ABI Research recently conducted a survey on the security issues of mobile voice calling, specifically the concern that cellular voice calls can be intercepted and decoded, or that the cellphones themselves can be infected with malware that renders them remotely accessible to a hacker or someone who wants to eavesdrop on conversations.
A Dark Reading article titled "Most Enterprises Ignoring Mobile Voice Security" discusses the findings of the ABI survey. It states that while mobile voice interception and its vulnerabilities are a high concern to the people surveyed, only 18% of respondents have actually implemented mobile voice encryption. One of the key triggers for this concern seems to be the cracking of the A5/1 encryption for GSM voice, announced at a hacker conference earlier this year. In addition, there will be equipment in the sub-$1000 range available to intercept and decode the over-the-air conversations.
I think there will be issues in the deployment of end-to-end mobile voice encryption.
1) The link layer encryption and authentication protocols will be in place and heavily invested in by the carriers and handset OEMs.
2) Additional application layer encryption must be resident and match both ends of a voice conversation, especially in a cell-to-cell call. This will be a challenge given the plethora of handset OEMs and the additional plethora of handset models and OS variants they support.
3) The user experience will need to be completely transparent, including all the key exchange and management. If the user has to do anything more than pick the number and press Send, there will be significant user dissatisfaction. Ultimately the user just wants to have a call, not worry about security or encryption.
It seems to me that the true security concerns do in fact lie on the shoulders of the enterprise, as the report states. The enterprise, whether a government agency or a corporation, has sensitive information and communications that it cannot allow to be exposed due to regulatory or governmental policies, or even national security. Until the technology completely solves itself, evolves, and becomes easy to use and pervasive enough to be fully relied upon, all enterprises with this concern need to take the following measures.
A) Identify the physical areas throughout your offices and locations that represent the greatest threat if information or communications at those locations were to leak.
B) Implement a No Cellphone policy at those sensitive locations. They might include boardrooms, trading floors, stock exchanges, classified information facilities, call centers, security operations centers, executive offices or suites, etc.
C) Deploy a Cellular Location and Analytics system or service, such as from AirPatrol Corp., to detect, locate, and perform detailed analytics within a geo-fenced environment, i.e. the sensitive areas. This system can be deployed as an in-house system or service for 24×7 monitoring, or it can be used as a one-time vulnerability assessment that takes a snapshot over a short period to see how bad the problem may be.
At the end of the day, the enterprise needs to do what they can do. There will be an awful lot they won’t get the wireless operators to do for them. Security is most definitely one of those things (the enterprise services “SI” part of a carrier corporation notwithstanding). Security adds friction to increasing ARPU. The enterprise needs to take ownership over everything occurring within the confines of their domain.
Do you agree with this? Would love to get point and counterpoint on this topic.