Securing mobile devices has never been more important we talk with Alf Kenneth Braathen, Chief Executive Officer and Jon Fredrik Baksaas Investor and advisor of Rosberg on how to eliminate these threats.
New European Economy: With the proliferation of smart devices in recent years, cyber security has become a bigger issue than ever. What role does Rosberg and it’s Verji protective software play in this environment?
Rosberg addresses the vulnerabilities in the GSM standard for mobile networks. We target 3 serious weaknesses which is used by organised crime, within industrial espionage and even for surveillance by governments. These 3 vulnerabilities are the “loophole” in SS7, fake cell towers (IMSI Catchers) and silent SMS.
SS7: We often make the mistake of comparing infections on smartphones with infections on computers. In fact, for the most part, they are radically different. In smartphones, infections sometimes don’t even have to be on your phone at all… A recent episode of 60 minutes by CBS showed how German scientists could tap into and record all calls and messages sent and received from a US Senator’s phone. How did they do that? They did that by exploit- ing a weakness in the system that connects all Telco’s worldwide together, called SS7.
Your smartphone might be infected, and you have no way of knowing.
The weakness in the SS7 has been well known for a long time, and the Telco`s take measures to stop misuse, but due to the GSM standard it is very hard to stop all attempts of misusing the weakness. This opens up the for the possibility of industrial espionage and surveillance by intelligence services. This means that nothing needs to be amiss on your phone – and you can still be spied on. This is why encrypted speech, encrypted messaging and encrypted file transfer is so important. You simply cannot know or under- stand that you are being spied on as it happens somewhere out of your own control.
The encryption ensures that your communication is safe, as it is encrypted so heavily that there is no known method of decrypting it. And does it stop there? No… It gets worse…
Fake cell towers/ IMSI catchers: There are eavesdropping devices readily available the so called IMSI-catchers. These devices were originally made to harvest information about which mobile phones were in their vicinity, but have through many years evolved into advanced spying devices. Their prices have also dropped from several hundred thousand pounds apiece to a mere 180 pounds as a start- ing price. The size has also shrunk from boxes that needed a big vehicle to conceal them to boxes the size of a pack of cigarettes.
The IMSI-catchers were for many years, devices used exclusively by the military and police in the western world. As such they were not talked about as they were a good way to spy on potential perpetrators. However, this has changed. There are advanced IMSI-catchers manufactured in China for sale for a few hundred pounds, and the company manufacturing them claims they can deliver 10 000 units a month. This means that these devices are no longer exclusively used by the military and police, but as much or even more in industrial espionage and criminal activities.
These devices are used to spy on people’s whereabouts, and as an attack platform to attack smartphones and directly bypassing any security the Telco may have in place.The really bad thing is that they normally don’t attack the smartphone’s operating system, like Android or iOS, but attack the modem and SIM-card, and insert their spying software there. The smartphone has no ability to detect any spyware residing in these lower levels of the phone, and the spy software can gain access to all your files, e-mails, conversations, messages, record your conversations, and turn on the microphone and camera to record at will.
The only thing a hacker will need is your cell phone number, then the hacker can send a silent sms and infect your cell phone with malicious code.
This is why we developed an advanced system on the Android platform that works at the back of the secure messaging and speech app, and warns you if an IMSI-catcher is targeting your smartphone. You’ll know when you have been targeted, and can protect your phone by going to flight mode or turning it off. The security in the modem and SIM-card is a lot different than in the iOS or Android system itself, and since many of the standards they need to conform to is from the 1980’s, attacking them is not as hard as one might imagine.
Silent SMS attacks: An SMS can contain code that can infect your smartphone, and can also be sent as a service SMS (silent SMS). A service SMS is not visible for the user of the smartphone.
- Monitor all activity and content on your smartphone.
- Remote activation of your microphone and camera
- Localising you, geo-fencing.
- Destroy the smartphone.
