Cyber criminals and terrorists are listening

Cyber criminals and terrorists are listening to our phone calls. From Indonesia, Kuala Lumpur, London, Shanghai and places in between, YouTube videos show how, for a mere $20, they can listen to cells phones with a salad bowl and a TV remote. Even baby monitors can pick up your neighbors’ cellular conversation. Iranians viewed videos from U.S. Air Force Predator drones last year, with just $30 worth of software and a laptop.

Government and private businesses must focus on securing communications, especially within the Voice over Internet Protocol (VoIP) world, as it is the fastest growing form of communication today.

Is there a demand for this?

“Open, unsecure communications when used in all areas of confidential information is no longer a responsible act” says Peter Zarella, Lead Engineer, Technology Insertion, Office of the Chief Technology Officer at the Defense Information Systems Agency, or DISA. 

There are two types of solutions available within the marketplace today. First, there is the top tier, NSA Type 1, solution which is reserved for a Top Secret and above government clearance. These use private secure networks, embed AES 256 bit encryption on the devices, support NSA Suite B authentication and more. The solutions are typically delivered by the top tier defense contractors and their costs range from several thousand dollars for a desk set implementation to more than $20,000 annually for a mobile solution.

The next level solution is Sensitive But Unclassified (SBU). Traditionally, this tier provides desk set encryption solutions using a less complex encryption algorithm and authentication via a hardware device. In the mobile world, the definition is rapidly evolving with new solutions originating around the world.

At the Special Operations Forces Industry Conference 2009 (SOFIC2009), I.D. Rank Security, Inc. identified specific features which it believes should become standards for private and secure communications:

• The solution has to work on existing PC’s and smart phones in order to optimize the economic conditions. The solution should leverage symmetric authentication and, to the largest degree possible, server-less communications. The more servers a solution requires (e.g., for encryption, authentication, conference, messaging, etc.), the more the Total Cost of Ownership (TCO) rises. It should work on the open Internet, via wire or wireless (WiFi, BGAN, GSM, EV-DO, CDMA) networks, regardless of carrier or network type.
• For the highest level of security, at least three forms of authentication should be selected from among the following: Who you are; What you have; What you know; Where you are; and When you are. The solution must also have a shared secret between users to start the communications, and nothing less than AES 256 bit encryption on all audio sessions, including modulating / rotating encryption keys.

Key modulation is critical because the stream of encrypted data changes with the modulation of the key. All voice should be encrypted end-to-end, with no attack vector anywhere the voice data travels. All voice data should be encrypted from the very first packet. The encryption key should never be sent with the voice packets. If the device is lost or stolen, the ability to terminate identification and use from a central command station is critical.

Target cost should be less than $90 per month or less than $800 in capital cost. All of the above should then be applied to Internet chat, SMS text, file transfer and Push To Talk (PTT).