|Topic:||Attacks that leave no trace|
Richard Greco is CEO of Cellcrypt. Mr. Greco has over 30 years of global experience in the internet and telecommunications industries such as Bulldog Communications Limited and ICO Global Communications.
Richard is Chairman and CEO of Treasure Investments Limited.
Using unsecured smartphones could be exposing your organization to attacks that leave no trace. The risk of cellphone interception has been increasing steadily as equipment has become readily available that can intercept mobile calls in real-world environments. Unsecured mobile communications leave transmitted information vulnerable to attack and exploitation. However, voice call encryption solutions for smartphones can eliminate potential vulnerabilities.
Cellphone calls are vulnerable to interception, not just by unauthorized agencies of foreign countries or well-funded criminal organizations but also by a new and emerging threat from hackers who have developed equipment to intercept voice calls for as little as US$1,500. And now anyone can get hold of this technology.
Knowing whether cellphone calls have been intercepted is difficult. You may not even realize it has happened until you have to face the consequences of a lost deal or sensitive corporate information splashed across the headlines. Or you may never find out.
So then why do people continue to share sensitive information over their phones, unprotected, putting confidential business and private information at risk? Why don’t companies and organizations implement policies mandating the use of encrypted voice security for all sensitive discussions?
Cellphones are used every day out of convenience or necessity for all kinds of discussions. Everybody has at least one, reception is pretty good these days and many of us practically live our lives on our smartphones.
We all assume that cellphone voice traffic is fairly secure but that does not mean that someone who wants to intercept your calls can’t still do so. And that ‘someone’ is no longer limited to a small pool of professionals or agents using expensive interception equipment, but could be almost any individual or entity with sophisticated hacking tools that have become more accessible and far less expensive.
Cellphone calls are at risk
Although the standard encryption deployed by carriers, such as A5/1, promises to keep calls confidential, it suffers from a variety of implementation weaknesses including: (a) not being consistently implemented along all segments of the call route, (b) weak encryption algorithms, and (c) vulnerabilities in key management. Although cellular carriers may implement security measures to protect calls when the call path is wholly within their control, they are unable to guarantee the security of calls beyond the edge of their networks.
Since a multi-operator call, such as an international call, may involve multiple service providers and cross telecommunication infrastructure in several countries, all operated by different companies and subcontractors, it is impossible for one service provider to guarantee end-to-end call security using the existing global public phone network.
Hackers exploit known weaknesses
The risk of cellphone interception has been increasing steadily since 2009 when it was widely reported by The Washington Post, The New York Times, the BBC and many others that hackers published freely available software for cracking standard GSM call encryption, used by 80 percent of cellphones, and had begun developing and demonstrating interception equipment costing under US$1,500. A simple Internet search on ‘cellphone interception equipment’ yields a surprising number of low-cost options. The call hacking solutions that appear leverage the vast increase in computing power in ever cheaper hardware, making interception more widely available to known attackers, as well as the new threat sources that previously would not have been able to access or afford equipment costing many hundreds of thousands of dollars.
Multiple interception threats
Several types of equipment for both active and passive attacks have been demonstrated to intercept mobile calls in real-world environments. Much of the research and equipment is available online for anybody to build and use.
In an active attack, a radio scanner is used to intercept and manipulate the radio signal between the cellphone and the cellular base station tower. It pretends to be a fake base station that manipulates the cellphone to attach to it, after which it forces the phone to turn off standard encryption and record calls that route through it.
A passive attack uses a radio to receive calls over the air and decrypts the standard encryption without manipulating the cellphone. Passive attacks are more dangerous because they are undetectable.
Another common method of attack exploits the internal infrastructure of telecommunications networks, which can often prove to be the most vulnerable part of the call path. Cellphone communications are in the clear (unencrypted) once they hit the core networks within carriers and can be intercepted by internal staff who may have been bribed, threatened, coerced or even joined the company specifically to facilitate an attack. In a recent example, a technician with one of Lebanon’s main mobile network providers was arrested for allegedly spying for Israel for more than 15 years.
Protect against voice call interception
Although few would admit it, a vast amount of sensitive information is relayed every day on our cellphones. Today’s mobile smartphones certainly can make workers more efficient and effective but if calls are not encrypted end-to-end, it can place an organization at risk. Motivations and threat sources for interception vary from corporate espionage, to unauthorized foreign state-sponsored agencies and organized crime, as well as hacktivist groups and unscrupulous journalists looking to break a story or even to create a scandal.
Top-secret conversations within the government and military have long been protected using specialized communications equipment, but to most organizations this solution is simply too expensive, cumbersome and inconvenient for all calls and users.
Encrypted voice calling for everyone
Wouldn’t it be wonderful if we could communicate over our cellphones without fear of interception?
The inherent cellphone vulnerabilities described above mean that for the security-minded, the most effective way for callers to have assurance that their voice communications are safe from eavesdropping is to use an end-to-end encryption system. Using voice call encryption solutions on the smartphone eliminates these potential vulnerabilities and can be as simple to use as making a normal call. This is important because if the system is not easy to use, then people won’t, even if there is an operational security policy in place that says they must.
By deploying a downloadable software application for encryption, your organization can add a secure communications capability that is accessible to all the people who require it on off-the-shelf cellphones. Ensure it uses end-to-end encryption that has been validated by a third party, such as a government accreditation, and your organization can then place calls and establish a government-certified security connection that work everywhere the phone does, over cellular (CDMA and GSM), satellite and Wi-Fi networks.
Hardware-based solutions are available too, but can be inconvenient to deploy or replace if handsets are lost or stolen. Managing the hardware also adds a whole new physical logistics challenge for most organizations. Also hardware solutions based on SD cards will not work on iPhones which do not support this technology. Typically, a software-only solution can be deployed and re-deployed rapidly over-the-air in a matter of minutes. And by choosing a solution that is compatible between a broad selection of popular devices and operating systems, it is more likely to enable your organization to continue to use existing devices or even incorporate a Bring Your Own Device (BYOD) policy, without incurring additional hardware costs.
Keeping all conversations confidential
Look for solutions that allow you to communicate securely and easily, without changing your organization’s normal calling routine. For example, solutions that interface with office phone systems will also be able to connect to landlines as well as securely access standard PBX (Public Branch Exchange) features such as voicemail, conference calling and calling out to the public phone network.
Let’s look at conference calls in particular. These are more vulnerable to interception. As workers become increasingly mobile, key conference call participants are often out of a secure office location when they are required to join a conference call. From board meetings, intellectual property discussions, high value business deal talks to crisis management calls, organizations like yours depend on conference calls to run their daily operations so these calls can represent an aggregated risk.
Don’t ignore the risks
As communications technology has proliferated, so too have the methods and tools of attack, offering adversaries easy access to a world of information. In an era where we need to share information rapidly to get our jobs done, and with sabotage on the rise globally, unsecured mobile communications leave the transmitted information vulnerable to attack and exploitation.
Never assume that calls are secure, unless you have implemented measures specifically to protect calls end-to-end. Anybody who has information that they perceive to be valuable, and wants to prevent it from getting into the hands of known or unknown foes, should address this risk now. Establish a policy and raise awareness of the threat within your organization. We already protect our email, and other data – the time has come to secure our voice.