Chris Kranky



Encrypted Communications Trending

Chris Koehncke

The entire art of spying is to take relatively mundane information and assemble it with other mundane information to form intelligence. Two engineers at Caterpillar in Peoria, IL having a phone discussion about a problem with a 3406B impeller for a turbocharged diesel engine may have you falling asleep. But to a competitor this could be vital information in a pending deal; to a stock broker, a potential short trade; to a distant third party, a sign of a project delay with cascading effects to be profited from.

The current telephone network is horribly insecure, and trusting AT&T to fix that is definitely not in the cards.

Years ago, while working at a lawful intercept company, some nice people from the FBI visited along with a gentleman who offered neither a card nor a name. They wanted to know all about how to install our lawful intercept solution and, most particularly, the dimensions of the actual box and what markings it had on it. The next day they called, requested a price, and asked if they could show up late Friday afternoon with a cashier's check from some LLC in Northern Virginia as payment. Cash works too. So Friday evening, a dark van showed up, pulled up to the loading dock, and in under 3 minutes we had our money and off they rode into the night. Destination unknown.

Eavesdropping on communications used to be hard. Today, you need a USB key.

Your traditional telephone call is generally not encrypted, and after years of work it's all IP now; the result is that it's pretty trivial to listen in on a phone call. A true Internet hacker made quick mincemeat of GSM mobile signals and blogged here about it. The SS7 network (used for SMS and call signaling) was never designed for heavy security: it assumes every connected operator is trustworthy, and at this recent hackathon a bunch of 20-somethings took on the task of attacking it. It's hard to secure a system that was never meant to be secured.

In short, traditional voice and chat are a bomb waiting to go off, and plenty of companies are now lining up to capitalize when D-Day arrives. As with early virus protection, end users will initially be left to defend themselves, and that means enterprise customers.

Let’s look at some of the new companies in the mix …

Symphony (Palo Alto) is focused on creating a secure communications application for voice, video and chat. It raised an initial "seed" round of $66 million. Must have been a big seed. The investors are an assortment of big-name financial concerns. Leading Symphony as CEO is David Gurle, who was involved in the very early days of VoIP while at Microsoft.

Symphony is effectively positioning itself as a secure alternative to Bloomberg Chat. Bloomberg screwed up in 2013 by using metadata about customers' terminal activity, violating their trust and creating an opening for Symphony.

Silent Circle (all sorts of locations, in theory Switzerland) has a long history in encrypted communications; its co-founder Phil Zimmermann is the well-known encryption expert who created PGP. Silent Circle has kicked around for years within various government and "folks with something to hide" circles, but the Snowden revelations have raised its profile. Bill Conner, former CEO of Entrust (the PKI folks), has come onboard as CEO and promptly raised $50m to float the boat higher. The target is broader enterprises concerned about communication security.

Silent Circle is about encrypted communications for enterprise and has a strong mobile voice tilt.

Open Whisper Systems (San Francisco) has developed RedPhone and TextSecure, two Android applications that provide end-to-end encrypted calling and messaging, the kind of built-in protection Apple's iMessage users get and Android has lacked. Open Whisper Systems publishes its source code. The organization is really a dot-org, and these apps are not commercial projects.

Clementine.io (San Francisco) is a start-up funded in part by homebrew.co, working on a mobile application with an associated desktop application. Clementine is targeting the compliance function (the monitoring of customer-to-employee communications you see in all sorts of financial concerns). Its apps provide the accountability compliance departments ask for. Clementine uses WebRTC as a core component of its offering.

These firms are primarily targeting vertical applications, basically where people have a need and a willingness to pay. As the shockwave moves out, though, other vertical and functional groups may quickly take interest. The good news is that the cost to provide these services is much lower than it was a year ago, and affordability lowers the bar for the business case for deployment.

Security is not about what happened, but what you don’t want to happen.

WebRTC plays a supporting role and is an onramp into these systems for both mobile and desktop. The question is whether the audio encryption is solid enough for typical secure communications (good enough may be enough). WebRTC media is always encrypted: SRTP protects the audio and video, and the SRTP keys are negotiated with DTLS directly between the two endpoints, so nothing on the media path can read the call without an endpoint's DTLS private key. WebRTC has no signaling component (an area subject to hijacking and manipulation), so developers are free to implement their own solution up to Defcon 1 if needed. The caveat is that the DTLS certificate fingerprints travel in the SDP over that signaling channel; whoever controls signaling can swap in their own fingerprint and sit in the middle of the call, so the signaling path (or an out-of-band check of the fingerprint) is where the real security of a WebRTC call is decided.
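As an added example (not code from the original post or from any of the companies named above), here is the check a WebRTC application can run on the remote SDP before accepting it: pull out the `a=fingerprint` lines the DTLS handshake will be verified against, and compare them with a fingerprint the user learned through some channel the signaling server does not control. In a browser the SDP would be the `sdp` field of the description received over signaling, just before `setRemoteDescription()`, and the local side's own fingerprint can be read from `localDescription.sdp`; how the expected fingerprint reaches the user out of band (a second channel, or reading it aloud like a short authentication string) is assumed here, not specified by WebRTC. The SDP fragments and all fingerprint values below are constructed for illustration and are not real certificate hashes.

```javascript
// Added example, not from the original post. Verifies that the DTLS fingerprint
// carried in a remote SDP matches one learned out of band, so a party controlling
// the signaling path cannot substitute its own certificate and relay the call.

// Parse every a=fingerprint line (session-level and per m= section) from an SDP
// blob. Returns [{hashFunc, value}] in the order the lines appear.
function extractFingerprints(sdp) {
  const out = [];
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    const m = /^a=fingerprint:([A-Za-z0-9-]+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)$/.exec(line);
    if (m) out.push({ hashFunc: m[1].toLowerCase(), value: m[2].toUpperCase() });
  }
  return out;
}

// Compare a remote description against the fingerprint we expect. Every fingerprint
// line must match: an absent line means DTLS was not offered at all, and a differing
// line means something on the signaling path rewrote the offer or answer.
function verifyRemoteDescription(sdp, expected) {
  const fps = extractFingerprints(sdp);
  if (fps.length === 0) {
    return { ok: false, reason: "no a=fingerprint line: DTLS-SRTP not offered" };
  }
  const exp = { hashFunc: expected.hashFunc.toLowerCase(), value: expected.value.toUpperCase() };
  for (const fp of fps) {
    if (fp.hashFunc !== exp.hashFunc || fp.value !== exp.value) {
      return { ok: false, reason: `fingerprint mismatch: ${fp.hashFunc} ${fp.value}` };
    }
  }
  return { ok: true, reason: "fingerprint matches out-of-band value" };
}

// Simulates what a hostile signaling server does: replace the fingerprint so the
// DTLS handshake lands on the attacker's certificate instead of the real peer's.
function mitmRewriteFingerprint(sdp, attackerValue) {
  return sdp.replace(/^(a=fingerprint:sha-256 )[0-9A-Fa-f:]+/m, "$1" + attackerValue);
}

// Constructed data. Alice is verifying Bob's answer; BOB_FP is the value she learned
// out of band. MITM_FP is the attacker's certificate fingerprint. All values made up.
const BOB_FP = {
  hashFunc: "sha-256",
  value: "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00",
};
const MITM_FP_VALUE =
  "DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF";

const GENUINE_ANSWER = [
  "v=0",
  "o=- 4611731400430051336 2 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "a=fingerprint:sha-256 " + BOB_FP.value,
  "m=audio 9 UDP/TLS/RTP/SAVPF 111",
  "c=IN IP4 0.0.0.0",
  "a=rtpmap:111 opus/48000/2",
  "a=setup:active",
].join("\r\n");

const TAMPERED_ANSWER = mitmRewriteFingerprint(GENUINE_ANSWER, MITM_FP_VALUE);

// Plain RTP with no DTLS fingerprint at all; must also be rejected.
const UNENCRYPTED_ANSWER = "v=0\r\no=- 1 1 IN IP4 127.0.0.1\r\ns=-\r\nt=0 0\r\nm=audio 9 RTP/AVP 0\r\n";

if (typeof require !== "undefined" && require.main === module) {
  console.log("genuine:    ", verifyRemoteDescription(GENUINE_ANSWER, BOB_FP));
  console.log("tampered:   ", verifyRemoteDescription(TAMPERED_ANSWER, BOB_FP));
  console.log("unencrypted:", verifyRemoteDescription(UNENCRYPTED_ANSWER, BOB_FP));
}
```

The point of the check is that the media encryption itself is not the weak link; the binding between the two endpoints' certificates and the people on the call is, and that binding rides over whatever signaling the developer chose to build.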