I predict that we will soon begin seeing the transcripts of insecure voice discussions exposed on the Internet. This will include conversations from business and government leaders, and it follows from the fact that mobile calls are just a stream of 1’s and 0’s – no different than your email and files. If you are not protecting your voice calls with application-level encryption, then consider yourself duly warned here. I strongly recommend action – and I think you should read on.
Such protection of voice calls may be the most traditional aspect of the information security industry. With the advance of mobile services, however, the primary focus to date has been on protecting data and apps, rather than addressing the growing risk of mobile calls and texts. With increasing focus on disclosure of sensitive email and other communications to places like WikiLeaks, the risk of voice and text discussions being recorded and leaked will now grow.
KoolSpan has been in the business of protecting calls and texts through use of advanced encryption for several years. The company now offers an end-to-end solution for encryption of calls and texts that addresses many of the risks that executives and other individuals must mitigate in their use of mobile. We recently caught up with my friend and colleague Elad Yoran, Executive Chairman of KoolSpan, to solicit his views on this aspect of modern cyber security.
EA: Should everyone be encrypting their mobile calls and texts?
EY: Yes, absolutely, especially business people and government employees. Until recently, however, it was impractical to do so because encrypted call quality was poor and solutions were inflexible. With KoolSpan, encrypted calls sound better than regular calls and the TrustCall platform is available with several, flexible deployment options. TrustCall can be integrated into customer IT systems, managed to enforce policy, and more. With a secure solution that works well, why would anyone opt to make an insecure call?
EA: Do you expect to see more sensitive business and government mobile communications leaked to the Internet?
EY: Unfortunately, we’ve largely ignored the systemic vulnerabilities of the telecommunications networks over which we speak, text, and share information. Everything we say and text traverses these networks in the clear and is readily intercepted and monitored from around the corner or, just as easily, from around the world. The game today is economic warfare and corporate espionage, where not only government employees, but also business people are prime targets. It is safe to assume that the things we say and text, especially internationally, are monitored by governments, non-state actors, criminals, and business competitors. We are already seeing the impact. Texts and audio from calls are leaked to the Internet at an accelerating rate. The problem is growing because the attacks are easy, cheap to implement, effective, and impossible to detect.
EA: How does the end-to-end encryption work in the KoolSpan TrustCall solution?
EY: KoolSpan TrustCall is a secure communications platform. Each part of the platform plays a role. End-users have an app on their phone to call and text others. The TrustCenter is a management console that organizations can use for provisioning, revocation, management, reporting and more. Together they form a solution that enables secure communications globally. Calls and texts are protected with strong, end-to-end (E2E) encryption regardless of what networks they transit. Furthermore, KoolSpan continuously deletes TrustCall metadata and does not aggregate, sell, share or otherwise disclose it.
EA: Does the voice disclosure risk increase when executives travel internationally?
EY: Phone and text interception are domestic and international problems. That said, travelers should understand that they have a bullseye on their backs. In a variety of ways, travelers are identified before they arrive in another country, and certainly as soon as they arrive, turning on their phones while still on the airplane. Our phones are subject to direct manipulation by the local phone companies, and our calls and texts are routinely monitored, not only by the local phone company, which is often controlled by the government, but also by others operating in environments where the laws are different and the rule of law is not as well enforced.
EA: What trends are you seeing in mobile communication security across the industry?
EY: Over the last few years, significant time, effort and money have been spent on solutions, such as MDM/EMM, to manage and protect mobile devices. On the flip side, we have not focused on protecting ourselves against risks from systemic vulnerabilities in the networks over which we talk, text, and share information. Imagine if your phone was a bullet-proofed armored vehicle, but to talk with anyone in a different vehicle, you had to get out of the vehicle and walk over to the other car, thus exposing the communication. That is essentially how our mobile calls and texts are exposed at intermediate points between your phone and the other person’s phone. We can protect devices, but we must also protect the communications in transit between the devices. Our communications transit across networks designed to be interoperable and backwards compatible. So, next time you go on a safari on vacation or travel internationally on business, you can expect that your phone will work when you arrive. The technology that makes this work is called Signaling System 7 (SS7). Even as SS7 will be slowly replaced by a newer technology, Diameter, it too puts “just working” ahead of security. In other words, it is the very design of our telecommunications networks that makes things insecure. The good news is that there is a straightforward and cost-effective solution, protecting all communications with strong end-to-end (E2E) encryption, so they are protected even as they transit across networks that are open and interoperable globally.
EA: What considerations should businesses or government organizations have when thinking about mobile communications security?
EY: An easy way to think of it is in categories. One category is the user experience, beginning with how the calls sound, how easy the app is to use, etc. There are additional categories that apply to businesses and government organizations such as manageability, reporting, policy enforcement, integration into other IT systems such as AD, ERP, CRM and other systems. Also, flexibility in deployment options is a critical consideration for businesses and government organizations. TrustCall is available as a cloud-based service, a hybrid solution with dedicated TrustCenter, or with TrustCall for Government, a fully on-premise solution providing complete direct control.
EA: There are several free solutions out there, such as WhatsApp. Why not use one of these?
EY: WhatsApp and other solutions provide a degree of security and are an option for some consumers. However, while seeming “free,” they come with other costs that may be more expensive in the long run. In the case of WhatsApp, Facebook sucks up all the data about how people use it, when they use it, where, with whom, for how long and much more. All this information is aggregated with other data and is used to paint shockingly detailed and invasive profiles on each of us. The same thing is true with other free apps. We pay the price with the loss of our privacy and control over our data. Remember, if you are not paying for a product, then you are the product. Of course, businesses and government organizations have additional considerations, discussed above.