Rólunk bővebben

Az interjú eredetileg angol nyelven készült.

Why we built the company: the growing erosion of personal privacy

Hardly a day goes by without some new revelation of a company hack. Carphone Warehouse in the UK, security dealings in Germany or Ashley Madison in Canada may have got the attention of the press in the summer of 2015. But, in fact, the recent hacks into the US Office of Personnel management are information breaches on a much larger scale. Ironically, these leaks are many times more serious than the revelations from WikiLeaks.

It all goes to prove that we have to take our own measures if you want your calls and data kept safe from eavesdroppers. This recent 60 Minutes Special Investigation from Australia exposes the vulnerabilities that insiders in the telecom business have known for years.

In February 2015, fresh revelations by US whistle-blower Edward Snowden renewed a global discussion about cell phone privacy. The breach, detailed in a secret 2010 GCHQ document, claimed the surveillance agencies had the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data. They did it by hacking into the internal computer network of one the largest manufacturer of SIM cards in the world and stealing encryption keys.

In May 2015, a new French law designed to strengthen intelligence-gathering gained a comfortable majority as it was fast-tracked through the French National Assembly. Does that allow spying on opposition movements in other countries? Or what about "industrial and scientific interests"? Would that allow agents to eavesdrop on journalists investigating major French companies? It is all still extremely unclear.

Industrial Espionage is on an exponential rise

Just as people have the right to buy a virus scanner to keep out the bad guys attacking your home computer, CryptTalk, an independent European high-tech company believes you have the right to ensure your phone calls cannot be eavesdropped by anyone.

We believe that your personal privacy matters a great deal.

The more someone knows about you, the more power they can have over you. Knowledge of personal information can affect reputations, influence life-changing decisions and shape your behaviour.

Whilst the mainstream media has focused on the importance of encrypting offline technologies, like USB sticks or email, very little attention has been given to keeping live voice calls secure. Yet the demand from initial customers for a secure phone system, secure from eavesdroppers, has never been greater. So we've made it so much easier to make fully secure, encrypted calls on both mobile and tablets.

We've heard too many accounts of business situations where important information leaked because the conversation happened over an unencrypted mobile phone. One client said he'd been participating in a very large international request for proposals. He had been discussing a final bidding offer with internal colleagues over a cellphone - and was astonished to discover later that what he thought was a "secret bid" was being leaked to their direct competitors. There are numerous types of cellphone monitoring equipment for sale if you do a simple Google search on the web. And just look at the live maps of Internet attacks going on right this minute, and you see the urgent need for a secure solution.

Building a secure answer, independently verified

For the last year we've been validating our end-to-end system called CryptTalk, winning national awards as well as recognition from international industry bodies such as the Wireless Association (CTIA). We were also spotted by EIT-Digital, a leading European innovation network. They have been assisting us as we scale up our operations. At the end of June 2015, we received the results of an independent security assessment from one of the world's most authoritative information assurance specialists, the NCC Group based in the UK. They found no practically exploitable vulnerabilities and concluded that our application was secured to a very good standard. The NCC security specialists said there was clear evidence of proactive security measures and the product's design is very well thought-out. This extensive report clearly shows that CryptTalk is really doing what it is supposed to be doing.

Our team has spent the last 15 years on securing real-time data for telecom companies all around the European Union. We've been working with the largest call centres and IP-telecom companies, developing a secure Voice-Over-IP engine to process voice calls. So when we decided to form our company to bring CryptTalk to market, we already had 90% of the technology needed for a secure calling and messaging solution.

The secret lies in telecom not in encryption

Most people outside the industry don't realize that 80% of the work involved in building a secure telecom service is understanding and implementing the right telecom infrastructure. The encryption part is also important, but we decided not to attempt to "make a better mouse trap." So CryptTalk uses tried and tested encryption technology and IT best practices that have never failed. The industry of IT security, including telecom, banks and governments already trust these encryption systems. It's pointless to reinvent the wheel.

The real problem is that most IT encryption systems are far too complicated for most people to use.

So our approach has been the other way round. We've focused on putting proven encryption technology into an easy-to-use and affordable application that gives you end-to-end secure communication. It sounds easy. But it is actually very difficult to do well.

A Common Misconception: Wiretaps work

Many people believe that security agencies like the NSA or GCHQ are able to overhear conversations because they tap into the open network and intercept the data packets. Actually, this turns out to be nonsense.

If I am a government hacker, I know that decoding an encrypted data package without the keys is nearly impossible. You're going to need a huge amount of computing power and maybe a million years to crack the sophisticated encryption systems already in use today. So what hackers do is to steal the encryption keys by attacking the end device. That's why you should change the encryption keys after every call. So, once the call is over, you wipe the encryption key from the memory.

