Shostack + Friends Blog Archive

 

AT&T, Voice Encryption and Trust

Yesterday, AT&T announced an Encrypted Mobile Voice. As CNet summarizes:

AT&T is using One Vault Voice to provide users with an application to control their security. The app integrates into a device’s address book and “standard operation” to give users the option to encrypt any call. AT&T said that when encryption is used, the call is protected from end to end.

AT&T Encrypted Mobile Voice is designed specifically for major companies, government agencies, and law enforcement organizations. An AT&T spokesperson said it is not available to consumers. The technology is available to users running BlackBerry devices or Windows Mobile smartphones, and it works in 190 countries.

Organizations interested in deploying Encrypted Mobile Voice will need to pay an additional fee to do so. AT&T said that cost depends on the size of the deployment. (“AT&T improves service security with encryption

Jake Appelbaum and Chris Soghoian expressed skepticism. (“From the company that brought you NSA wire tapping, they thought you’d also like….” and “If you trust AT&T’s new voice encryption service, you are a fool.“)

What’s funny (sad) about this is that there are a number of software encrypted voice systems available. They include RedPhone, CryptoPhone and zFone. Some of these even work on pocket sized computers with integrated radios. But Apple and AT&T won’t let you install alternate voice applications.

A lot of people claim that these restrictions on what you can do with your device just don’t matter very much. That you can really get everything you need. But here’s a clear example of why that isn’t so. Voice encryption is a special app that you have to get permission to run.

Now, maybe you don’t care. You’re “not doing anything wrong.” Well, Hoder wasn’t doing anything wrong when he went to Israel and blogged about it in Farsi. But he’s serving 20 years in jail in Iran.

Now is the time we should be building security in. Systems that prevent you from doing so, or systems that reset themselves to some manufacturer designated default are simply untrustworthy. We should demand better, more trustworthy products or build them ourselves.

[Added: I’d meant to include a comment about Adam Thierer’s comment “The more interesting question here is how “closed” is the iPhone really?” I think the answer is, in part, here. There’s a function, voice privacy, for which AT&T and three other companies think is marketable. And it doesn’t exist on the iPhone OS, which is the 2nd most prevalent phone platform out there.]

[Update 2: Robert and Rob rob me of some of my argument by pointing out that AT&T now allows you to install voice apps, but none of the encrypted voice apps that I’d consider trustworthy are available. (I exlude Skype and their proprietary & secret designs from trustworthy; it’s probably better than no crypto until you trust it, then it’s probably not good enough to really protect you.) Maybe this is a result of the arbitrary rejections by the Apple app store, but when I look for zfone, redphone or cryptophone, I see a fast dial app and some games. When I search for crypto, it’s all password managers. So while I’m no longer sure of the reason, the result remains. The iPhone is missing trustworthy voice crypto, despite the market.]

2 comments on "AT&T, Voice Encryption and Trust"

  • Robert M says:

    “But Apple and AT&T won’t let you install alternate voice applications”

    This information is out of date. Apple has gotten a clue; several VOIP apps are on the App Store today. But of course, this doesn’t mean they won’t reverse course again in the future — and that, I suspect, is your real objection. Am I correct?

  • Rob Sama says:

    “But Apple and AT&T won’t let you install alternate voice applications. ”

    You are correct. I have Skype on my iPhone. And Google Voice was apparently approved for use as well.

Comments are closed.