
Should enterprises encrypt audio for secure headset communications?

Encrypting communications between a headset and an audio jack may be crucial in certain situations to mitigate attacks. Enterprise threats expert Nick Lewis explains.

There is a new device that encrypts communications between a headset and an audio jack. What is the necessity of this device? Are headset attacks that common, and are there any other ways to combat such attacks?

In organizations with high security requirements, any communication involving sensitive data is at risk, whether it is wired or wireless. In certain circumstances, a Faraday cage may be the best place to have conversations you want no one to eavesdrop on. Faraday cages, however, make communicating critical information difficult, which is why cryptography grew in popularity. Right now, most enterprises do not have these types of requirements, but with the increase in pervasive surveillance, assessing the risk of eavesdropping in its various forms might be prudent.

Attacks specifically targeting headsets are rare, but as prior attacks on Bluetooth and Wi-Fi have shown, monitoring can be done from a much greater distance than most anticipate. As more devices get Bluetooth or other wireless features built in, attackers will devote more resources to compromising these kinds of communications.

The rise in both fake cell base stations and malware that listens in on phone calls might make using something like the JackPair reasonable. Such devices encrypt audio data before it gets to the mobile device. However, note that to properly secure communications, the other party must also be using the same device. This type of hardware security is not available using a software-only technology, but if the endpoints are secure, the software product could potentially be just as secure.

To ensure secure communications, enterprises can set mobile devices to require encryption using GSM for connecting to the cell network, but that doesn't necessarily protect against a fake base station. And while an encrypted connection could be set up in software on a smartphone, this doesn't protect against the smartphone being compromised. Enterprises should also pressure their vendors to provide secure mobile technologies that protect communications from monitoring in transit.


This was last published in April 2015
