Hungary’s CryptTalk boosted by encryption controversy
We’ll send you a myFT Daily Digest email rounding up the latest Cyber Security news every morning.
In his modest office in one of Budapest’s innovation parks, Szabolcs Kun reels off an eclectic list of clients: law firms, commodity traders, television celebrities and dealers in gemstones and precious metals.
“Oh, and we recently got an inquiry from a top European football club,” he adds.
All want the same thing: completely secure telephone calls.
“Football club managers are like commodity traders: both deal in very expensive goods and have to negotiate [by phone],” says Mr Kun, a 34-year-old IT entrepreneur, whose start-up CryptTalk is one of the products making a name for itself in Hungary’s growing technology sector.
It was energy traders in Hungary who, in 2010, first alerted Mr Kun to the increasing threat of phone tapping. “They found prices would mysteriously move against them after agreeing a deal on the phone,” he says.
Mr Kun and Attila Megyeri, his business partner, were experienced telecommunications engineers. As more clients found evidence of eavesdropping, they turned their attention to security when communicating by telephone.
They wanted to provide a software solution, so that customers would not need to buy a second phone or additional gadget to increase security.
Even more importantly they wanted to make sure the software did not have a so-called “back door” that would allow governments or hackers to circumvent security measures. Traditional telecom providers typically offer secure telephony and “call encryption” through a central server, which generates and stores encryption keys.
“This is legally mandated so the secret services can monitor calls [when justified],” says Mr Kun. “But it is also a back door into your system. Even if [it exists] for good control purposes, that door can be opened by the bad guys, for industrial espionage.”
To circumvent this risk, the pair used so-called peer-to-peer encryption, whereby calls and messages are scrambled from handset to handset using software based on a complex algorithm. This generates an encryption code shared only between caller and receiver.
The Achilles heel of such systems is the delay in calls — typically of two seconds duration — that is caused by the encryption-decryption process and can frustrate users. With their specialist knowledge of telephony and “many hours of hard work”, Mr Kun and his partner eliminated this lag.
The two founders have won backing from a clutch of private investors to finance their vehicle, Arenim Technologies. Angel investors are still the most common way for Hungarian start-ups to raise funding, with 37 per cent of start-ups using this route for finance, according to the European Startup Monitor, a study conducted by start-up associations around Europe.
Arenim was registered in Stockholm while the development team remained in Budapest.
“After a long review, we chose Sweden. It has the best privacy laws . . . It’s where the rights to free speech and such stuff are important,” Mr Kun says.
Sweden also has more liberal export regulations than Hungary, where licences are needed to sell security software outside the EU.
Designed to work with Apple’s iPhone, they quietly launched their CryptTalk app in 2014.
“This is a solution with no back door, without any special hardware and, very importantly, even we, the vendors, cannot decrypt calls made using CryptTalk,” Mr Kun says. “If my engineer goes crazy, or gets a big offer from a bad guy — here’s $1m, but help me [eavesdrop] — even in that situation, CryptTalk cannot be hacked.”
Two audits undertaken by NCC Group, a UK-based cyber security and risk mitigation company, in 2015 and 2017, support this claim.
CryptTalk “was found to be secured to a very good standard and no practically exploitable vulnerabilities were found,” NCC wrote.
Commercial progress, though, has been modest: CryptTalk has attracted 15,000 users, half from within Hungary, with revenues last year totalling €0.4m. Prices start from €19.99 per month for a subscription.
Gyuri Karady, Arenim’s business development director, says that a slow start is typical for a new product like this. He argues that businesses, while spending huge sums on computer security, typically fail to show the same concern over their phone calls.
“Most corporates don’t seem to have caught on that they are at risk,” he says.
Arenim Technologies’ 25 staff are now focused on launching an Android-based version of CryptTalk later this year, followed by a drive for international sales.
CryptTalk was at the centre of controversy in March last year when, as part of Hungary’s “war on terror”, a government official threatened to ban secure communications providers, including CryptTalk, for thwarting eavesdropping operations.
In an ironic twist, the very same week the Hungarian Innovation Association — a state-supported body championed by the government — awarded the annual prize for start-up innovation to Arenim Technologies in recognition of CryptTalk.
The hubbub died down after the government decided not to enact the ban.
Mr Kun says he is willing to co-operate on legitimate security concerns with any state — including, if necessary, closing a user’s account. But, he says: “So far, [we have had] zero official request from authorities or governments of any kind to co-operate with them or provide them data.”
Publicity surrounding the government’s threat to CryptTalk last year had a positive effect on sales. Extensive media coverage in the region and globally, led to a surge in users, which jumped 20 per cent from 8,000 to 9,600 in one month.
“It shows the Hungarian government does support start-ups,” says Mr Kun. “We couldn’t have paid for this [kind of] marketing.”