Voice interception of mobile calls is an invisible security hole that isn’t getting enough attention
Mobile threats have been with us for some time. Most organizations have done a fair job of protecting their important proprietary information, securing emails, encrypting on-board data and using mobile management tools to suppress data loss. All that has made a safer mobile world for many organizations, but certainly not foolproof.
And in fact, one newly visible major mobile security hole has not been adequately addressed: mobile communications via voice. While it’s hard to come up with exact figures, I estimate that at least as much corporate sensitive data is communicated via the voice channel in standard telephone chats as via the digital channel in emails, texts, data access, etc. Conversations about organizational planning discussions, new product directions, business performance and much more all take place regularly on mobile devices. And this is where a new risk, mostly unrecognized by enterprises, is emerging.
In the past, switched circuit technology meant that a hard-wired direct connection existed between the two communicating devices, whether mobile or landline. But as communications technology evolved to digital, direct connect switched circuits mostly disappeared. Virtually all voice communications are now digitized and travel along the same paths and over the same networks that digital data does. Voice is now just one more data stream over IP networks. This makes it highly susceptible to interception by bad actors engaged in competitive espionage, or even worse things. This is especially true when business executives travel abroad, to places where you can be sure that all network traffic is being monitored.
With so much potential for corporate data loss via the voice channel, it is critical that organizations find a way to protect this data. It is also incumbent on device manufacturers and/or third parties to offer methods of creating a secure channel, much as they have done for digital data communications. This need for voice channel protection is what led BlackBerry to acquire Secusmart. BlackBerry is establishing a beachhead in a new battleground for secure enterprise communications.
BlackBerry is currently the only device maker offering a means of closing this rather large hole in organizational data sharing across it mainstream products. While I expect other device vendors and some third parties to join the fray, much as MDM vendors emerged to handle BYOD data problems, it’s not likely to come in the short term. So far, very little emphasis has been placed on this largely invisible problem within the industry. It’s just recently through very public disclosures of intercepted voice communications (e.g., Ukrainian separatists, German government) that enterprises and vendors have woken up to this pressing need.
Some threat mitigation is possible through end-user awareness of what not to say over voice calls and what locations are most vulnerable to interception. But it’s not possible to adequately protect proprietary communications without the appropriate security technology in place. Just as most enterprises would not consider deploying mobile devices for corporate data/email access without some form of device encryption/security management, I believe companies must now focus on doing the same for voice communications on these same devices. And by the way, since many enterprise users are heavy users of texting/SMS, companies should be aware that this form of communications travels over the same channels as the voice communications and is subject to the same interception vulnerability as voice communications.
So what should companies do? Any organization that wants to protect its most sensitive data, including data transmitted via voice communications or SMS/text, needs to focus on establishing secure voice communications capabilities for all their devices, and do so quickly. This is particularly true for mobile devices that may be used in foreign lands, but even at home devices are susceptible to communications interception through network hacking/attacks.
For high-profile executives and those in high-profile organizations who don’t have voice communications channel protection, it is highly likely that someone is listening. Enterprises need to make this a priority security upgrade to their policies and infrastructure within the next couple of years, if not sooner.