The processing power in cell phones has increased to the point where today’s smartphones would outpace high-end computers of just a few years ago.
As a result, they have become an essential tool in the way we communicate and conduct business while on the move.
Yet, while the role of IT security has focused largely on protecting data, computers and the perimeter of an organization’s IT infrastructure, the security of voice calls is being under-resourced, overlooked or assumed safe — which has been shown to no longer be the case.
The encryption algorithms used to secure GSM (Global System for Mobile Communications) networks today are very similar to those specified in the late 1980s. Although 3G networks often use a stronger cipher, 2G networks (or 3G networks that switch automatically to 2G in poor coverage) routinely use a much weaker algorithm. In some countries encryption is turned off all together.
However, the massive growth in everyday computing capability in the last 25 years means that networks are open to a degree of brute force attack that was never envisaged by the founding fathers.
This coupled with recent information coming from the hacker community and the ability of the internet to distribute ways of attacking phones globally has massively reduced the barrier to intercepting cell phone calls.
This change was demonstrated dramatically in February, when, at a conference in Washington, a hacker published what he claimed to be a viable cell phone hack using open-source software and $1,400 of equipment.
Videos of public demonstrations and out-of-the box open-source software have since been made freely available on the internet and gained widespread media attention.
It is tempting to think that one solution is to simply upgrade the standard of encryption in networks. At an individual device level this would be correct, but the sheer scale of the undertaking — four billion users plus billions of dollars of infrastructure worldwide — makes this at best a long-term project.
There is also some confusion regarding who should be held responsible — the GSM Association, network operators or device manufacturers.
So, the problem of cell phone interception is real, growing and unlikely to be eliminated in the foreseeable future.
For an organization, knowing that phone calls have been intercepted at all is difficult. There is rarely a test that can be done, other than looking at the consequences of a lost deal or secret information in the public domain. In fact, in 2010, the Ponemon Institute found that 80 percent of CIOs admitted they would not find out directly if they had been intercepted.
The problem shows a wide geographical variation, both in the number of instances and in the public perception of risk.
In the United States and mainland Europe, the perception of risk is relatively low. However, travel to Latin America or some parts of Asia, and the perception of an issue has reached the consumer with advertisements on mainstream television for protection equipment.
Yet few executives traveling around the world have taken special measures to secure their cell phone conversations.
Research from ABI shows that 79 percent of companies’ cell phones were routinely used to discuss information that, if intercepted, would lead to material loss to the business. Yet less than one in five had in place adequate measures to address this risk.
Similarly, the Ponemon Institute found that the average cost of significant data loss in Tier-1 American corporations was $1.3 million per incident. Sixty-one percent of companies believed that such losses occurred at least monthly. Cell phones were cited alongside malware and viruses as key means of obtaining this sort of information.
Evidence of this threat is also growing.
The 2005 annual report to Congress on foreign economic collection and industrial espionage stated that 108 countries were involved in collection efforts against sensitive and protected U.S. technologies.
More recent examples include the discovery of a Mexican spy center, which was equipped with a mobile van unit, alleged to be used for intercepting politician, businessmen and journalist phone calls.
The trend for cell phone interception is becoming more widespread, and there is no simple measure on the horizon to fix the problem within the networks. We will all need to get used to the idea that conversations on cell phones are not secure.
Technology is a great benefit, but it only addresses a problem as part of a wider program of secure voice usage.
It is still surprising how many people are prepared to shout out all their credit card details, including security codes, on a crowded train. Similarly, leaving a phone lying around is an opportunity for a dedicated attacker to put a physical bug within the phone itself. Sometimes even taking the battery out is not enough — the battery may be a physical bug with its own built-in transmitter (yes, they do exist!)
Instead, it is a balance of risk.
The objective of any security system is to make the cost of breaking the protection higher than the expected return. A combination of awareness, policy and technology measures is the recommended way to ensure that business stay secure.