is there a mobile call encryption solution for absolutely untechnical people?
January 27, 2011 12:08 AM

a few friends of mine have a small company. they build a certain kind of equipment and install it in companies around the world. things are working pretty well for them but their competition is trying everything they can to catch up. they recently caught a dumpster diver and another employee was caught trying to walk out with internal documents. now they are worried about their other weaknesses. phone conversations with their engineers in the field are one example.

the engineers in the field have iphones and they call in if they need help setting up the equipment they're supposed to install. everyone assumes a person with questionable ethics and enough technical knowledge could probably eavesdrop on their conversations. they also know that most often they have wifi somewhere on site.

is there a solution that would work with a pc, mac and iphone that could encrypt voip calls? something where you could at least be reasonably sure the conversation is just a little bit too difficult to listen in on to make it worth the effort?

complicating factors:
- these guys are not big enough to shell out six figures on this.
- not every person involved is "great with computers." imagine a 55 year-old guy who has trouble programming his ancient vcr. he needs to be able to get this going.
posted by krautland to Computers & Internet (9 answers total)

It seems pretty unlikely that the calls are going to be eavesdropped on iphone-to-iphone. The attack model for this is kind of complicated and would either involve having physical access to the phones or possibly attacking them via a wifi network to which they are attached. It seems much more likely (easier and more economical) that the physical phones in an office would be tapped or that the office itself would be bugged.

If you shift to encrypted VOIP calls, you can use Skype (available for iPhone), but then you have other attack vectors; the computer with Skype installed can be attacked (windows? no problem!) and the sound data potentially recorded, the office could still be bugged, etc.
posted by beerbajay at 1:25 AM on January 27, 2011

3G calls have pretty strong encryption. You can break GPS calls with off-the-shelf equipment these days, but you'd have to be pretty hardcore to get hold of it & doing so would be a criminal offence.

I'd be more concerned about the competition getting hold of a field installation and extracting the information they needed out of that.

(Also, the best defense against copycats is to keep moving product development forward so that they're always playing catch up even if they do get hold of your stuff.)
posted by pharm at 2:24 AM on January 27, 2011

pharm: "pretty strong" seems generous.
posted by stuph at 5:26 AM on January 27, 2011

The odds are several orders of magnitude higher that trade secrets will be leaked by an employee.

Regarding GSM, previously.
posted by pjaust at 7:06 AM on January 27, 2011

Mod note: folks if you can't answer the question without strongly implying other people are stupid, please come back when you can. This is true even if their answers are wrong or misinformed. MetaTalk and email are your options.
posted by jessamyn (staff) at 7:33 AM on January 27, 2011

Skype is encrypted, simple, and runs on all platforms. Combined with using Skype over a protected (WPA2) wifi connection, the effort and sophistication necessary to decode the Skype audio would be extraordinary. Even over an unprotected connection it would be better than standard VOIP stuff.

See the "Flaws and potential flaws" section in the article I linked above to get a sense of the risks.

Also, make sure you use very good, unguessable Skype passwords, so they can't get in that way.

Now, someone is going to jump on me, saying WIFI/GSM/DES/XYZ CAN BE CRACKED OMG and SKYPE IS PROPRIETARY AND UNSECUR3 OMG. But the fact of the matter is, given your parameters (lack of sophistication, iPhones, wifi) it is among the simplest and easiest ways to increase security. Not a panacea.

After you implement something Skype-like, you're back to pjaust's wisdom: The employees become the weak point.

Now, I also know that someone here reads some comsec blogz and is going to say "OMG SKYPE has been hax0red" but the fact of the matter is that's a long way from the protocol decoding necessary to listen to calls.
posted by fake at 8:05 AM on January 27, 2011

That should be GSM, not GPS obviously. Sigh.
posted by pharm at 8:23 AM on January 27, 2011

It's not very efficient for a business to spend limited resources trying to conquer a perceived weakness that is prohibitively difficult or expensive to implement in the wild, like GSM eavesdropping. They should possibly consider a good security consultant to prioritize their policy agenda. Given recent issues, they should consider reviewing physical security, document retention and internal policies before technical ones. They should also strongly think about talking to a lawyer to improve their ability to recover from a loss through NDAs and other legal protections.
posted by Hylas at 10:55 AM on January 27, 2011

I do infosec and wanted to second Hylas' point - the real remedy for your worries is, ultimately, legal. Technology is advancing quickly enough that technological means of protecting your IP directly (obfuscation, encryption of documentation, reliance on tamper-proof construction, unique business approach, ad nauseam) will not be enough in the long term. You want signed NDAs, and patents if applicable.
posted by TheNewWazoo at 11:42 AM on January 27, 2011
