It’s no surprise that pro-privacy tech has risen up the agenda since NSA whistleblower Edward Snowden revealed the vast extent of government agencies’ surveillance programs. For instance we’ve seen a new cryptophone, the Blackphone, be born and gain significant investor backing in the current climate.
The problem with Blackphone is that not everyone who’s interested in privacy can afford to shell out ~$600 for a cryptophone, which only safeguards calls if your interlocutor is similarly kitted out. Nor do average folk necessarily want to ditch their current smartphone, or carry around multiple phones, simply to shield the content of their calls from prying ears.
So that’s where a new device called the JackPair is aiming to come in. Currently it’s just a prototype, seeking $35,000 in crowdfunding on Kickstarter to go into production. If it hits its funding target it’s aiming to come to market costing $89 for one device (to early Kickstarter backers), or $139 for a pair of JackPairs. To be clear, in order for the encryption to function a second JackPair is absolutely required — on the device the person you’re speaking to is using. So you still need multiple people to buy in to get practical use out of the system.
The concept is pretty simple: one box plugs into your phone, whether that’s a smartphone, landline telephone or VoIP client on a PC, via the standard 3.5mm headphone jack — and then, once you have paired two JackPairs to establish a secure connection, the devices will encrypt the audio before it’s sent via whatever network you’re using to the person you’re speaking to. JackPair’s software uses a synthesized voice sound for the encrypted audio to ensure mobile devices are tricked into believing the signal is a human voice, not just modulated waves — in order to prevent Voice Activation Detection systems from screening out a sound they might otherwise identify as static noise.
How specifically does it work? The JackPair contains a port where you plug in your headphones so it sits between your headphones and the device you’re making a call on. To make an encrypted call using JackPair two people start a call then either one of them can press a button on their JackPair to generate a one-time encryption key. Once the key has been generated and exchanged, the two people on the call confirm verbally (or otherwise) that they can both see the same number displayed on their device — confirming that the call has been encrypted between those two particular JackPairs.
The one-time secret key (OTSK) is generated on the fly, using a method that JackPair’s makers say protects against man in the middle interception attacks (specifically they are generating keys using the Diffie-Hellman-Merkle key exchange protocol).
The pairing code that the two callers read out to each other, to confirm the call is now encrypted, is not the full OTSK but an abbreviated hash digest number derived from that key. As for the encryption itself, JackPair’s Jeffrey Chang say the audio is encrypted with a synchronous stream cipher –“with XOR’ed keystream resulted from pseudo random number generator using OTSK as seed, and periodic marker flag for re-synchronization”.
Although Chang hails from Taiwan originally, the team is U.S.-based — and aiming to manufacture JackPair in the U.S. too. They are also intending to open source their code so that their security claims can be verified by third parties and support for fixing any holes can be aided by a wider community effort. They say they may also look at ways to open their hardware up for review too — given that hardware can contain hidden security backdoors.
Still, Chang argues that having a dedicated encryption device is better than using an app to encrypt calls, firstly because it means the system works on devices that are not smartphones — such as landline telephones. But also because he says using a separate hardware encryption device circumvents the risk of the smartphone itself being compromised before an encryption app was downloaded.
“If the smart phone itself is compromised, then all bets are off and the encryption software alone won’t guarantee the security of your voice. It’s very hard for a standalone software app vendor to guarantee the security of your smart phone,” adds Chang.
If the crowdfunding campaign goes to plan, JackPair’s makers are aiming to get their gizmo to market this December.