GSMK's Head of Sales and Marketing discusses mobile phone insecurity and chats about the movie Möbius, in which Cryptophones feature heavily.

Article translated from: bz-berlin.de

Möbius Movie features GSMK Cryptophone

“It’s a secret-agent thriller between Moscow, Monaco and Montreal; it’s about secret funds, brainwashing, poison.”

“They just wanted it to look real”, says Konstantin König. For the French movie “Möbius”, starring Academy Award winner Jean Dujardin, his company GSMK delivered the most important prop: an unhackable mobile phone, a so-called Cryptophone, which the main character uses to communicate.

This technological wonder is manufactured in Berlin behind steel doors with combination locks.

 

From here, GSMK delivers its products all over the world. “We have customers in 60 different nations around the world”, says König. He looked tired and unshaven when we met him on a Friday afternoon. König had just come back from the Gitex Technology Week in Dubai.

GSMK is one of the global players in the market of secure telephony. The company was founded by Frank Rieger, spokesman of the hacker collective CCC (Chaos Computer Club). His motivation was the German Constitution (Grundgesetz):

Paragraph 10 – “The privacy of correspondence, posts and telecommunications shall be inviolable.” (sic)

Since the latest eavesdropping affair, it has never been clearer how exposed that privacy is.

“We are experiencing a dramatic increase of enquiries”, says König.

Among the customers are embassies, high-tech and oil companies, as well as the financial industry. They all know that losing information means losing money.

Konstantin König refuses to say who exactly those customers are, and won’t discuss the production conditions in Berlin.

But as the man responsible for all this security, he also has an insight into where spies could have attacked Merkel’s mobile phone. König describes the weak points in just two minutes, using a pen and paper.

Mobile Attack Vectors

Dead easy. His drawing depicts two GSM base stations, two call participants with their mobiles, and three places where an attacker could intercept the conversation.

Eavesdropping via hardware or software?

Last year, the Americans warned everyone about Chinese suppliers whose products are built into many devices around the world. Dr. Christoph Erdmann, whose company Secusmart produced the secured mobile phone used by German chancellor Angela Merkel, told a German newspaper, “The main problem is, nowadays nearly all phone software comes from America, and its hardware from Asia. Those are regions where economic and government espionage is at an all-time high.”

Trojans?

Espionage applications can get into a mobile phone via a faked software update or a malicious app. From there, they can easily intercept connection data, content and/or contacts and send your data anywhere they want without you noticing.

“Over-The-Air Eavesdropping”?

Intercept devices for standard GSM phones can be bought for as little as $2000 on the internet. A common IMSI catcher (IMSI = International Mobile Subscriber Identity) mimics a GSM base station and diverts the phone’s connection to itself to initiate the intercept.

Dr. Erdmann talks about another likely way the eavesdropping on Merkel’s mobile phone took place: “Every mobile provider nowadays must provide the authorities access to its mobile network. We have to assume that the NSA and others have access to every mobile network worldwide. Knowing someone’s mobile number allows all their connection data and calls to be easily intercepted.”

Is there any protection that works?

Konstantin König said, “We are offering a 360-degree solution.” The current GSMK Cryptophones (built into an HTC-Mini and a Samsung Galaxy S3) have a hardened operating system in which every small bit of software has been modified. Trojans are not able to get into those phones anymore. SMS messages can automatically be deleted after receiving them. The second significant step is encrypting calls. This requires the call to be made between two GSMK Cryptophones.

GSMK Cryptophone Examples

GSMK developed a unique voice protocol called Cryptophone-IP. The encryption keys are regenerated for every call. The length of those keys is 2 to the power of 4096, which means uncrackable by today’s standards, and should stay that way for the foreseeable future. The security provided by GSMK also ensures the metadata is masked. Recent revelations have shown that call metadata is often even more useful to an attacker than the actual call content.

For added security, König also recommends using a device password of at least 10 alphanumeric characters.

But is this amount of security really necessary?

“That is a personal question everyone must decide on their own.”

 
