Can Vysk's QS1 Smartphone Case Really Make Handsets Unhackable?

Image "Your phone’s operating system is compromised," Victor Cocchia, chief executive of Vysk Communications, tells me point blank. "There are millions of new pieces of malware created each month, and the bad guys’ software will almost always circumvent the good guys’ software. That’s why we do everything outside of the phone." Outside? For most people, a smartphone case is an accessory to (hopefully) keep their screen from cracking when they drop their phone. To Cocchia, it's a piece of high-end security hardware that can solve the problem of vulnerable smartphone software.

His invention is called the QS1, a $230 case for Apple's iPhone 5 and 5s and Samsung's Galaxy S5 that is due to start shipping in the winter of this year, promising "complete privacy".

Cocchia says it was born out of the need to have an encrypted conversation with a Cambridge professor about another product entirely.

“We couldn't talk over the telephone because his phone was most likely hacked because of tremendous commercial applications to it. At the time I was dealing with heads of state around the world, so for sure my phone was hacked," he says.

Cocchia’s certainty that our phones are compromised is likely part marketing spiel, but the vulnerability of smartphone software is real – and the sophistication of mobile malware would surprise many people.

Cocchia thinks that the only way to properly encrypt a smartphone is with a combination of software and hardware. Hence the gigantic black case of the QS1, which includes its own circuitry, batter pack, microphone and shutters for the rear and front-facing cameras.

"The encryption is happening on the hardware chip. The communication then goes through the phone, so this way there's no way for someone who's got control of the phone to hear what you're saying," he says.

"And then we decided just in case any of those were compromised, we would put a mechanical device on the phone that physically jams the microphones."

Physically jamming the microphone is what Cocchia calls “lock-down mode” where, even if the microphone is turned on remotely, the hacker can’t listen to whatever it picks up.

Cocchia is an excitable character who clearly relishes the chance to make definitive statements – including telling the Guardian that the QS1 is "the most secure form of communication in the world".

So much so that "agencies" are already buying it, and that he's already supplied three presidents with the case. An assertion that's impossible to prove, given his (understandable) unwillingness to name them.

Calling your product "unhackable" is quite a claim, though: most other mobile security companies have shied away from that kind of statement, including the QS1's most obvious competitor: the Blackphone.

That handset's main vulnerability is its baseband – the black box that communicates with cell towers, and has low-level access to the device's microphone and GPS, which the Blackphone does not encrypt.

Cocchia claims that the QS1 protects its owners because all its encryption happens outside the phone, leaving no metadata trail. He adds that Vysk does not collect any information, so cannot be forced to hand over data to governments if requested: it simply doesn't have the data to hand over.

The Guardian spoke to four security experts about Vysk's claims, and none could point to an obvious flaw in the QS1 that could be exploited by hackers. On the face of it, the device looks solid, although without properly testing it, that can't be proved.

Egemen Tas, vice president of engineering at security specialist Comodo, called for Vysk to release the source code for public scrutiny.

"In order to gain the confidence of private, anonymous or sensitive users and have a wide spread adoption, they should make their core technologies open source and open to an independent audit," said Tas.

"This will allow us to see if they have introduced some sort of an innovation which turns iPhones and Android phones into secure phones used by certain government agencies, or if they’ve introduced a new VOIP network which offers a certain degree of call encryption and anonymity."

Cocchia told The Guardian that Vysk does have plans along these lines, but that he is currently unsure how much will be released, and when. (Jay McGregor,
Last modified onSaturday, 06 May 2017 10:07