
Cellcrypt - An Introduction to Secure Mobile Communications

Apr 13, 2017


Paul Parke
Transcript
Page 1: Cellcrypt - An Introduction to Secure Mobile Communications

Secure Mobile Communications INTRODUCTION

Page 2: Cellcrypt - An Introduction to Secure Mobile Communications

‘How Safe Are Your Mobile Calls and Messages?’

Page 3: Cellcrypt - An Introduction to Secure Mobile Communications

Mobile Phone Calls and Messages are Vulnerable to Attack

• Many organizations and individuals falsely trust the safety and security of making calls and sending and receiving texts from their mobile devices.

• However, there are a number of critical vulnerabilities inherent with mobile phones and mobile networks that put our personal privacy and organizations’ confidentiality at risk.

• Understanding and preventing these risks are critical to protect your business, your employees and your clients and customers.

Page 4: Cellcrypt - An Introduction to Secure Mobile Communications

There are Multiple Threats to Cellular Networks

Fake Cell Towers

• An IMSI catcher, e.g. the Harris Stingray, pretends to be a cell tower

• Can be used to turn off the standard GSM/3G network encryption on a call

• Undetectable, listens passively to calls

• Used widely by law enforcement and intelligence services, also available at low cost

Network Attacks

• 3G networks: weak encryption on backhaul*

• 4G networks: encryption from the mobile phone stops at the Cell Tower (eNB), leaving the IP traffic in the backhaul unprotected.

• Open to insider threat from rogue employees

Signalling Attacks

• The inter-carrier signalling protocol SS7 is vulnerable to numerous attacks

• Through SS7, calls and SMS messages can be intercepted and the mobile phone tracked.

• Femto cells and Wi-Fi hotspots integrated with cellular networks make attacks easy to carry out.

Device Attacks

• A hardware or software listening/recording device is placed on the device to bypass network call encryption

• Requires device access, so can be foiled by device management

Page 5: Cellcrypt - An Introduction to Secure Mobile Communications

Fake Cell Towers

IMSI Catchers

• An IMSI-catcher is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users.

• They are "fake" cell towers acting between the target mobile phone and the service provider's real cell towers.

• IMSI Catchers grab International Mobile Subscriber Identities (IMSI) and the Electronic Serial Numbers (ESN) from targeted mobile phones.

• They can force a mobile phone connected to them to use no encryption, making calls easy to intercept, and can intercept both calls and messages.

Page 6: Cellcrypt - An Introduction to Secure Mobile Communications

Fake Cell Towers

A threat to Business and Personal Security

• While, to date, IMSI catchers, in particular the Harris Corp. Stingray, have been used mainly for law enforcement purposes, hostile use of IMSI catchers is increasingly likely.

• Low-cost IMSI catchers are now available for as little as $1400.

• In September 2015, International Business Times reported that the Chinese Government spied on aeroplane passengers using IMSI catchers.

• This highlights the threat to international business travellers and organizations.

Page 7: Cellcrypt - An Introduction to Secure Mobile Communications

Network Attacks

• In 3G networks, the traffic is encrypted from the mobile device, through the Cell Tower to the Radio Network Controller, so both the Radio Access Network and the backhaul portions of the network are ‘notionally’ protected.

• However, if a hacker gains access to the Core Mobile Network, the encryption used for GSM and 3G is ineffective.

– In 2009, hackers computed and published a codebook free on the internet to decrypt calls made over GSM networks

– In 2010, the paper “A Practical-Time Attack on the A5/3 Cryptosystem” exposed the weakness of the encryption used in 3G GSM Telephony: http://eprint.iacr.org/2010/013.pdf

• In 4G networks, the threat is greater as mandated encryption from the Mobile Phone stops at the Cell Tower (eNB), leaving the IP traffic in the backhaul to the operator unprotected.

Gaining access to the core Network is becoming easier due to the higher density and diversity of eNBs.

In particular, residential femto cells, effectively eNBs that can be purchased for around $100, are an ideal target.

Page 8: Cellcrypt - An Introduction to Secure Mobile Communications

Signalling Attacks

Signalling System No.7 (SS7)

• Signalling System No. 7 (SS7) is a set of telephony signaling protocols standardized by the International Telecommunication Union (ITU), a part of the United Nations, that provides the backbone for all cell phone communication everywhere in the world.

• It allows mobile networks to communicate between themselves in order to connect users and pass messages between networks, ensure correct billing, and to allow users to roam on other networks.

• Ever since 2008 it has been widely known that vulnerabilities in SS7 allow cell phone users to be secretly hacked.

• In 2014 the vulnerabilities in SS7 allowed hackers to record an unencrypted phone call between the US ambassador to the Ukraine and US Assistant Secretary of State.

Page 9: Cellcrypt - An Introduction to Secure Mobile Communications

Signalling Attacks

SS7 is Easily Hacked

• The vulnerabilities in SS7 allow an intruder with basic skills to perform numerous attacks including:

– IMSI disclosure

– Intercepting and redirecting phone calls

– Intercepting SMS messages

– Tracking of a mobile user

– Blocking a mobile user from receiving incoming calls and messages

• SS7 exploits are easily within reach of hostile parties and access to SS7 can be bought from network operators for a few hundred dollars per month.

Some SS7 exploits such as cell phone tracking have been commercialized

Page 10: Cellcrypt - An Introduction to Secure Mobile Communications

Signalling Attacks

Examples

Intercepting SMS Messages

The target is registered with a fake Mobile Switching Center (MSC) and Visitor Location Register (VLR), meaning that SMS messages can be diverted to an alternative host. This allows the attacker to send fake message received confirmations, and withhold or send new/altered messages. The target sees no interruption of service, and therefore has no reason to suspect anything is amiss. The goal is often to steal passwords for services such as banking, email and social media etc.

Intercepting Calls

As part of a VLR attack, the phone owner’s profile can be manipulated so that when they make a call the billing request and number they are calling are sent to the attacker. This allows the attacker to create a conference call, with themselves unseen, and listen and record the resulting conversation unobserved.

Page 11: Cellcrypt - An Introduction to Secure Mobile Communications

Mobile Threats are not limited to state-actors or high-cost hackers

• With nothing more than a browser, an internet connection and maybe a pre-pay debit card, anyone can spoof SMS messages and Caller IDs.

• The fact that the receiving mobile phone recognizes the sender and displays their name when the call or text arrives is enough for most individuals to trust the authenticity of the message or call.

• Combined with basic social engineering, recipients could give up critical information such as passwords etc.

• More concerning is where a number of organisations use SMS as an emergency alerting procedure, to evacuate buildings or request the location of an employee.

Page 12: Cellcrypt - An Introduction to Secure Mobile Communications

‘What are the Risks for Organizations?’

Page 13: Cellcrypt - An Introduction to Secure Mobile Communications

The Risks to Organizations and their Employees

Given the relative ease with which standard mobile communications can be intercepted, potential threats include:

Economic Espionage

• When employees use their mobile phones for confidential business discussions, particularly when travelling on business, the risk of those texts, images or calls being intercepted is real.

• If that confidential information is intercepted by competitors or interested third parties, the damage can be far-reaching.

• Reports on the economic impact of industrial espionage vary, but in the US alone, BlackOps Partners Corporation, which works with Fortune 500 companies on counter-intelligence and protection, puts the number at $500 billion in raw innovation stolen every year.

• As far back as 2012, General Keith Alexander, NSA director and commander of U.S. Cyber Command, described economic espionage as “the greatest transfer of wealth in history.”

Page 14: Cellcrypt - An Introduction to Secure Mobile Communications

The Risks to Organizations and their Employees

Employee and Personal Safety

• For businesses with employees travelling and working abroad, the risk of interception may be higher as nation states, competitors, terrorists and kidnappers target business travelers.

• Cell phones can exponentially increase this risk as eavesdropping and message interception can provide crucial information, while the growing use of IMSI catchers can provide accurate real-time location information.

Crime and Fraud

• The criminal targeting of personal cell phones is an increasingly rich area, with scams growing in complexity and reach.

• Early in 2016, millions of customers of Australia’s biggest banks were targeted in a sophisticated Android attack, using fake log in screens for the banking apps, WhatsApp, Skype, PayPal, eBay and Google services.

• The malware was used to both intercept log-in details and to steal SMS two-factor authentication codes, meaning the bank’s security measures were bypassed.

Page 15: Cellcrypt - An Introduction to Secure Mobile Communications

‘Can I trust consumer Apps for encrypted voice and messaging?’

Page 16: Cellcrypt - An Introduction to Secure Mobile Communications

Signalling (SS7) Attacks can be used against many Encrypted Messaging Apps

• It is possible for attackers who have access to the SS7 network to take control of a victim’s phone number, and then use this number to register the app in the victim’s name. The attacker can then masquerade as the victim to the victim’s contacts.

• Because apps such as WhatsApp, Viber, Facebook, Telegram, etc. rely solely on phone numbers to verify the identity of users (at least by default), this presents a major security threat.

• Such exploits can be used to write messages on behalf of the victim as well as read all of their correspondence.

Page 17: Cellcrypt - An Introduction to Secure Mobile Communications

Consumer-focused Encrypted Voice and Messaging Apps have other risks

Non-Call and Message Data

• Even when the actual voice call content and messages are encrypted, a great deal can be gleaned from other information, outside of the content of calls and texts.

• Personal, account, location and device information can be used by a hostile attacker to build a profile of an individual or group of targets.

• This is obviously a concern for personal privacy, but when organizations rely on these services this could put deals, acquisitions and even employees' physical safety at risk.

For example: WhatsApp’s recent change to their Privacy Policy states that they will collect and share the following information:

• Your phone number, profile name and photo, online status and status message, last seen status.

• Your e-mail when you communicate with them for customer service

• Device data, such as hardware model, operating system information, browser information, IP address, mobile network information including phone number, and device identifiers. 

• Location data.

• Information on your online status such as when you were last seen online, when you updated your status message, etc.

• Information from third party services that are integrated with WhatsApp, e.g. if you share any article from the web using WhatsApp.

• Information on who is messaging you, calling you or which groups you belong to.

Page 18: Cellcrypt - An Introduction to Secure Mobile Communications

Consumer-focused Encrypted Voice and Messaging Apps have other risks

Encryption

• Not all encryption is equal. Though difficult to verify, it has been reported that the majority of consumer apps have already been compromised in a variety of ways.

• For example, the Russian Federal Security Service (FSB) has recently announced that it has the ability to collect encryption keys that enable the creation of a back door for WhatsApp and similar consumer messaging app Telegram.

“Organizations with higher-than-average security requirements and/or regulatory requirements (healthcare, finance, government and energy) should adopt mobile voice and text protection. Certain companies look for a best-effort secure messaging option among a number of freeware alternatives.

Often, the sole presence of an encryption algorithm is not enough to ensure proper enterprise-level security, and we do not recommend relying on such solutions for the use cases described in this note. The way ciphering is implemented, the performance and customer support delivered are all fundamental differentiators.”

Market Guide for Mobile Voice and Texting Protection, Gartner, 22 July 2015.

Page 19: Cellcrypt - An Introduction to Secure Mobile Communications

SECURE MOBILE COMMUNICATION SOLUTIONS

Page 20: Cellcrypt - An Introduction to Secure Mobile Communications

SECURE MOBILE COMMUNICATIONS

• CSG’s Cellcrypt and Seecrypt mobile apps provide secure voice / conference calling and private messaging with file sharing

• The highest level of protection for mobile communications, all calls and messages are protected by military-grade, authenticated, end-to-end encryption

• Secure calls are VOIP-based data calls that are transport and carrier agnostic

• Calls and messages over Cellcrypt and Seecrypt are not susceptible to attack from IMSI catchers, SS7 or other mobile network threats

Page 21: Cellcrypt - An Introduction to Secure Mobile Communications

SECURE MOBILE COMMUNICATIONS

• Cellcrypt and Seecrypt are now available for Microsoft Windows and Apple Mac computers, so that the same secure communication technologies can be utilized on desktops, laptops and tablets

• Coming soon, multi-device support will allow users to switch seamlessly between desktop and their smartphones without compromising security

Page 22: Cellcrypt - An Introduction to Secure Mobile Communications

Military-Grade Encryption for Secure Communication

Strong Encryption Protocols

Using double-layer encryption in an end-to-end configuration with a new key for each and every call and text message.

• Confidentiality: Dual-encryption using RC4-384 and AES-256

• Authentication: 384-bit Elliptic Curve Cryptography

• Integrity: AES-GCM authentication tag (128 bit MAC)

• Perfect Forward Secrecy (PFS): Ephemeral ECDH-384

• Off-The-Record (OTR): PFS + no digital signatures

The Best Crypto Standards

The CSG Crypto engine is designed to be modular and adhere to best practice cryptographic standards and protocols.

Cellcrypt is FIPS 140-2 certified and Seecrypt is FIPS 140-2 compliant through the use of these standards.

• ANSI X9.63: Full Unified Model Scheme with Bilateral Key Confirmation

• FIPS SP800-56A Rev. 2: ECC-DH C (2,2) + bilateral key confirmation

• FIPS SP800-22 Rev. A: Pseudo Random Number tests

• FIPS SP 800-56C and RFCs 4868 and 5869: HKDF key derivation

• FIPS SP 800-133: “Direct Method” key generation

• FIPS SP 800-38: AES in CTR mode and AES in GCM mode (rev D)

• FIPS SP 800-132: Password-Based Key Derivation (PBKDF)
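
An added sketch (not Cellcrypt or Seecrypt code) of how primitives named on this slide fit together: one ephemeral ECDH P-384 exchange per call, HKDF key derivation, and AES-256-GCM with a 128-bit tag. The curve name `secp384r1`, the HKDF hash, salt and label, and every function name are assumptions; the RC4 layer, peer authentication and key confirmation are left out, so the public keys are assumed to arrive over an already authenticated channel.

```javascript
// Added illustration only; this is not Cellcrypt or Seecrypt code.
const nodeCrypto = require('node:crypto');

// A fresh P-384 key pair for every call or message. Discarding it after the
// session is what gives forward secrecy: no long-term key can recover old traffic.
function newEphemeral() {
  const ecdh = nodeCrypto.createECDH('secp384r1');
  ecdh.generateKeys();
  return ecdh;
}

// HKDF-SHA384 over the raw ECDH secret yields a 32-byte AES-256 key.
// computeSecret() throws if the peer's point is not on the curve.
function deriveSessionKey(own, peerPublic, salt, info) {
  const shared = own.computeSecret(peerPublic);
  return Buffer.from(nodeCrypto.hkdfSync('sha384', shared, salt, info, 32));
}

// Both sides of one call. The call id (salt) and the label are hypothetical;
// binding both public keys into `info` ties the key to this exact exchange.
function runCall(callId) {
  const initiator = newEphemeral();
  const responder = newEphemeral();
  const iPub = initiator.getPublicKey();
  const rPub = responder.getPublicKey();
  const salt = Buffer.from(callId);
  const info = Buffer.concat([Buffer.from('example-call-v1'), iPub, rPub]);
  return {
    initiatorKey: deriveSessionKey(initiator, rPub, salt, info),
    responderKey: deriveSessionKey(responder, iPub, salt, info),
  };
}

// AES-256-GCM with a random 96-bit IV and a 128-bit authentication tag.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Decrypts and verifies; final() throws if ciphertext, AAD or tag was altered.
function unseal(key, msg, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv, { authTagLength: 16 });
  d.setAAD(aad);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.ct), d.final()]);
}

// Constructed sample data: two calls, one message, one forged ciphertext.
function demo() {
  const callA = runCall('constructed-call-0001');
  const callB = runCall('constructed-call-0002');
  const aad = Buffer.from('constructed-call-0001');
  const msg = seal(callA.initiatorKey, Buffer.from('constructed sample message'), aad);
  const roundTrip = unseal(callA.responderKey, msg, aad).toString();

  const forged = { ...msg, ct: Buffer.from(msg.ct) };
  forged.ct[0] ^= 0x01; // flip one bit in transit
  let tamperRejected = false;
  try {
    unseal(callA.responderKey, forged, aad);
  } catch (e) {
    tamperRejected = true;
  }

  return {
    keysMatch: callA.initiatorKey.equals(callA.responderKey),
    keyBytes: callA.initiatorKey.length,
    tagBytes: msg.tag.length,
    roundTrip,
    tamperRejected,
    freshKeyPerCall: !callA.initiatorKey.equals(callB.initiatorKey),
  };
}

console.log(demo());
```

Without the authentication step listed on the slide, an ephemeral exchange like this one is open to a man-in-the-middle who substitutes their own public keys.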

Page 23: Cellcrypt - An Introduction to Secure Mobile Communications

KEY FEATURES

Strong Encryption

Cellcrypt/Seecrypt provides the highest level of encryption and authentication to protect against call interception and eavesdropping. Messages and file transfers are also encrypted end-to-end to ensure privacy.

Cellcrypt/Seecrypt is certified to the FIPS 140-2 standard, approved by the US National Institute of Standards & Technology (NIST).

Secure Voice Calls

Voice calls are fully encrypted end-to-end and are routed through the mobile device’s data connection. Cellcrypt/Seecrypt’s adaptive voice codecs ensure low data and battery use, with no degradation of voice quality.

Provides full authentication of all parties on a call eliminating the risks of impersonation through Caller ID spoofing.

Private Messaging

Protect your conversations between smartphones, Macs and PCs with secure messaging and total privacy. Share file attachments, voice clips, photos, with the ease of a consumer app.

Group messaging for collaboration can be defined centrally by the organization or locally by the user, providing total security and control.

Approved For Government Use

Cellcrypt/Seecrypt is in active use within Enterprises and Governments/Armed Forces worldwide.

Cellcrypt/Seecrypt also provides solutions certified for use beyond Sensitive But Unclassified (US) and Restricted (UK) use with replaceable cryptography where required, for use in Classified environments.

Page 24: Cellcrypt - An Introduction to Secure Mobile Communications

KEY FEATURES

Works Across Any Network

Calls can be made over any network including 2G/EDGE, CDMA, 3G/HSDPA, 4G/LTE, Wi-Fi and Satellite networks.

Cellcrypt/Seecrypt optimizes delivery of encrypted real-time voice and data content between mobile devices, even across low-bandwidth mobile/wireless networks.

Eliminates Roaming Costs

All voice calls are routed through the mobile device’s data connection.

Cellcrypt/Seecrypt’s secure Voice over IP (VoIP) network eliminates long-distance and international call costs between mobile devices and between landlines/office phone systems and mobile users through the Cellcrypt/Seecrypt Voice Gateway.

Page 25: Cellcrypt - An Introduction to Secure Mobile Communications

NEW Instant, Ad Hoc Conference Calls

Select participants from your phone’s contacts list

Press call and a secure conference bridge is created, connecting you directly

The other participants get a message to join the call

Page 26: Cellcrypt - An Introduction to Secure Mobile Communications

Forget Passwords, PINs and Dial-ins

• Ensuring all participants have the correct information to join a call is a major inconvenience with normal conference calling.

• PINs, passwords and international dial-in numbers can slow everything down, incur expensive long-distance charges, and even prevent crucial participants from joining calls.

• With just one touch, Cellcrypt and Seecrypt's Conferencing enables participants to join a cost-effective, secure VoIP conference call, already fully authenticated and ready to contribute.

Page 27: Cellcrypt - An Introduction to Secure Mobile Communications

Secure Scheduling and Call Controls

• Schedule mobile and desktop conference calling with no need for third-party service providers or passwords.

• Conference Calling web UI ensures that your business can enjoy secure, authenticated conference calling, safe in the knowledge that the right people are on the line.

• Call initiator or administrators have a full attendee list, and can easily invite new participants, mute and even eject callers if the need arises.

Page 28: Cellcrypt - An Introduction to Secure Mobile Communications

PRIVATE SWITCH

Your own, private, voice and messaging service

• An on premise or cloud hosted solution allows organizations to maintain confidentiality of user, device and call details.

• The Private Switch is the core of control for Cellcrypt and Seecrypt and is administered via a web-based management console with access restricted to authorized users.

• It manages users, call signalling, call control and media communications, and authenticates/authorizes every interaction within the network.

Page 29: Cellcrypt - An Introduction to Secure Mobile Communications

VOICE (PBX) GATEWAY

Secure, Encrypted Calls Between Land Lines and a Mobile Workforce

• Securely connect from your mobile to the company’s PBX to reach offices, customers and colleagues

• Protection from data interception using military-grade encryption on VoIP calls between mobile devices and the PBX

• Access PBX infrastructure, including conferencing and voicemail, securely from anywhere in the world

• Dramatically reduces calling costs to and from your mobile workforce, eliminating international roaming and long distance charges

• Interfaces to a wide-range of digital PBXs so that you can leverage and maximize the benefits of your existing infrastructure without the need for a costly rip/replace strategy

Page 30: Cellcrypt - An Introduction to Secure Mobile Communications

The Economics

• The cost savings using Cellcrypt and Seecrypt are similar to the cost savings associated with moving to standard VoIP due to its removal of long distance and roaming charges.

– An Avaya study* showed that in a U.S. sampling of a 15,000-person enterprise with 2,500 mobile users, the yearly mobile cost was $5,871,289.

– If that same company could eliminate or reduce international charges, reduce voice overages by 80%, and eliminate roaming charges the yearly cost drops by nearly 32% or $1,875,434.

– Further savings can also be realized by taking into account the costs of conference calling services.

• Unlike some VoIP approaches, the Voice Gateway will interface directly with virtually any existing digital PBX, avoiding a costly rip and replace strategy.

• Cellcrypt and Seecrypt will also enable these savings to be realized where, due to security concerns, an organization has been prevented from moving to VoIP.

*Avaya – A Business Case for Mobility Solutions

Page 31: Cellcrypt - An Introduction to Secure Mobile Communications

Industry Specific Solutions

RETAIL AND PRIVATE BANKING

Cellcrypt and Seecrypt can address specific customer communication needs for Retail and Private Banks

– Use secure instant messaging as a means of communicating with their customers, including high-net worth, private banking clients

– Make encrypted calls directly with customers on their mobile phone, wherever they are, without incurring costly mobile charges for the bank or the customer even when the client is travelling or is resident in another country

– Securely send and receive account related correspondence directly to the user’s mobile device

– Avoid lengthy security question and answer sessions at the start of the call to identify and authenticate the client

– A secure mechanism for the client to authorize a financial transaction on their mobile device, anytime, anywhere

Page 32: Cellcrypt - An Introduction to Secure Mobile Communications

Industry Specific Solutions

GOVERNMENT

Cellcrypt and Seecrypt address the secure communication needs of many Government Agencies including:

• Administrative Agencies

– Agency employees regularly have sensitive but unclassified (SBU) conversations on smartphones. These may be inconsequential as standalone conversations, but could be extremely valuable when aggregated, and are therefore in need of protection.

• Department of Defense and Armed Forces

– The military relies on the ability to communicate time-sensitive, mission critical information in real-time, both at home and abroad. At times, military personnel need to leverage public cellular networks when private networks are unavailable. They also increasingly communicate with inter-agency partners in civilian government, including homeland security, emergency response organizations and NGOs.

• Homeland Security

– Disparate agencies engage with each other regularly to protect the homeland. Secure communication is necessary for disaster response and post-event management. These scenarios often involve the exchange of information that is considered sensitive but unclassified (SBU) across mobile devices and public access networks

Page 33: Cellcrypt - An Introduction to Secure Mobile Communications

ABOUT CSG

Page 34: Cellcrypt - An Introduction to Secure Mobile Communications

CSG The Pioneer in Secure Mobile Communication

CSG is the pioneer of Mobile Voice and Text Protection and can claim a number of World Firsts in this sector:

2000s

2005: Founders began developing core encryption and communication technology in the UK.

2005: Cellcrypt formed to productize and commercialize encryption engine

2008: Secure mobile-to-mobile, IP-based, software-only call encryption solution

2009: World’s first mobile to landline IP-based, software-only call encryption solution

2009: World’s first IP-based, software-only call encryption solution over satellite

2009: World’s first Blackberry Secure Voice Solution (and the first IP call on Blackberry)

2010s

2010: World’s first Blackberry / CDMA secure voice call

2010: World’s First Encrypted Conference solution for mobile

2011: World’s first interoperable, secure messaging and encrypted voice calls between BlackBerry, iPhone, and Android

2012: Seecrypt formed to develop Non-Certified Secure Communications solutions.

2014: Seecrypt releases Secure Communications solution for iPhone, Android, Blackberry and Windows Phone.

2014: Next Generation of Cellcrypt code released

2016: Cellcrypt and Seecrypt relaunched

2016: First Secure Ad-hoc and scheduled Conference Calling

Page 35: Cellcrypt - An Introduction to Secure Mobile Communications

CSG AND MOBILE OPERATORS

CARRIER-GRADE SECURITY AND SCALE

• In 2012, CSG began collaborating with Verizon Wireless to provide Verizon Voice Cypher offering secure mobile voice calling and messaging, across iOS, Blackberry, Windows Mobile and Android devices

• In 2016, Verizon launched Verizon Voice Cypher Ultra based on the next generation of CSG technology

Page 36: Cellcrypt - An Introduction to Secure Mobile Communications

CSG AND MOBILE OPERATORS

EXPANDING THE CARRIER STRATEGY

• 2016 sees the announcement of other mobile carriers launching a secure call and text service based on CSG technology

• Viva Telecom Bahrain announced Viva Communicator in April, which it is selling to Enterprise and Government clients. Viva is part of Saudi Telecom (STC)

Page 37: Cellcrypt - An Introduction to Secure Mobile Communications

CSG AND MOBILE OPERATORS

EXPANDING THE CARRIER STRATEGY

• MTN South Africa is the latest mobile carrier to partner with CSG for secure voice and messaging services using CSG’s technology.

• MTN SA is part of the MTN Group, a multinational telecommunications group, operating in 21 countries in Africa and the Middle East, with over 232 million subscribers.

Page 38: Cellcrypt - An Introduction to Secure Mobile Communications

Calls made using Cellcrypt and Seecrypt in 121 countries

The #1 choice for Government and Enterprise

Page 39: Cellcrypt - An Introduction to Secure Mobile Communications