We're using the Elliptic Curve Diffie-Hellman key exchange, which provides what's called "perfect forward secrecy". In a nutshell: the key is generated as a shared secret, it is never sent over the network (not even in encrypted form). Once the call is over, the key is destroyed. It can never be recovered by anyone.

This is important in the case a curious government agency, for example, recorded your encrypted calls and then seizes your mobile phone when you're going through customs. Even in this case, they cannot get anything out of the phone which they could use to decrypt the recorded calls made in the past. That's because the actual key is generated inside the phone, never leaves the device and is destroyed after each call. So without the encryption keys, the contents of the call will always remain encrypted.

CryptTalk and Apple are secure partners

Apple has recently released several statements about its security and also launched its latest version of the iPhone's operating system.

But this does not mean that CryptTalk is no longer needed. In fact, both efforts are needed – and are complementary.

Apple encrypts what is stored and handled on the phone itself.

CryptTalk encrypts data that leaves the phone, i.e. both the voice conversations and messages. Likewise, the CryptTalk app is able to decrypt voice conversations and messages coming into the same iPhone. We know that standard GSM calls are poorly protected from eavesdropping. Using Skype or Apple's FaceTime does provide a certain level of protection, but this cannot be compared to the security of the CryptTalk solution.

Active Malware Detection

The CryptTalk app is completely self-contained within the Apple iPhone. Suppose the iPhone has downloaded a piece of malware that attempts to record the microphone, listen to the speaker and send the resultant data file to someone without my knowing. We designed CryptTalk to detect these types of attempts by malware and other monitoring systems that check if the phone has been compromised or "jailbroken".

So, if I was speaking to you now using CryptTalk, the app has secure and unique access to both the microphone and speaker of the iPhone handset.

Suppose I now start the native Apple Voice recorder of the iPhone, which is a piece of software from Apple - it is not from a third party. Being an Apple product, the Voice recorder has extended rights and privileges compared to non-Apple software.

Once CryptTalk detects that another app is trying to access either the microphone or the speaker, it immediately shuts down and drops the call. This would not be the case if you are using FaceTime, for instance.

Maximum Possible Security When Compared to Others

Let's say there is a scale of security from zero to 100. Most of the Apple iPhone applications like FaceTime reach just over 80 points on that scale. We would score 99 because we're delivering the maximum possible security - and we keep working to ensure it stays at that level.

We don't see major changes to the security aspects in the new iOS-9 - it is already much better than any other mobile platform. But there are some useful changes to the graphical user interface which make some of CryptTalk's features even easier to use.

Two versions of the same app

ln the Apple App store, there are two CryptTalk apps available. Both use the same algorithms and offer the same maximum level of security.

We want to stress that they are equally secure.

One version is designed for personal use. Private individuals only want to purchase one account, and they want to sign-up in a similar way to opening a subscription to the New York Times.

But companies have completely different requirements. They may want to have several hundred subscriptions, and they want to be able to manage these at the corporate level.

In the mobile world, a company goes to a telecom provider. They sign a contract and the telecom provider gives them, say, 350 SIM cards. So if companies purchase the CryptTalk enterprise version, CryptTalk PRO, they can expect volume discounts and additional services to administer the accounts. We also offer Service Level Agreements tailor-made to the needs of each company. Some need access to the CryptTalk Business Services desk as part of their business continuity strategy. And so, we offer different levels of support depending on each customer's needs. Being a software company makes it easy to adapt accounts as the customer's business scales up.

Our plans for 2016 and beyond

We're now scaling-up our technology and entering larger countries. We're in the process of building partnerships. And we're focusing on specific types of clients for whom privacy and confidentiality are paramount.

We've already sparked interest in specific professions including lawyers, accountants, financial advisors, securities and commodity traders, analysts and several different branches of both state and private banking. CryptTalk was also discussed at the recent Global Editors Network summit in Barcelona. Secure communication is vital to both journalists and the news agencies, especially those operating from fragile states.

Closing Remarks: The Threat from the Inside

Most security companies are trying to prevent hackers from getting into their systems from the outside. That's important, but in our talks with large corporations, we realized that security breaches often originate from inside the security provider. The weakest link is always a human. Think of the bad guys or a national security agency bribing employees, somehow putting pressure on an individual to create a back-door. It has happened.

We wanted to build a service where this is impossible - so even if you could gain access to the CryptTalk source code or you have administrative rights to our servers, even then it is impossible to eavesdrop on our subscribers' calls. We have learned from the mistakes made by the early players who were often compromised – we took a different approach and built a solution designed to reassure our clients that we don't have and cannot have a back door. Never. This means that we can sleep soundly at night knowing that the trusted reputation we have built with our customers will always remain secure.