A new fingertip-sized voice encryption chip could lead to broader adoption of mobile device voice encryption.
Next month, KoolSpan will release the TrustChip, a US$300 encryption chip in an SD memory card form factor that end users themselves can slide into any Windows Mobile or Symbian device with an SD card slot.
The TrustChip automatically encrypts voice data when an end user calls another TrustChip-enabled phone.
"It creates a secure encryption key session between two devices with chips," said Tony Fascenda, CEO of KoolSpan, a vendor of embeddable encryption technology.
The market for voice encryption on mobile devices has been limited so far in the US. Experts say the technologies on the market tend to be expensive and unwieldy.
A KoolSpan-sponsored survey of 219 IT managers published last August revealed that 44% of respondents were aware that voice communication on mobile and cellular networks is not secure, but only 8% had actually deployed a secure voice solution.
"There's a general trust for carriers in this country," said Jeff Stern, vice president of business development for KoolSpan. "There is a well-defined process by which the government can tap a phone if it wants to, and the bad guys generally don't have access to carrier networks. In other countries, the lines are blurred."
But enterprises outside the United State are much more aware of the vulnerability of mobile voice conversations to eavesdropping.
In Italy, for instance, government officials, celebrities and members of the royal family have all found the details of private mobile phone conversations leaked to the public recently. And two years ago, Greek citizens were shocked to learn that the mobile phones of about 100 people, including the country's prime minister and his cabinet, had been tapped for more than a year by unknown parties, possibly foreign intelligence agencies.
"Many of the same attacks that occur overseas can occur here," Stern said. "A lot of tools for committing these attacks may be illegal here, but they can be obtained online."
Nick Selby, senior analyst and director of enterprise security at The 451 Group, said the TrustChip is more affordable and easier to use than other mobile device voice encryption technologies on the market.
"It would first be of interest to vertical markets that are highly regulated or highly competitive and so subject to industrial or corporate espionage," Selby said. "Also, if you're a CEO going into China or going to Europe, you want to have encrypted voice capabilities."
There are several specialised vendors that modify mobile phones with embedded encryption, but these "spook phones" don't measure up, Selby said. To begin with, they can talk only to similarly modified phones, while TrustChip phones can call anyone. The TrustChip encrypts voice only when the phone calls another TrustChip phone. The user will see an icon on his display that informs him that the call is encrypted.
"If you were to go with spook phones, those are in the neighbourhood of US$1,500. They tend to be older hardware, '90s-era Nokia phones," Selby said. "They are extremely expensive, and they are limited in functionality."
Other vendors offer software-based encryption services for mobile devices. Selby said one leader in this method is the German whole-disk encryption vendor Utimaco Safeware. Selby described the Utimaco approach as effective but daunting.
"You have to have an enterprise that is standardised on a certain kind of device," Selby said. "Then you take the corporate image of the operating system for that device and send it to [Utimaco]. They reprogram it so that it has encryption models. Then they send it back to you and you flash it onto everyone else's handsets, but you loose the address books and calendars and everything else because you're reflashing everything onto their phones."
The TrustChip platform consists of three main components, Fascenda said. The chip, with its embedded encryption software is the first piece. The second piece is TrustCenter, a Linux-based management server that allows enterprises to manage chips, create groups and set policies. The third piece is the TrustChip software development kit (SDK), which will allow third parties to connect the encryption technology to other mobile applications.
Selby said the SDK will allow third-party developers to extend the chip's software to encrypt mobile email, instant messages and other business applications. The SDK could also allow developers to extend use of the TrustChip into other devices that accept an SD card, such as laptop and desktop PCs.
"If you can push it to email and other applications, now you're talking about mainstream adoption, such as the financial industries, insurance, healthcare," Selby said. "This would have widely horizontal legs."
A management feature of the platform, known as TrustGroups, will also spur new interest in mobile device encryption, he said.
"TrustGroups totally reduces scale. Rather than having an encryption key unique to each user, what we've done is assign a TrustGroup a very large collection of keys. That collection is given to all users that belong in a TrustGroup," Fascenda said. "So if you're in an organisation, say an oil company, everyone in that enterprise would have the same TrustGroup key. The enterprise could create a second group to secure communication with suppliers and partners. And only the members of the enterprise that have to deal with those suppliers would be in a TrustGroup with those suppliers."
"This sets up granular control over which groups trust which groups," Selby said. "Let's say you have 12 people in a company. Three are in management but just one guy in management talks to the company's venture capital firm. The venture capital can talk to his contact with the company, and no one else in the company can hear that. And those three guys in management can talk to each other, but the rest of the company can't hear those conversations."