The only thing a hacker will need is your cell phone number, then the hacker can send a silent SMS and infect your cell phone with malicious code. In fact, advanced attackers can infect thousands off phones based on phone number lists, within hours. Afterwards the hacker can listen to your calls, get your SMSs, E-mails, passwords and even turn on the microphone and camera to conduct remote surveillance and there is nothing you can do to stop it.
Silent SMS (Operator SMS) – was originally designed to ease the Telco’s work when they amongst other things wants to provision your phone, when tracking you and also providing information to your phone when you are roaming about which provider to choose. This technology was first used in 1995. There are other ways to attack your phones modem, in addition to silent SMS. Among them hackers can use Hayes Commands and Binary SMS. We are not going into detail here, Verji SMC also protects against these attacks’
The challenge is not the government using the vulnerabilities on mobile networks, the real challenge is industrial espionage, organised crime or even foreign governments. We solve these security challenges, and is to our knowledge the first company to have devised a scalable software based solution for mobile phones.
New European Economy: What are Rosberg’s main products? And who are its target customers?
Rosberg`s main product is Verji SMC (Secure Mobile Communication). Verji SMC addresses the following security challenges in Mobile Communication: The general problem of how easy it is to listen in on communication, using e.g. the SS7 vulnerability.
- Fake cell towers (IMSI Catchers)
- SMS attacks including silent SMS attacks.
- Verji SMC is module based and consists of: Module 1:
- End to end encrypted messaging. Send and receive messages included all kind of attachments with superior security without worrying about others getting hold of the information.
- End to end encrypted voice calls. Talk secure without worry, no one can listen in.
- Module 2: Protection against fake cell towers including IMSI catchers. Don’t worry about fake cell towers/ IMSI catchers, you are protected.
- Module 3: Protection against SMS/silent SMS attacks Your phone is protected. Don’t worry about infections you can’t see or stop
New European Economy: What kind of clients does Rosberg work with? What are some of the projects you have worked on with them?
Rosberg`s clients can be divided into two main categories’. The first category is security conscious customers which want to protect against eavesdropping and loss of information to attackers using the infections and surveil- lance methods described above. These sectors include Government, Finance, Law firms, Energy companies and all types of Corporations that are e.g. involved in tenders or have an R&D department. We work with the C-level management of these companies, usually head of Risk Management or CISO which are the ones that increasingly address and assess such threats. The second category is customers that can increase efficiency and improve documentation by implementing our technology. The security provided is the enabler for these customers to be able to implement electronic communications in work operations which was previously handled manually.
The health sector is one example. For instance, we work with the Childcare System which have seen a huge improvement in both efficiency and documentation by implementing the Verji Technology. The pain point for the Childcare System is that they are not allowed to send sensitive information (e.g. report from meetings with families) by other means than regular post. The consequence of this was that a lot of reports were written every second week when workers had a “report day” sitting in the office writing reports. Of course, the accuracy of the reports suffered due to this method, and there were no documentation on whether the players in the report have received it, read it and the most important thing, actually agreed with the content, which again gave problems in court cases. Today this is changed, the reports are done electronically in the meeting, electronically approved by the attendees and sent to the central filing system. The people working there says it`s like coming from the stone age to the modern world. This is possible because Verji works in compliance with encryption and security regulations of the health sector in Norway.
New European Economy: How do you envisage the company growing as the world of cyber security evolves?
Rosberg’s market approach is based on Gartner’s surveys and analysis. According to GARTNER there will be over 30 billion devices connected on mobile networks within 2020. According to Cyber Security Ventures, the marked for Cyber Security is expected to grow from 77 billion dollars in 2015 to 170 billion dollars within 2020 due to the exploding growth of Smartphones.
Security is the key to make this happen. Securing mobile devices is still “in the early stages”, the market for security on mobile phones can be compared with developments in the market for antivirus programs for PC. In the beginning, only the especially interested bought it, today every PC is protected with a virus program. Rosberg is addressing this market by selling Verji SMC through distributors/ integrators/vendors across Europe and in the future in the US, as we believe this market will evolve over time
For more information : www.rosberg.com