Protection against Eavesdropping of Cellphones

19.09.2011

The adversary - such as a secret service, for example - always likes to listen in. Anyone who makes mobile phone calls must take that into account. Both private companies and government agencies are well advised to ensure that company-internal matters do not end up in the wrong place at the wrong time. The Duesseldorf company Secusmart knows how top managers, politicians and other people carrying sensitive information can be protected against the ever-present threat of interception of mobile and ordinary phones. Their solution, 'Secuvoice', is approved for the 'VS-NfD' and 'NATO Restricted' security levels. Matthias Erler of GIT-SECURITY.com spoke with Dr. Hans-Christoph Quelle, founder and Managing Director of Secusmart.

Dr. Quelle, the smart phone is everyone's closest companion these days, and as a carrier of secrets it is an interesting device for spies. Who is actually listening to whom?

Dr. Hans-Christoph Quelle: For the one part there are classic attack scenarios that everybody knows - these include legal interception by the law enforcement agencies or the intelligence services of various foreign countries. These latter are frequently ignored by industry, by the way. Additionally there is also the - nowadays affordable - technology that allows private individuals to listen to each other.

But how big is the danger really? Can it be quantified?

Dr. Hans-Christoph Quelle: Generally there is no clearly identifiable enemy these days, insofar as there are no access restrictions to the various bugging methods anymore. The danger scenarios have in a way become more abstract, but the danger itself more concrete. There are studies, for example from Ernst & Young, that demonstrate this. Interestingly, two-thirds of companies questioned today don't feel safe anymore with regard to eavesdropping. Awareness of the problem itself has therefore risen but also of the fact that you can do something about it, in particular because the financial and technical hurdles are no longer so high. The comprehensively organized work of the secret services is still based on collecting and evaluating the entire information flow of the respective company. Protection against eavesdropping becomes a million times better just by using encryption technologies alone.

There are however various different attack scenarios - via the radio link, in the transmission network and by using a false call number. Let's start with the radio link.

Dr. Hans-Christoph Quelle: If someone is using a mobile phone, someone else can stand in front of the house with the appropriate equipment and record the entire radio link communication between the base station, that is, the radio mast of the provider or roaming provider, and the mobile telephone. Modified phones are available to do this. The result can be decoded and evaluated. But the technology is also now available to enable live monitoring of conversations. The encryption between the phone and the base station is no longer secure, and is easily cracked with simple open-source codes: the keys that are used have all been pre-calculated so that a fast computer can try out all the keys in the shortest time. These days, anyone can obtain this equipment, not just the secret services and law enforcement agencies.

Then there are the wired transmission network and the deception scenarios?

Dr. Hans-Christoph Quelle: The wired telephone network is totally unencrypted so monitoring at the interfaces can be carried out without a problem. A very different type of spying however, that should perhaps instead be called 'Social Engineering', is call number deception - this is acting under a false identity. It is possible with almost every telephone system in which the number to be transmitted can be set. That also applies to VoIP telephony: you can enter any number when logging in. There are even providers that allow you to freely choose a number call-by-call. In this situation I am called and expect someone else on the other end. In large firms, for example, where you wouldn't necessarily recognize somebody by their voice, a call can supposedly come internally from Accounting and ask for the quarterly results and other confidential matters, although it is actually bogus. Known voices can be imitated, and not only by professionals like Jay Pharoah, Rory Bremner or Ronni Ancona - the secretary trusts the voice, and makes the connection. From this we can deduce that security must consist of two things: firstly, the encryption of the content so that nobody else can monitor the information; secondly, you have to be sure of who you're speaking to.

You're now providing a solution for the widely-used smart phone telephony. What is this solution based on?

Dr. Hans-Christoph Quelle: Our solution uses the opportunities that end-to-end encryption offers and the end-to-end authorization of the two parties. Then each end of the conversation has the security in his hand. There is a continuous communication route in between for telephony, for SMS and e-mail. We therefore secure the communication with two separate measures: with certificate-based authentication and end-to-end encryption. Only these guarantee really secure communication. If the conversation between two cellphones is encrypted at one end and decrypted at the other, the 'man in the middle' has no chance. And the reassurance that I'm speaking to the right person comes from certificate-based authentication.

How does certificate based authentication work?

Dr. Hans-Christoph Quelle: The principle is known from e-mail that can be digitally signed. In the background is a complex cryptographic system with which the recipient can ensure that the mail actually comes from you. Such processes rely on certificates and the same can now also be done with other forms of communications such as SMS. When the connection is established, both participants exchange their certificates so that they can ensure the authenticity of their counterpart. This functions like a trust center with the help of a Public Key Infrastructure (PKI). A trustworthy body functions as the certification authority. The government agencies work with such an organization and we at Secusmart offer to be the issuer of the certificate for private customers - the customer can also do it themselves, but this is quite complicated and is therefore hardly ever done.

In what form is this implemented for the customer?

Dr. Hans-Christoph Quelle: The functions mentioned above are carried out by a smart card chip. This provides a mobile security anchor that cannot be hacked. It works on the principle of asymmetric encryption with a private and a public key pair. We have implanted the chip in a micro-SD card that can be inserted into conventional smart phones. The smart card chip looks after the complete authentication and encryption processes - viruses and trojans don't have a chance. Only the chip knows the private key. We currently offer this system for Nokia mobiles, such as those used by the government agencies, and Blackberry and Android devices will be added soon.

Dr. Quelle, many thanks for the conversation.

Contact

Secusmart GmbH

Heinrichstr. 155
40239 Düsseldorf

+49 211 44739 0