There is a new device that encrypts communications between a headset and an audio jack. What is the necessity of this device? Are headset attacks that common, and are there any other ways to combat such attacks?
In organizations with high security requirements, any communication involving sensitive data is at risk, whether it is wired or wireless. In certain circumstances, a Faraday cage may be the best place to have conversations you want no one to eavesdrop on. Faraday cages, however, make communicating critical information difficult, which is why cryptography grew in popularity. Right now, most enterprises do not have these types of requirements, but with the increase in pervasive surveillance, assessing the risk of eavesdropping in its various forms might be prudent.
Attacks specifically targeting headsets are rare, but as prior attacks on Bluetooth and Wi-Fi have shown, monitoring can be done at a much farther distance than most anticipate. As more devices get Bluetooth or other wireless features built in, attackers will devote more resources to compromising these kinds of communications.
The rise in both fake cell base stations and malware that listens in on phone calls might make using something like the JackPair reasonable. Such devices encrypt audio data before it gets to the mobile device. However, note that to properly secure communications, the other party must also be using the same device. This type of hardware security is not available using a software-only technology, but if the endpoints are secure, the software product could potentially be just as secure.
To ensure secure communications, enterprises can set mobile devices to require encryption using GSM for connecting to the cell network, but that doesn't necessarily protect against a fake base station. And while an encrypted connection could be set up in software on a smartphone, this doesn't protect against the smartphone being compromised. Enterprises should also pressure their vendors to provide secure mobile technologies that protect communications from monitoring in transit.
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email. (All questions are anonymous.)