an enterprise that is standardized on a certain kind of device," Selby said. "Then you take the corporate image of the operating system for that device and send it to [Utimaco]. They reprogram it so that it has encryption models. Then they send it back to you and you flash it onto everyone else's handsets, but you loose the address books and calendars and everything else because you're reflashing everything onto their phones."

The TrustChip platform consists of three main components, Fascenda said. The chip, with its embedded encryption software is the first piece. The second piece is TrustCenter, a Linux-based management server that allows enterprises to manage chips, create groups and set policies. The third piece is the TrustChip software development kit (SDK), which will allow third parties to connect the encryption technology to other mobile applications.

Selby said the SDK will allow third-party developers to extend the chip's software to encrypt mobile email, instant messages and other business applications. The SDK could also allow developers to extend use of the TrustChip into other devices that accept an SD card, such as laptop and desktop PCs.

"If you can push it to email and other applications, now you're talking about mainstream adoption, such as the financial industries, insurance, healthcare," Selby said. "This would have widely horizontal legs."

A management feature of the platform, known as TrustGroups, will also spur new interest in mobile device encryption, he said.

"TrustGroups totally reduces scale. Rather than having an encryption key unique to each user, what we've done is assign a TrustGroup a very large collection of keys. That collection is given to all users that belong in a TrustGroup," Fascenda said. "So if you're in an organization, say an oil company, everyone in that enterprise would have the same TrustGroup key. The enterprise could create a second group to secure communication with suppliers and partners. And only the members of the enterprise that have to deal with those suppliers would be in a TrustGroup with those suppliers."

"This sets up granular control over which groups trust which groups," Selby said. "Let's say you have 12 people in a company. Three are in management but just one guy in management talks to the company's venture capital firm. The venture capital can talk to his contact with the company, and no one else in the company can hear that. And those three guys in management can talk to each other, but the rest of the company can't hear those conversations."

Tags: Mobile Authentication and Encryption,  Mobile Device Security,  Mobile Access,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Mobile Authentication and Encryption Sybase offers enterprise-ready iPhone solution on the App Store Two-factor authentication: Mobile security at your fingertips RIM makes hostile takeover bid for encryption vendor Certicom In-the-cloud defenses for mobile malware Podcast: The truth about network security and mobile device access iPhone encryption is a must for the security-conscious enterprise Sybase iAnywhere launches productivity suite that tunnels critical business apps through email Avoiding data breaches through mobile encryption Mobile device security: Improving mobile authentication Mobile management: Advice for mobile managers Mobile Authentication and Encryption Research Mobile Device Security Establishing secure mobile communication Managing mobile authentication methods Smartphone insecurity: There's a smartphone app for that Fingerprint recognition and mobile security Traditional security threats coming soon to mobile device near you Securing your Windows Mobile devices Mobile security: Protecting your data, not just your devices Prevent mobile malware: Learn how to protect your enterprise and devices Podcast: The truth about network security and mobile device access Protecting data on your BlackBerry Mobile Device Security Research Mobile Access Mobile application strategy: Rich mobile platforms vs. mobile Web-based services Femtocell solutions: Key questions to ask before you invest Mobile unified communications products Mobile applications: Making anywhere access a reality Defining mobile IT solutions Hospital chain boosts indoor cellular with distributed antenna system Cost-effective mobile connectivity Mobile devices not so open when carriers' bottom line is threatened Motorola Good offers smartphone users NOC-based VPN Sybase iAnywhere brings SQL Anywhere to BlackBerry devices

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CCMP  (SearchMobileComputing.com) drive-by spamming  (SearchMobileComputing.com) LEAP (Lightweight Extensible Authentication Protocol)  (SearchMobileComputing.com) Open System Authentication (OSA)  (SearchMobileComputing.com) SIM card  (SearchMobileComputing.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary