Secure Cellphone Maker GSMK Talks Cryptography In A Post-Snowden World

In a world where your every move is tracked, what would you pay for a secure cellphone? Dr. Björn Rupp is willing to bet it’s about $3,500. His company, GSMK Cryptophone builds cellphones that are secure from the ground up. Running a home-brew version of Android, they allow for completely secure, end-to-end communication with most, if not all, of the smartphone features the security-conscious crave. The trick? Both parties in the conversation have to have their own Cryptophones, making them like a sort of James Bondian walkie-talkie.

I spoke with Rupp at his offices in Berlin where we sat behind his spy-proof, bulletproof glass windows and talked about the future of secure communications and how the Snowden affair affected sales of his pricey — if not important — cellphones.

John Biggs: Tell us what you do.

Björn Rupp: What we’ve been doing for 10 years now is secure communications in the broader sense. GSMK was the first, and still is the only company that offers defense-grade security on the commercial smartphones.

So, we take a standard commercial smartphone hardware platform, and we replace in higher format. There is voice encryption, message encryption and secure storage. And we invested our work in making sure that the phone itself is secure: no mobile viruses, no SIM duplicate texts. Also, no remote operator updates that some operator somewhere wants to do an official authorized update, which unfortunately happens to steal all your data, et cetera.

And so, that’s kind of what we do and what we have been doing for 10 years, and we have all these published source codes. You don’t have to trust us. You can verify on your own that the implementation, that the algorithms, are correct, that there are no back doors, which is of course always a concern in the industry.

We figured rather than have suppliers trust us, we found it better to give them the ability to review on their own, have the experts review if its implementation is correct.

JB: So you couldn’t turn just any smartphone into a Cryptophone?

BR: Not any smartphone, because if you want a hardened operating system, obviously, you need to have deep-level access to the OS.

JB: And there’s no way to download this and just, like, install on your phone? It’s a very specific hardened Android that you guys are using?

BR: The thing is you could provide application-level security in the form of a download. But the problem is that that would not meet the level of security that our customers would expect from us.

The problem is even if you have an encrypted communication link using application-level security, a determined attacker would then not go for the encrypted link. He would say, “Okay, it’s encrypted, I can’t break it.” But the intrepid attacker will attack the phone itself. And I don’t have to tell you about how many Android exploits there are out there. So it’s easy, it’s really easy to explore the commercial smartphone and open the microphone. And then you can just get the audio from the microphone even before it is encrypted.

That’s why we really put a lot of emphasis on the 360-degree security. Because otherwise, if you don’t provide that level of security, this hardened operating system, secure storage and so on, you’d create a false sense of security where people think, “Wow, great, I’m encrypted now.” But really, the determined adversary won’t care. He would attack the phone. It’s a proven scenario. You’ve seen that over and over again.

Just like in the computer. What I always worry about when people are using P2P and think they are safe now. I think of human rights activists in certain areas. They feel very confident that they use email encryption. But what they often don’t realize is that their laptops aren’t just secured at all. And someone who has in their cross hairs, and these guys had just encrypted e-mails then probably it’s a huge people. They’ll just plant a Trojan or a virus or whatever on the device and then get the data form there.

For our customers, whether they have this device or not can mean the difference between life and death in many cases. And so we don’t produce toys, but we produce tools. And we have to be able to stand behind that. The history of this company and the history of the people behind it is one of in-depth expertise in IT security.

JB: So, no iOS?

BR: No iOS, exactly. We’ve been working with Windows Mobile, Windows Phone since 2003. There was an offered platform and we had an agreement where we could actually use that. And now, the other obvious option is Android.

Our phones look just like any Samsung Galaxy phone. But you can see that on top of the regular role of Android communication buttons, you have a second role, which includes the secure equivalent. Here you have messaging. You have secure messaging, secure calls and so on. So you have your complete secure compartment, password-protected of course, for entering encrypted calls, secure storage and so on.

And we also have a few other nifty things like these new things. The baseband firewall constantly monitors what’s going on in the interface. So if someone here were trying to intercept us with an IMSI catcher, the phone would notice and tell you an unencrypted call is not recommended. And the phone will also detect active attacks against the baseband processor using over the air attacks. It’s cutting edge technology just to let you know that someone is actually attacking you.

JB: How often have you experienced even a rogue cell?

BR: Well, I mean I might not be the best guy to ask because my business does of course lead me to all kinds of interesting locations, but I have seen that often.

JB: Really?

BR: And when you’re near certain buildings, you can prove that there are people who are also interested in what is going on inside these buildings.

JB: Wow. But it’s not specifically a government thing, it’s basically corporate espionage?

BR: Yeah. Of course, given that these are the recent weeks, the focus has been on strategic surveillance by government agencies. But I’m actually surprised that no one’s really stressing how much tactical espionage is going on as well. I mean, there are other issues just because the stuff has become so cheap.

When you look at 10-20 years ago, these IMSI catchers or interception equipment was so expensive that it was exclusively made for law enforcement agencies. Nowadays, you can build an interceptor on your own with a laptop, a cheap Motorola phone, and of course some knowledge. But hardware is no longer an issue; just a few thousand euros or dollars, you’re in the game. And that means that the technology has now reached the reach of regular criminals on the street.

And of course, when you look at some of our bankers, our investment bankers, they have a multi-million-dollar transaction pending. They have potentially two choices. They either meet in London for discussing certain confidential aspects of the transaction, valuation, and due diligence and so on. Or they just use an encrypted phone because there have been documented cases where, of course, the temptation for the other side was just too high.

JB: In your experience, obviously, how much should the average person care about the government snooping out of cellular data or metadata? Is it to the extent that it’s as dangerous and upsetting as a multi-million-dollar deal going sour because somebody’s watching you from the closet, or is it just the general background? How important is it for your customers and yourself to guard against that versus, actually, industrial espionage and tactical espionage?

