Establishing Digital Trust: Don't Sacrifice Security for Convenience
Gold Line Groups Hacker Challenge has a cartoonish James Bond aspect to it that begs a bunch of hard questions, but it also has a deadly serious side.
The Israeli company invited hackers, cyber spooks, and industrial espionage geeks to try breaking its new Gold Lock 3G cell phone encryption system. Anyone who succeeds wins a cool quarter million dollars in gold ingots.
The software, launched in mid-2009, is already used by the Israeli military to scramble field communications. South American moguls are using it to prevent kidnap gangs eavesdropping on their conversations. Life and death stuff.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iBut Gold Lock 3G, which the company launched in North America late last year, can also be used by organizations just looking to protect trade secrets from prying ears.
The software encrypts voice conversations, SMS messages, instant message conversations and file transfers to and from Nokia, Windows Mobile, BlackBerry, and iPhone mobile devices.
Phones at both ends have to be running Gold Lock 3G. List prices start from about $35 a month per device, or $1,700 for a perpetual license.
The software does introduce a level of latency in voice conversations typically about a second but the companys North American channel manager, Douglas Haskins, insists users barely notice or, if they do, adjust easily.
Software such as Gold Lines takes on added significance now with recent news that a German encryption expert succeeded in breaking the native 64-bit protocols used by GSM carriers to encrypt cell calls.
In the past, says Haskins, industrial spies would have to spend $80,000 or more on specialized equipment to intercept and decrypt cell phone conversations.
Now they can use a laptop and $100 worth of software.
It could be somebody sitting outside your business or your house they can be a couple of hundred of yards away, or in a nearby cubicle, Haskins says. So its very serious. If youre talking about sensitive information its wide open now.
Gold Line claims that between 2,000 and 3,000 hackers, including security organizations, have taken a crack at breaking its system. The company bumped the prize from $100,000 to $250,000 in November, and renewed the challenge recently.
Final deadline for breaking the Gold Lock 3G system: February 1, 2010.
All hackers have to do is unscramble a Gold Lock-encrypted conversation that the company intercepted and recorded using commonly available call sniffer technology and posted at its Web site.
(To find out how to participate, see this page at the company's site.)
On the line
Theres more at stake here than cash, of course. Theres also Gold Lines reputation.
If someone does decrypt the conversation, the company will have egg on its face although Haskins tries to spin it otherwise.
If it happens, [it means] theres one really smart guy out there and a lot of hackers are really smart, he concedes.
I think if it does happen, the way we look at it is that it gives us the opportunity to make [Gold Lock 3G] that much better. We already have by far the best product out there. We not only have the confidence to issue this challenge, but were prepared to take [it] even a step higher.
Haskins says Gold Lock 3G is superior to comparable products from competitors, such as Cellcrypt because it uses a unique three-layer system.
It starts with automatic handshaking between devices using DiffieHellman key exchange protocols. Then the software uses the same AES-256 (Advanced Encryption Standard) used by the U.S. government for top secret communications. Finally, it re-encrypts the already encrypted data using 384-bit Elliptic curve cryptography (ECC).
Its just off the charts, Haskins says of the effort that would be required to break the system. Even if you could break AES-256, then youd have to work on the 384-bit [ECC].
The company claims an independent auditor estimated it would take hundreds of years to break the system using brute strength methods. But encryption systems have been broken before using cleverer techniques.
Are hacker challenges like Gold Lines anything more than flimsy publicity stunts? How legitimate are they really?
For example, to what extent does putting a four-month time limit on the challenge tilt the board in the developers favor. After all, if some cyber snoop breaks the system on February 2, the implications for users relying on the product are just as dire but with no negative publicity.
And notwithstanding the very attractive prize, has the challenge really brought all the best talent out of the woodwork? Would criminal hackers, for example, risk registering with Gold Line to participate?
And then too, how would we ever know if somebody actually succeeded in breaking the Gold Lock system? Isnt it possible Gold Line would decide to just pay off the winner and keep it quiet while it fixed the vulnerability?
Certainly the company wouldnt be stupid enough to stiff a successful hacker, Haskins says. For one thing, participants in effect enter into a contract with the company. Besides, it would be too easy for the person to go public with the information and embarrass Gold Line even more.
It would cause more damage to try and hide the fact than it would to admit it and fix the product, he says.
But couldnt Gold Line make them sign a non-disclosure agreement to get their loot and keep it all on the QT?
Yet another scary thought: if a criminal hacker did participate and succeed, might they decide the information was more valuable on the black market? How much would Al-Qaeda or the Iranian secret service pay to be able to eavesdrop on the Israeli military?
Gerry Blackwell is a veteran technology journalist who writes from Canada, Italy, and Spain.