Experts say a series of emerging threats, including a recent crack in the GSM encryption algorithm, poses new dangers to enterprise voice data security.
With more company business being done on mobile devices, personally identifiable information (PII), intellectual property and trade secrets are at greater risk of theft by attackers using GSM interception software, which became readily available after last year's encryption crack. Other voice data risks exist as well, such as mobile device users being unaware of who is around them when they talk.
"People are lulled into acquiescence, a false sense of security," said MacDonnell Ulsch, president and chief risk analyst at Boston, Mass.-based ZeroPoint Risk Research LLC. This false sense of security leads people to say things that perhaps should be saved for a more secure, or face-to-face location, rather than in a public place where conversations can easily be overheard.
Ulsch was part of a panel of experts, led by Larry Ponemon, chairman and founder of the Ponemon Institute LLC. The panel convened via teleconference Wednesday to discuss the threat of data loss from improper voice communication practices, an issue that, until recently, few enterprises treated as their problem.
While government agencies need to be especially concerned about threats against mobile communications, the risks are now spreading into the enterprise, said Simon Bransfield-Garth, CEO of CellCrypt Inc., a mobile security company headquartered in London.
It was widely reported in December that security researcher Karsten Nohl had shown how to crack A5/1, the encryption algorithm that protects the GSM air interface, by publishing precomputed tables that make recovering a call's session key practical with commodity hardware. GSM is the standard used by the majority of the world's mobile phone operators. Nohl said he hoped the disclosure would push service providers to upgrade to the stronger A5/3 algorithm.
Until then, enterprises should improve user education and operational security, said Stuart Shapiro, principal information privacy and security engineer at Bedford, Mass.-based The MITRE Corp.
"If people do not have that awareness of where they are, what they're doing, what kinds of information they're telling, then they're setting themselves up for a potential risk situation," Shapiro said.
Another effective defense against voice data theft is encrypting calls on the mobile device itself, said Bransfield-Garth. "People are able to put this software onto standard mobile phones rather than having to haul around a separate device." Because the audio is encrypted end to end by software on the handset before it ever reaches the GSM radio link, employees no longer have to rely on the security of the carrier's network: a weakness in the air-interface cipher exposes only ciphertext, because the device has already protected the call.
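The handset-side encryption Bransfield-Garth describes works because the audio is sealed end to end before the carrier's cipher ever touches it. The following Go program is an added example written for this page; it is not CellCrypt's product, nor code from anyone on the panel. It seals each 20 ms audio frame with AES-256-GCM under a shared call key, using a counter nonce and an authenticated clear header so the receiver can reject replayed, reflected or modified frames. The key, the caller/callee endpoints and the frame contents are constructed assumptions, and key agreement at call setup is outside the example. The eavesdropper's position after the A5/1 crack is simulated by handing the sealed packet straight to the attacker, since with the link cipher broken that is exactly what they hold.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Endpoint is one party in an encrypted call. Both parties hold the same
// call key (agreed out of band; not shown) and each keeps a transmit counter
// plus the highest sequence number it has accepted so far.
type Endpoint struct {
	aead    cipher.AEAD
	dir     byte   // 0 = caller, 1 = callee; mixed into the nonce so the two directions never share one
	sendSeq uint64 // next sequence number to send
	recvSeq uint64 // highest sequence number accepted
	gotAny  bool   // false until the first frame has been accepted
}

const hdrLen = 9 // dir(1) || seq(8): sent in clear, but authenticated

func NewEndpoint(key []byte, dir byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{aead: aead, dir: dir}, nil
}

// nonce builds the 12-byte GCM nonce: direction byte, three zero bytes,
// 64-bit sequence number. Safe only because no (key, dir) pair ever repeats a seq.
func (e *Endpoint) nonce(dir byte, seq uint64) []byte {
	n := make([]byte, e.aead.NonceSize())
	n[0] = dir
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal encrypts one audio frame. Wire format: header || ciphertext || 16-byte tag.
// The header goes in as additional data, so editing dir or seq in flight fails the tag.
func (e *Endpoint) Seal(frame []byte) []byte {
	hdr := make([]byte, hdrLen)
	hdr[0] = e.dir
	binary.BigEndian.PutUint64(hdr[1:], e.sendSeq)
	out := append([]byte(nil), hdr...)
	out = e.aead.Seal(out, e.nonce(e.dir, e.sendSeq), frame, hdr)
	e.sendSeq++
	return out
}

// Open verifies and decrypts one packet, rejecting replays, reflections and
// modified frames. recvSeq advances only after the tag checks, so a forged
// header cannot lock out legitimate frames. (Strictly increasing order is a
// simplification; voice stacks normally keep a small replay window.)
func (e *Endpoint) Open(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+e.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:hdrLen]
	dir, seq := hdr[0], binary.BigEndian.Uint64(hdr[1:])
	if dir == e.dir {
		return nil, errors.New("reflected packet carries our own direction")
	}
	if e.gotAny && seq <= e.recvSeq {
		return nil, errors.New("replayed or out-of-order frame")
	}
	frame, err := e.aead.Open(nil, e.nonce(dir, seq), pkt[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: frame modified or forged")
	}
	e.recvSeq, e.gotAny = seq, true
	return frame, nil
}

// sampleFrame is a constructed 160-byte stand-in for one 20 ms audio frame.
func sampleFrame(k int) []byte {
	f := make([]byte, 160)
	for i := range f {
		f[i] = byte(i*7 + k*13)
	}
	return f
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed call key, never the carrier's A5/1 key
	caller, _ := NewEndpoint(key, 0)
	callee, _ := NewEndpoint(key, 1)

	var captured [][]byte // what an eavesdropper holds once the A5/1 layer is stripped
	for k := 0; k < 3; k++ {
		frame := sampleFrame(k)
		pkt := caller.Seal(frame)
		captured = append(captured, pkt)
		got, err := callee.Open(pkt)
		fmt.Printf("frame %d: delivered=%v err=%v audio visible on air=%v\n",
			k, bytes.Equal(got, frame), err, bytes.Contains(pkt, frame))
	}
	_, err := callee.Open(captured[1]) // attacker replays a recorded frame
	fmt.Println("replay:", err)
	tampered := caller.Seal(sampleFrame(3))
	tampered[len(tampered)-1] ^= 0x01 // attacker flips one ciphertext bit
	_, err = callee.Open(tampered)
	fmt.Println("tamper:", err)
}
```

The design point is that nothing in the program depends on the transport: the radio link is treated as fully hostile, which is the right assumption once A5/1 keys can be recovered. The usual places such schemes go wrong are nonce reuse (here prevented by the direction byte plus a monotonic counter per key) and advancing the replay state before the tag has been checked.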
Panelists also touched upon the gray area of compliance when it comes to mobile devices. Organizations have no explicit obligation to secure mobile voice channels; most compliance regulations instead specify the kind of information that must be protected, typically specific files containing sensitive data, and say nothing about the same data being spoken over a phone.
Bransfield-Garth said there are indications that as securing voice communications becomes more common in the coming months and years, companies that choose not to deploy security technologies for mobile phones could reasonably be considered negligent.
However, steps are being taken to close this gap. Ulsch referenced the Massachusetts data protection regulation 201 CMR 17.00, which requires any company that handles Massachusetts residents' personal information to encrypt that information on laptops and other portable devices, mobile devices included, and whenever it is transmitted across public networks or wirelessly, to the extent technically feasible.
By all accounts, infosec pros should look into their own voice communications policies and processes, Bransfield-Garth said.
"We're seeing a greater awareness in companies and government," he said. "Fortunately, the arrival of some technologies coupled with mobile network and smartphone devices is enabling people to do something about it."