You can put in place a corporate policy to restrict the use of sensitive data on smartphones, and you can restrict e-mail access on the phone (not that it's easy to enforce such a policy), but what if all your employees are using very basic cell phones with absolutely no smartphone capabilities? You might think the mobile platform is now completely secure. You're absolutely wrong.
The entire focus of our security policies usually hovers around securing data wherever it is (in this case the mobile). But what about securing the voice conversations? The point is, not all communication is in the form of digital data. A large number of sensitive discussions and decisions happen over conversations on the voice network. What if your competitors are snooping on all the strategic conversations taking place in your organisation? What you have perhaps missed is how easy it is becoming to snoop on voice calls and SMS messages. Now, how do you restrict the use of cell phones? How do you convince people in the organisation to give precedence to in-person meetings over phone calls to discuss sensitive matters? The whole communications paradigm in an organisation is poised to change unless we find ways to secure this weakest link.
The threat perception of any given resource (in this case the GSM network) is directly proportionate to the amount of money it takes to execute an attack or to build a threat to exploit the vulnerability in it. About 80 percent of all mobile connections run on GSM networks, an ageing technology with extremely poor encryption. The 64-bit GSM encryption that was considered cutting-edge in 1988 is no longer sufficient to keep our conversations private. Until 2003 you would have considered your mobile conversations private unless you knew your telecom operator was trying to spy on you. In 2003, however, a team of Israeli researchers uncovered a method by which GSM's encryption code could be cracked, which gave hackers a new avenue to explore. That method required equipment worth over $50,000 and a high level of skill to exploit, so you still didn't need to worry much, as the cost of executing the attack was still very high.
By 2008, security researchers David Hulton and Steve Muller made things easier when they presented at Black Hat a technique for the successful interception and decryption of a GSM stream using $1,000 of hardware and in 30 minutes. Come December 2010, and it is now possible to listen in to any call on the GSM network using just a $15 cell phone, a laptop and open source software.
Are operators aware of this? Of course they are. But to secure the network they'll need investments worth millions of dollars, which, unless made obligatory, no operator would be willing to commit. The Indian government has recently updated its policies on lawful interceptions, increasing the fine from the previous 500 rupees to 2 crore rupees. However, that may not be deterrent enough when you don't need the government to tap anybody's phone and you can do it with the help of any geek.
Thankfully, computer engineer Karsten Nohl only demonstrated and did not completely disclose the latest technique to hack the GSM networks. It was supposed to be a wake-up call for the operators and security professionals to pull up their socks and secure our biggest communication asset before there's another Wikileaks of sorts that puts everyone's private conversations in the public domain. A simpler way to handle the situation is to move to a CDMA network, which hasn't been hacked into, yet.
So the next time you're secretly discussing a job prospect with someone over the mobile phone, remember this: your boss could be listening in on your call!