GCHQ Telephone Security Is 'open to surveillance'

Uploaded on 2016-02-05 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, FREE TO VIEW

Application scenario for Voice over IP (VoIP) 

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

The security protocol is used to encrypt Voice Over Internet Protocol (Voip) calls. In a blog, University College London researcher Steven Murdoch described vulnerabilities in how such conversations were encrypted.

GCHQ said it did not recognise the findings. Dr Murdoch did not say that the vulnerability would give direct access to conversations, but that it would make it possible to undermine the system's security.

The network operator could listen in to calls, or authorise someone else to, and anyone who hacked the system would be able to eavesdrop, he said.

One of Dr Murdoch's chief concerns was that the security standard has "key escrow" by design - meaning, for example, that a third party has access to data sent between two people in a conversation. This, he said, is an example of a backdoor.

In this case, it could allow an intelligence agency, or the organisation, which is using the standard, to intercept phone calls, Dr Murdoch said. "I think this comes from a conflict of interest within GCHQ in that they are there to prevent spying but they are also there to spy - so they facilitate spying," he told the BBC.

Dr Murdoch added that he was aware of two products, which use the standard, both of which are government certified. "They could be in use inside government," he said.

The protocol in question is known as Mikey-Sakke (Sakai-Kasahara key encryption in multimedia internet keying). It works by generating encryption keys that are used to encrypt and decrypt voice conversations.
Although it is technically possible to create these keys on two separate computers and only share part of those keys publicly, the Mikey-Sakke protocol does not do this. The Mikey-Sakke protocol was designed by GCHQ, which is based in Cheltenham.

Instead, keys are distributed by a third party to the conversation participants - the process known as key escrow - meaning that they are much more vulnerable to interception.

There are cases in which this would be desirable, commented Prof Nigel Smart, a cryptography expert at the University of Bristol. "It could make sense to have a form of key escrow where someone can break into communications - you could use it for traders communicating on the London stock exchange," he told the BBC. "You might want them to be encrypted most of the time but you might want a regulator to be able to come in and decrypt."

However, Prof Smart points out that with Mikey-Sakke, it's not clear where or how the protocol is being used. It was up to GCHQ, he said, to make the scope of the protocol clear. "If you don't explain how you're going to use it, what systems it's going to be used in, what the scope and limit of the escrow facility is, then you're going to get bad publicity," he said, "The Mikey-Sakke protocol enables development of secure, scalable, enterprise grade products."

Questions continue to be raised over government policy towards encryption, generally. For instance, a petition to prevent the British government from banning strong encryption standards has received a response from the Home Office this week. "The government is not seeking to ban or limit encryption," the statement read. "The government recognises the important role that encryption plays in keeping people's personal data and intellectual property safe online."

Out of a target of 100,000, 11,000 people have so far signed the petition. And, at the World Economic Forum in Davos, Switzerland, several tech giants have raised the issue of whether governments should be allowed to gain access to secure communications on demand.

BBC: http://bbc.in/1nz9y4V

« US Critical Infrastructure Is At Cyber Risk
Will Robots Save The Future Of Work? »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Council of European Professional Informatics Societies (CEPIS)

Council of European Professional Informatics Societies (CEPIS)

CEPIS is the representative body of national informatics associations throughout Europe and represent over 450,000 ICT and informatics professionals in 32 countries.

Miller Group

Miller Group

Miller Group is an IT managed service provider. We proactively monitor and manage your entire business computer network. Services include backup & recovery and cyber security.

Mobile Mentor

Mobile Mentor

Mobile Mentor is an independent provider of enterprise mobility solutions in New Zealand and Australia.

Momentum Cyber

Momentum Cyber

Momentum Cyber provides world-class M&A and strategic advice combined with unparalleled senior-level access to the Cybersecurity ecosystem.

Cellopoint

Cellopoint

Cellopoint is a leading manufacturer of information security and email lifecycle management (ELM) products.

UK Research & Innovation (UKRI)

UK Research & Innovation (UKRI)

UKRI works in partnership with universities, research organisations, businesses, charities, and government to create the best possible environment for research and innovation to flourish.

Cysiv

Cysiv

Cysiv SOC-as-a-Service combines all the elements of an advanced, proactive, threat hunting SOC, with a managed security stack for hybrid cloud, network, and endpoint security.

Global Cyber Security Capacity Centre (GCSCC) - Oxford University

Global Cyber Security Capacity Centre (GCSCC) - Oxford University

GCSCC's work is focused on developing a framework for understanding what works, what doesn’t work and why – across all areas of cybersecurity capacity.

OnDefend

OnDefend

OnDefend delivers information security solutions that improve overall security posture, reduce risks and defend against continually evolving and persistent cyber adversaries.

Conference on Applied Machine Learning in Information Security (CAMLIS)

Conference on Applied Machine Learning in Information Security (CAMLIS)

CAMLIS is a venue for discussing applied research on machine learning, deep learning and data science in information security.

Defscope

Defscope

Defscope is an Azerbaijani company entirely focused on cybersecurity offering training, security consulting, and other professional services.

Sydeco

Sydeco

Sydeco offer a complete range of products that secure computer and industrial networks, servers, programs and data against any type of computer attack.

Netsurit

Netsurit

Managed IT, Cloud, and Security Services. Netsurit is Your IT Innovation and Digital Transformation Accelerator.

CyAmast

CyAmast

CyAmast is an IoT Network security and analytics company that is changing the way enterprise and governments detect and protect networks from the pervasive threat of cyber attacks.

Alcatel-Lucent Enterprise (ALE)

Alcatel-Lucent Enterprise (ALE)

We are Alcatel-Lucent Enterprise. Our mission is to make everything connect with digital age networking, communications and cloud solutions.

System360

System360

System360 is one of Houston's top suppliers of network administration, design, security, and support services.