BR: Well, I have broad range of clients of course ranging from government agencies, large corporates, all the way down to private individuals. And of course there are different motivations and different scenarios.

When you look at banks, for instance, or energy companies where there’s also lots of competition in certain areas, there is an obvious business case. That’s easy to justify because these people know that they’re being bugged, either by their local counterparts or other interested parties.

Whereas for private individuals, I guess the question is, what value do you put on your privacy? There might not be a clear-cut case where John Doe on dispute can put a number to that. But I think it really touches on the philosophical aspect in the basic foundations of our society. You should have constitutional rights to communicate for you as everyone else, something into that. In principle, everyone should be protected by the right, but recent events have shown that that is not always enforceable. So, protecting yourself against that by technological measures is one of it.

In principle, that shouldn’t even be necessary. But unfortunately, it’s the same as email. You’d better encrypt your email even though many people don’t. That was a good idea. It’s a good question. And I think maybe what the recent events have shown us is that we’re just at the beginning of it. And we’re in this building in our society, how sensitive that matter really is. I mean, lots of people still post very private stuff on websites that they don’t even realize what the company is providing the services that they’re relying on. These are the full sharing or whatever, what they do with that. You can analyze photos, and I don’t have to tell you it’s possible.

But I think that we’re just at the beginning of heightened awareness where people realize what the risk is by just taking their communication electronically. Up until recently, most people just saw it as reasonably safe and, yes, there is the occasional hacker and blah, blah, blah. For many people, there was implicit trust in the service provider, and I think that is —

JB: Now, the government is the hacker?

BR: Yeah. It’s not just the government, of course. I mean there is also economic motivation for many companies to mine your data and to do with that whatever maximizes their profits. Of course, again, the recent weeks have put a lot of focus on large-scale government surveillance and that’s obviously a huge problem because it touches the foundations of our free society. But there are many other aspects of the game that also should be looked at very carefully from my point of view.

JB: And so, what are some very, very basic things that just average people can do to avoid it? I mean, potentially they should go to your website and buy a bunch of encrypted phones. But just at the very basic level, what should the average person do to protect at least some of their privacy?

BR: Well, getting encrypted phone is never a bad idea, of course. But I guess from a very basic, simple step that everyone can take is just to think twice before you give out your data. Be sparse with your personal data whether that means leaving cookies all over the web. Or whether that means handing over all kinds of documents or other electronic materials to service providers where you might get some value out of it but you don’t realize what price you’re paying.

There are easy steps to take like encrypt your emails. There is free software out there that allows you to do that. You can use to anonymize your browsing and so on and so on. But before you can even take these measures, just always think twice: “Do I really have to give out the data to someone? What are they likely going to do with it? Do they really need it? Do I want to provide the data to that company or to that agency or whatever?”

There are many conscious choices that you can make that people just hadn’t thought about so far because they were not very sensitive about what the consequences of them are today. It’s all the modern intelligence support systems and data mining software. You can just combine all this data in so many ways that are just not foreseen by the average user or the average person on the street.

JB: And how popular have the phones gotten? And you keep selling more and more of these things?

BR: We’ve been in the business for 10 years now. But what we have seen over the last years, it’s definitely again just rising awareness. Even for a small or medium-sized enterprise that does business at certain countries abroad, you just think, “We need to encrypt the phone.” Assuming you have your top salesperson in Beijing and you discuss the best and final offer with the CEO back home here in Europe or in the U.S. or wherever you think “it might be a really good idea to not do that in the open.”

I mean there were just too many of these companies that have noticed that their best and final offer was refused as a competitor comes in at just a few bucks cheaper. And so, we’ve seen lots of increase in these.

JB: Are these financed through Europeans and Americans. Are Europeans more paranoid than Americans?

BR: We’re active in over 50 countries worldwide, and it’s hard to say. Europe is our home market, but the U.S. is also a very important market for us for sure. We have a big presence there. Also in countries in Asia and other regions across the world, so it’s really hard to say.

Of course, again, Europe and U.S.A. are important markets for us, but I wouldn’t say that per se, a specific region is more paranoid than another. Even though, of course, there is, as you’ve probably experienced on your own, there is let’s say a certain attitude towards data protection and privacy here, for instance, in Germany, that goes above what you would find in other countries. But still, privacy is a right that everyone would like to enjoy, no matter what country you’re in. It just maybe makes a difference how immediate you see the threat to that privacy being endangered.

For instance, South America, we hardly have to do advertising because every couple of weeks, there is news that, “This official has been tapped. This industry executive has been tapped. And by the way, here are the juicy details of the latest phone call with the, blah, blah, blah.” So I mean, the people think they’re being tapped.

JB: So you separate out the encrypted actions. Is there a reason why somebody couldn’t do all of their communications with security? Does it just become impractical? Is it more complex for the average person?

BR: Not really. We’ve worked very hard to make sure that an encrypted call is just as easy to make as a normal call. But of course, if you want to enter into encryption, you need to have a partner with the other side that also has an encrypted phone.

So you’ll still have people; your circle of friends, business partners, whatever will just only have a regular phone. And so, with these, you cannot make encrypted calls of course.

JB: So you sell these to CEOs and hang out with individuals. Is there any evidence that more average consumers are getting interested in these categories very much? Like bankers with millions of dollars to transact or extremely wealthy individuals or people with very, very sensitive information.

BR: That appeared to be the case a few years ago. But as I explained, in the past few years, we’ve seen that propagate. Again, 10 years ago, it was large corporations. Now, it’s also small and medium enterprises. And we’ve just recently had people who are just doing business trips and just said, “We’ve had issues with security so I need these things.”