3. Mobile Phone Calls and Messages are Vulnerable to Attack
• Many organizations and individuals
falsely trust the safety and security of
making calls and sending and receiving
texts from their mobile devices.
• However, there are a number of critical
vulnerabilities inherent with mobile
phones and mobile networks that put
our personal privacy and organizations’
confidentiality at risk.
• Understanding and preventing these risks is critical to protecting your business, your employees and your clients and customers.
4. There are Multiple Threats to Cellular Networks
Fake Cell Towers
• IMSI catchers, e.g. the Harris Stingray, pretend to be a cell tower
• Can be used to turn off the standard GSM/3G network encryption on a call
• Undetectable; listens passively to calls
• Used widely by law enforcement and intelligence services, also available at low cost
Network Attacks
• 3G networks: weak encryption on backhaul*
• 4G networks: encryption from the mobile phone stops at the cell tower (eNB), leaving the IP traffic in the backhaul unprotected
• Open to insider threat from rogue employees
Signalling Attacks
• The inter-carrier signalling protocol SS7 is vulnerable to numerous attacks
• Through SS7, calls and SMS messages can be intercepted and the mobile phone tracked
• Femto cells and Wi-Fi hotspots integrated with cellular networks make attacks easy to carry out
Device Attacks
• A hardware or software listening/recording device is placed on the device to bypass network call encryption
• Requires device access, so can be foiled by device management
5. Fake Cell Towers
IMSI Catchers
• An IMSI catcher is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking the movement of mobile phone users.
• They are "fake" cell towers acting between the target mobile phone and the service provider's real cell towers.
• IMSI catchers grab the International Mobile Subscriber Identity (IMSI) and the Electronic Serial Number (ESN) from targeted mobile phones.
• They can force a mobile phone connected to them to use no encryption, making calls easy to intercept, and can intercept both calls and messages.
6. Fake Cell Towers
A threat to Business and Personal Security
• While, to date, IMSI catchers (in particular the Harris Corp. Stingray) have been used mainly for law enforcement purposes, hostile use of IMSI catchers is increasingly likely.
• Low-cost IMSI catchers are now available for as little as $1400.
• In September 2015, International Business Times reported that the Chinese Government spied on aeroplane passengers using IMSI catchers.
• This highlights the threat to international business travellers and organizations.
7. Network Attacks
• In 3G networks, the traffic is encrypted from the mobile device, through the cell tower to the Radio Network Controller, so both the Radio Access Network and the backhaul portions of the network are ‘notionally’ protected.
• However, if a hacker gains access to the Core Mobile Network, the encryption used for GSM and 3G is ineffective.
– In 2009, hackers computed and published a codebook, free on the internet, to decrypt calls made over GSM networks
– In 2010, A Practical-Time Attack on the A5/3 Cryptosystem exposed the weakness of the encryption used in 3G GSM telephony: http://eprint.iacr.org/2010/013.pdf
• In 4G networks, the threat is greater as mandated encryption from the mobile phone stops at the cell tower (eNB), leaving the IP traffic in the backhaul to the operator unprotected.
Gaining access to the core network is becoming easier due to the higher density and diversity of eNBs. In particular, residential femto cells (effectively eNBs that can be purchased for around $100) are an ideal target.
8. Signalling Attacks
Signalling System No. 7 (SS7)
• Signalling System No. 7 (SS7) is a set of telephony signalling protocols standardized by the International Telecommunication Union (ITU), a part of the United Nations, that provides the backbone for all cell phone communication everywhere in the world.
• It allows mobile networks to communicate between themselves in order to connect users and pass messages between networks, ensure correct billing, and allow users to roam on other networks.
• Ever since 2008 it has been widely known that vulnerabilities in SS7 allow cell phone users to be secretly hacked.
• In 2014 the vulnerabilities in SS7 allowed hackers to record an unencrypted phone call between the US ambassador to Ukraine and the US Assistant Secretary of State.
9. Signalling Attacks
SS7 is Easily Hacked
• The vulnerabilities in SS7 allow an intruder with basic skills to perform numerous attacks including:
– IMSI disclosure
– Intercepting and redirecting phone calls
– Intercepting SMS messages
– Tracking of a mobile user
– Blocking a mobile user from receiving incoming calls and messages
• SS7 exploits are easily within reach of hostile parties, and access to SS7 can be bought from network operators for a few hundred dollars per month.
Some SS7 exploits, such as cell phone tracking, have been commercialized
10. Signalling Attacks
Examples
Intercepting SMS Messages
The target is registered with a fake Mobile Switching
Center (MSC) and Visitor Location Register (VLR) -
meaning that SMS messages can be diverted to an
alternative host. This allows the attacker to send fake
message received confirmations, and withhold or send
new/altered messages. The target sees no interruption of
service, and therefore has no reason to suspect anything is
amiss. The goal is often to steal passwords for services
such as banking, email and social media etc.
Intercepting Calls
As part of a VLR attack, the phone owner’s profile can be
manipulated so that when they make a call the billing
request and number they are calling are sent to the
attacker. This allows the attacker to create a conference
call, with themselves unseen, and listen and record the
resulting conversation unobserved.
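The two examples above both begin with the target being registered at a rogue MSC/VLR through an SS7 UpdateLocation. From the home network's side that registration is visible, so the defensive counterpart is to screen inbound location updates. The following Go program is an added example written for this page (it is not CSG's code and not any operator's real SS7 firewall): it parses a constructed UpdateLocation log format, raises an alert when a subscriber is registered by a VLR global title that is not a known home or roaming-partner node, and applies a velocity check that flags a subscriber who "moves" to another country sooner than the configured minimum interval allows. The log lines, global titles and the `2*time.Hour` threshold are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one decoded UpdateLocation record. The log format is constructed
// for this example and is not any operator's real signalling log.
type Event struct {
	At   time.Time
	IMSI string
	VLR  string // global title of the VLR/MSC that now claims to serve the subscriber
	CC   string // country of that VLR
}

// SampleLog is constructed input: a UK subscriber is "moved" to an unknown
// VLR in another country six minutes after attaching at home.
var SampleLog = []string{
	"2016-05-03T10:00:00Z UpdateLocation imsi=234150000000001 vlr=+447700900001 cc=GB",
	"2016-05-03T10:06:00Z UpdateLocation imsi=234150000000001 vlr=+999000000001 cc=ZZ",
	"2016-05-03T12:00:00Z UpdateLocation imsi=234150000000002 vlr=+447700900002 cc=GB",
}

// TrustedVLRs lists global titles of the home network and known roaming
// partners (placeholder values).
var TrustedVLRs = map[string]bool{
	"+447700900001": true,
	"+447700900002": true,
}

// ParseEvent decodes "<RFC3339 time> UpdateLocation imsi=.. vlr=.. cc=..".
func ParseEvent(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "UpdateLocation" {
		return Event{}, fmt.Errorf("not an UpdateLocation record: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{At: at}
	for _, kv := range f[2:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, fmt.Errorf("malformed field %q", kv)
		}
		switch k {
		case "imsi":
			ev.IMSI = v
		case "vlr":
			ev.VLR = v
		case "cc":
			ev.CC = v
		}
	}
	if ev.IMSI == "" || ev.VLR == "" || ev.CC == "" {
		return Event{}, fmt.Errorf("missing field in %q", line)
	}
	return ev, nil
}

// Detect replays the log in order and raises an alert when a subscriber is
// registered by a VLR that is not a known partner, or when a subscriber
// changes country faster than minInterval allows (a velocity check).
func Detect(lines []string, trusted map[string]bool, minInterval time.Duration) []string {
	var alerts []string
	last := map[string]Event{} // most recent registration per IMSI
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			alerts = append(alerts, "unparseable record: "+err.Error())
			continue
		}
		if !trusted[ev.VLR] {
			alerts = append(alerts, fmt.Sprintf("%s IMSI %s registered by unknown VLR %s (%s)",
				ev.At.Format(time.RFC3339), ev.IMSI, ev.VLR, ev.CC))
		}
		if prev, ok := last[ev.IMSI]; ok && prev.CC != ev.CC && ev.At.Sub(prev.At) < minInterval {
			alerts = append(alerts, fmt.Sprintf("%s IMSI %s moved %s -> %s after only %s (implausible)",
				ev.At.Format(time.RFC3339), ev.IMSI, prev.CC, ev.CC, ev.At.Sub(prev.At)))
		}
		last[ev.IMSI] = ev
	}
	return alerts
}

func main() {
	for _, a := range Detect(SampleLog, TrustedVLRs, 2*time.Hour) {
		fmt.Println("ALERT", a)
	}
}
```

Run against the constructed log, the second record produces two alerts (unknown VLR, and a GB to ZZ move after six minutes); the third record, from a trusted VLR with no prior registration, produces none. In a real deployment the trusted list would be the operator's roaming agreements and the interval would be tuned per country pair.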
11. Mobile Threats are not limited to state actors or high-cost hackers
• With nothing more than a browser, an internet connection and maybe a pre-pay debit card, anyone can spoof SMS messages and Caller IDs.
• The fact that the receiving phone recognizes the number and displays the sender's name when the call or text arrives is enough for most individuals to trust the authenticity of the message or call.
• Combined with basic social engineering, recipients could give up critical information such as passwords.
• More concerning is where a number of organisations use SMS as an emergency alerting procedure, to evacuate buildings or request the location of an employee.
13. Given the relative ease with which standard mobile communications can be intercepted, potential threats include:
Economic Espionage
• When employees use their mobile
phones for confidential business
discussions, particularly when travelling
on business, the risk of those texts,
images or calls being intercepted is real.
• If that confidential information is intercepted by competitors or interested third parties, the damage can be far-reaching.
• Reports on the economic impact of
industrial espionage vary, but in the US
alone, BlackOps Partners Corporation,
which works with Fortune 500 companies
on counter-intelligence and protection
puts the number at $500 billion in raw
innovation stolen every year.
• As far back as 2012, General Keith
Alexander, NSA director and commander
of U.S. Cyber Command described
economic espionage as “the greatest
transfer of wealth in history.”
The Risks to Organizations and
their Employees
14. Employee and Personal Safety
• For businesses with employees travelling and working abroad, the risk of interception may be higher as nation states, competitors, terrorists and kidnappers target business travellers.
• Cell phones can exponentially increase this
risk as eavesdropping and message
interception can provide crucial information,
while the growing use of IMSI catchers can
provide accurate real-time location
information.
The Risks to Organizations and
their Employees
Crime and Fraud
• The criminal targeting of personal cell
phones is an increasingly rich area, with
scams growing in complexity and reach.
• Early in 2016, millions of customers of Australia’s biggest banks were targeted in a sophisticated Android attack, using fake login screens for the banking apps, WhatsApp, Skype, PayPal, eBay and Google services.
• The malware was used to both intercept
log-in details and to steal SMS two-factor
authentication codes, meaning the bank’s
security measures were bypassed.
15. ‘Can I trust consumer Apps for
encrypted voice and messaging?’
16. Signalling (SS7) Attacks can be used against many Encrypted Messaging Apps
• It is possible for attackers who have access to the SS7 network to take control of a victim’s phone number, and then use this number to register the app in the victim’s name. The attacker can then masquerade as the victim to the victim’s contacts.
• Because apps such as WhatsApp, Viber, Facebook, Telegram, etc. rely solely on phone numbers to verify the identity of users (at least by default), this presents a major security threat.
• Such exploits can be used to write messages on behalf of the victim as well as read all of their correspondence.
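The weakness described above is that possession of the phone number (proved by receiving an SMS code) is the only registration credential. A common mitigation is a registration lock: a user-chosen PIN that must be presented in addition to the SMS code before the account can be re-registered on a new device. The Go program below is an added example, not code from CSG or from any of the apps named above; it stores only a salted PBKDF2-HMAC-SHA-256 hash of the PIN and models the re-registration check. The account number, the iteration count and the `Register` flow are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA-256 using only the
// standard library. Each output block is U1 xor U2 xor ... xor Uc.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// lockIterations is a hypothetical work factor chosen for this example.
const lockIterations = 100000

// Account is the server-side record for one registered phone number.
type Account struct {
	Number   string
	lockSalt []byte
	lockHash []byte // nil means the user has not set a registration lock
}

var (
	ErrSMSCode = errors.New("SMS verification failed")
	ErrLockPIN = errors.New("registration lock: PIN missing or incorrect")
)

// SetRegistrationLock stores a salted hash of the user's PIN; the PIN itself
// is never stored, so a database leak does not reveal it.
func (a *Account) SetRegistrationLock(pin string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.lockSalt = salt
	a.lockHash = pbkdf2SHA256([]byte(pin), salt, lockIterations, 32)
	return nil
}

// Register models re-registration of the number on a new device. smsCodeOK is
// the outcome of the ordinary SMS one-time-code check, which an attacker who
// can divert the victim's SMS is able to pass; pin is what the registering
// user typed. With a lock set, both must be correct.
func (a *Account) Register(smsCodeOK bool, pin string) error {
	if !smsCodeOK {
		return ErrSMSCode
	}
	if a.lockHash == nil {
		return nil // no lock: the phone number alone decides (the weak default)
	}
	got := pbkdf2SHA256([]byte(pin), a.lockSalt, lockIterations, 32)
	if subtle.ConstantTimeCompare(got, a.lockHash) != 1 {
		return ErrLockPIN
	}
	return nil
}
```

Without a lock, `Register(true, "")` succeeds, which is exactly the situation the slide describes. Once the lock is set, a diverted SMS code on its own is rejected, and the constant-time comparison avoids leaking how many hash bytes matched.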
17. Consumer-focused Encrypted Voice and
Messaging Apps have other risks
Non-Call and Message Data
• Even when the actual voice call content and messages are encrypted, a great deal of information can be gleaned from other information, outside the content of calls and texts.
• Personal, account, location and device information can be used by a hostile attacker to build a profile of an individual or group of targets.
• This is obviously a concern for personal privacy, but when organizations rely on these services this could put deals, acquisitions and even employees’ physical safety at risk.
For example:
WhatsApp’s recent change to their Privacy Policy
states that they will collect and share the following
information:
• Your phone number, profile name and photo, online status
and status message, last seen status.
• Your e-mail when you communicate with them for
customer service
• Device data, such as hardware model, operating system
information, browser information, IP address, mobile
network information including phone number, and device
identifiers.
• Location data.
• Information on your online status such as when you were
last seen online, when you updated your status message,
etc.
• Information from third party services that are integrated
with WhatsApp, e.g. if you share any article from the web
using WhatsApp.
• Information on who is messaging you, calling you or which
groups you belong to.
18. Consumer-focused Encrypted Voice and
Messaging Apps have other risks
Encryption
• Not all encryption is equal. Though difficult to verify, it has
been reported that the majority of consumer apps have
already been compromised in a variety of ways.
• For example, The Russian Federal Security Service (FSB)
has recently announced that it has the ability to collect
encryption keys that enable the creation of a back door for
WhatsApp and similar consumer messaging app Telegram.
“Organizations with higher-than-average security requirements and/or
regulatory requirements (healthcare, finance, government and energy)
should adopt mobile voice and text protection. Certain companies look for
a best-effort secure messaging option among a number of freeware
alternatives.
Often, the sole presence of an encryption algorithm is not enough to
ensure proper enterprise-level security, and we do not recommend relying
on such solutions for the use cases described in this note. The way
ciphering is implemented, the performance and customer support
delivered are all fundamental differentiators.”
Market Guide for Mobile Voice and Texting Protection, Gartner, 22 July 2015.
20. SECURE MOBILE
COMMUNICATIONS
• CSG’s Cellcrypt and Seecrypt mobile
apps provide secure voice / conference
calling and private messaging with file
sharing
• The highest level of protection for mobile
communications, all calls and messages
are protected by military-grade,
authenticated, end-to-end encryption
• Secure calls are VOIP-based data calls
that are transport and carrier agnostic
• Calls and messages over Cellcrypt and
Seecrypt are not susceptible to attack
from IMSI catchers, SS7 or other mobile
network threats
21. SECURE MOBILE
COMMUNICATIONS
• Cellcrypt and Seecrypt are now
available for Microsoft Windows and
Apple Mac computers, so that the same
secure communication technologies can
be utilized on desktops, laptops and
tablets
• Coming soon, multi-device support will
allow users to switch seamlessly
between desktop and their smartphones
without compromising security
22. Military-Grade Encryption for
Secure Communication
Strong Encryption Protocols
Using double-layer encryption in an end-to-end configuration with
a new key for each and every call and text message.
• Confidentiality
Dual-encryption using RC4-384 and AES-256
• Authentication
384-bit Elliptic Curve Cryptography
• Integrity
AES-GCM authentication tag (128 bit MAC)
• Perfect Forward Secrecy (PFS)
Ephemeral ECDH-384
• Off-The-Record (OTR)
PFS + no digital signatures
The Best Crypto Standards
The CSG Crypto engine is designed to be modular and adhere
to best practice cryptographic standards and protocols.
Cellcrypt is FIPS 140-2 certified and Seecrypt is FIPS 140-2
compliant through the use of these standards.
• ANSI X9.63
Full Unified Model Scheme with Bilateral Key Confirmation
• FIPS SP800-56A Rev. 2
ECC-DH C (2,2) + bilateral key confirmation
• FIPS SP800-22 Rev. A
Pseudo Random Number tests
• FIPS SP 800-56C and RFCs 4868 and 5869
HKDF key derivation
• FIPS SP 800-133
“Direct Method” key generation
• FIPS SP 800-38
AES in CTR mode and AES in GCM mode (rev D)
• FIPS SP 800-132
Password-Based Key Derivation (PBKDF)
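The protocol stack above combines an ephemeral ECDH-384 agreement, HKDF key derivation and AES-256-GCM with a 128-bit tag, which is also what makes the calls on slide 7 independent of where the operator's own encryption stops. The Go program below is an added example written for this page, not CSG's crypto engine or any part of Cellcrypt/Seecrypt: it builds the same three steps from the Go standard library, with HKDF written out per RFC 5869 over HMAC-SHA-384. The page's second RC4-384 layer is not reproduced, and the HKDF info label, the associated-data strings and the message text are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// HKDF implements RFC 5869 extract-then-expand with HMAC-SHA-384.
func HKDF(ikm, salt, info []byte, length int) []byte {
	if len(salt) == 0 {
		salt = make([]byte, sha512.Size384) // RFC 5869: default salt is HashLen zero bytes
	}
	extract := hmac.New(sha512.New384, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	var okm, prev []byte
	for counter := byte(1); len(okm) < length; counter++ {
		expand := hmac.New(sha512.New384, prk)
		expand.Write(prev)
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// Session holds one party's ephemeral P-384 key pair. Generating a fresh
// Session per call or message is what gives perfect forward secrecy: once
// it is discarded, recorded traffic cannot be decrypted later.
type Session struct{ priv *ecdh.PrivateKey }

func NewSession() (*Session, error) {
	priv, err := ecdh.P384().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Session{priv: priv}, nil
}

// PublicBytes is the uncompressed point that is sent to the peer in the clear.
func (s *Session) PublicBytes() []byte { return s.priv.PublicKey().Bytes() }

// SharedKey runs ECDH with the peer's public point and derives a 256-bit
// AES key. The info label is an assumption of this example.
func (s *Session) SharedKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P384().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := s.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	return HKDF(secret, nil, []byte("example e2e session key v1"), 32), nil
}

// Seal encrypts with AES-256-GCM; the 128-bit tag covers ciphertext and aad.
// Output is nonce || ciphertext || tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag before returning plaintext; any modified byte fails.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	alice, _ := NewSession()
	bob, _ := NewSession()
	ka, _ := alice.SharedKey(bob.PublicBytes())
	kb, _ := bob.SharedKey(alice.PublicBytes())
	msg, _ := Seal(ka, []byte("meet at 10:00"), []byte("alice->bob"))
	pt, err := Open(kb, msg, []byte("alice->bob"))
	fmt.Printf("%q %v\n", pt, err)
}
```

Both sides derive the same key from each other's public points, a flipped ciphertext byte or a different associated-data string fails the tag check, and a second `NewSession` yields an unrelated key. What this example does not provide is authentication of the public points themselves; the page's stack covers that with 384-bit ECC authentication and bilateral key confirmation, which would sit on top of this exchange.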
23. KEY FEATURES
Strong Encryption
Cellcrypt/Seecrypt provides the highest level of encryption
and authentication to protect against call interception and
eavesdropping. Messages and file transfers are also
encrypted end-to-end to ensure privacy.
Cellcrypt/Seecrypt is certified to the FIPS 140-2 standard,
approved by the US National Institute of Standards &
Technology (NIST).
Secure Voice Calls
Voice calls are fully encrypted end-to-end and are routed
through the mobile device’s data connection.
Cellcrypt/Seecrypt’s adaptive voice codecs ensure low data
and battery use, with no degradation of voice quality.
Provides full authentication of all parties on a call eliminating
the risks of impersonation through Caller ID spoofing.
Private Messaging
Protect your conversations between smartphones, Macs
and PCs with secure messaging and total privacy. Share file
attachments, voice clips, photos, with the ease of a
consumer app.
Group messaging for collaboration can be defined centrally by the organization or locally by the user, providing total security and control.
Approved For Government Use
Cellcrypt/Seecrypt is in active use within Enterprises and
Governments/Armed Forces worldwide.
Cellcrypt/Seecrypt also provides solutions certified for use
beyond Sensitive But Unclassified (US) and Restricted (UK)
use with replaceable cryptography where required, for use
in Classified environments.
24. KEY FEATURES
Works Across Any Network
Calls can be made over any network including 2G/EDGE,
CDMA, 3G/HSDPA, 4G/LTE, Wi-Fi and Satellite networks.
Cellcrypt/Seecrypt optimizes delivery of encrypted real-time
voice and data content between mobile devices, even across
low-bandwidth mobile/wireless networks.
Eliminates Roaming Costs
All voice calls are routed through the mobile device’s
data connection.
Cellcrypt/Seecrypt’s secure Voice over IP (VoIP) network
eliminates long-distance and international call costs
between mobile devices and between landlines/office
phone systems and mobile users through the
Cellcrypt/Seecrypt Voice Gateway.
25. NEW Instant, Ad Hoc Conference Calls
• Select participants from your phone’s contacts list
• Press call and a secure conference bridge is created, connecting you directly
• The other participants get a message to join the call
26. Forget Passwords, PINs and Dial-ins
• Ensuring all participants have the correct information to join a call is a major inconvenience with normal conference calling.
• PINs, passwords and international dial-in numbers can slow everything down, incur expensive long-distance charges, and even prevent crucial participants from joining calls.
• With just one touch, Cellcrypt and Seecrypt’s Conferencing enables participants to join a cost-effective, secure VoIP conference call, already fully authenticated and ready to contribute.
27. Secure Scheduling and Call Controls
• Schedule mobile and desktop
conference calling with no need for third-
party service providers or passwords.
• Conference Calling web UI ensures that
your business can enjoy secure,
authenticated conference calling, safe in
the knowledge that the right people are
on the line.
• Call initiator or administrators have a full
attendee list, and can easily invite new
participants, mute and even eject callers
if the need arises.
28. PRIVATE SWITCH
Your own, private, voice and messaging service
• An on-premise or cloud-hosted solution allows organizations to maintain confidentiality of user, device and call details.
• The Private Switch is the core of control
for Cellcrypt and Seecrypt and is
administered via a web-based
management console with access
restricted to authorized users.
• It manages users; call signalling; call
control and media communications and
authenticates/authorizes every
interaction within the network.
29. VOICE (PBX) GATEWAY
Secure, Encrypted Calls Between Land Lines and a Mobile Workforce
• Securely connect from your mobile to the
company’s PBX to reach offices, customers
and colleagues
• Protection from data interception using military-
grade encryption on VoIP calls between mobile
devices and the PBX
• Access PBX infrastructure, including conferencing
and voicemail, securely from anywhere in the world
• Dramatically reduces calling costs to and from your mobile workforce, eliminating international roaming and long-distance charges
• Interfaces to a wide range of digital PBXs so that you can leverage and maximize the benefits of your existing infrastructure without the need for a costly rip/replace strategy
30. • The cost savings using Cellcrypt and Seecrypt are similar to the cost savings associated
with moving to standard VoIP due to its removal of long distance and roaming charges.
– An Avaya study*, showed that in a U.S. sampling of a
15,000-person enterprise with 2,500 mobile users, the
yearly mobile cost was $5,871,289.
– If that same company could eliminate or reduce international
charges, reduce voice overages by 80%, and eliminate
roaming charges the yearly cost drops by nearly 32%
or $1,875,434.
– Further savings can also be realized by taking into account
the costs of conference calling services.
• Unlike some VOIP approaches the Voice Gateway will interface directly with virtually
any existing digital PBX avoiding a costly rip and replace strategy.
• Cellcrypt and Seecrypt will also enable these savings to be realized where, due to
security concerns, an organization has been prevented from moving to VoIP.
*Avaya – A Business Case for Mobility Solutions
The Economics
31. Industry Specific Solutions
RETAIL AND PRIVATE BANKING
Cellcrypt and Seecrypt can address specific customer
communication needs for Retail and Private Banks
– Use secure instant messaging as means of
communicating with their customers, including
high-net worth, private banking clients
– Make encrypted calls directly with customers on their
mobile phone, wherever they are, without incurring
costly mobile charges for the bank or the customer
even when the client is travelling or is resident in
another country
– Securely send and receive account related
correspondence directly to the user’s mobile device
– Avoid lengthy security question-and-answer sessions at the start of the call to identify and authenticate the client
– A secure mechanism for the client to authorize a
financial transaction on their mobile device,
anytime, anywhere
32. Industry Specific Solutions
GOVERNMENT
Cellcrypt and Seecrypt address the secure communication
needs of many Government Agencies including:
• Administrative Agencies
– Agency employees regularly have sensitive but unclassified (SBU) information on smartphones. This may be inconsequential as standalone conversations, but could be extremely valuable when aggregated, and is therefore in need of protection.
• Department of Defense and Armed Forces
– The military relies on the ability to communicate time-sensitive, mission-critical information in real time, both at home and abroad. At times, military personnel need to leverage public cellular networks when private networks are unavailable. They also increasingly communicate with inter-agency partners in civilian government, including homeland security, emergency response organizations and NGOs.
• Homeland Security
– Disparate agencies engage with each other regularly to protect the homeland. Secure communication is necessary for disaster response and post-event management. These scenarios often involve the exchange of information that is considered sensitive but unclassified (SBU) across mobile devices and public access networks.
34. CSG The Pioneer in Secure Mobile Communication
CSG is the pioneer of Mobile Voice and Text Protection and can claim a number of World Firsts in this sector:
2000s
• 2005: Founders began developing core encryption and communication technology in the UK.
• 2005: Cellcrypt formed to productize and commercialize encryption engine
• 2008: Secure mobile-to-mobile, IP-based, software-only call encryption solution
• 2009: World’s first mobile to landline IP-based, software-only call encryption solution
• 2009: World’s first IP-based, software-only call encryption solution over satellite
• 2009: World’s first Blackberry Secure Voice Solution (and the first IP call on Blackberry)
2010s
• 2010: World’s first Blackberry / CDMA secure voice call
• 2010: World’s First Encrypted Conference solution for mobile
• 2011: World’s first interoperable, secure messaging and encrypted voice calls between BlackBerry, iPhone, and Android
• 2012: Seecrypt formed to develop Non-Certified Secure Communications solutions.
• 2014: Seecrypt releases Secure Communications solution for iPhone, Android, Blackberry and Windows Phone.
• 2014: Next Generation of Cellcrypt code released
• 2016: Cellcrypt and Seecrypt relaunched
• 2016: First Secure Ad-hoc and scheduled Conference Calling
35. CSG AND MOBILE OPERATORS
CARRIER-GRADE SECURITY AND SCALE
• In 2012, CSG began collaborating with
Verizon Wireless to provide Verizon
Voice Cypher offering secure mobile
voice calling and messaging, across
iOS, Blackberry, Windows Mobile and
Android devices
• In 2016, Verizon launched Verizon Voice
Cypher Ultra based on the next
generation of CSG technology
36. CSG AND MOBILE OPERATORS
EXPANDING THE CARRIER STRATEGY
• 2016 sees the announcement of other
mobile carriers launching a secure call
and text service based on CSG
technology
• Viva Telecom Bahrain announced Viva
Communicator in April, which it is selling
to Enterprise and Government clients.
Viva is part of Saudi Telecom (STC)
37. CSG AND MOBILE OPERATORS
EXPANDING THE CARRIER STRATEGY
• MTN South Africa is the latest mobile
carrier to partner with CSG for secure
voice and messaging services using
CSG’s technology.
• MTN SA is part of the MTN Group, a
multinational telecommunications group,
operating in 21 countries in Africa and
the Middle East, with over 232 million
subscribers.
38. Calls made using Cellcrypt and
Seecrypt in 121 countries
The #1 choice for
Government and Enterprise
Editor's Notes
* A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony
Orr Dunkelman, Nathan Keller, and Adi Shamir : http://eprint.iacr.org/2010/013.pdf