GCHQ Telephone Security Is 'open to surveillance'

Application scenario for Voice over IP (VoIP) 

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

The security protocol is used to encrypt Voice Over Internet Protocol (Voip) calls. In a blog, University College London researcher Steven Murdoch described vulnerabilities in how such conversations were encrypted.

GCHQ said it did not recognise the findings. Dr Murdoch did not say that the vulnerability would give direct access to conversations, but that it would make it possible to undermine the system's security.

The network operator could listen in to calls, or authorise someone else to, and anyone who hacked the system would be able to eavesdrop, he said.

One of Dr Murdoch's chief concerns was that the security standard has "key escrow" by design - meaning, for example, that a third party has access to data sent between two people in a conversation. This, he said, is an example of a backdoor.

In this case, it could allow an intelligence agency, or the organisation, which is using the standard, to intercept phone calls, Dr Murdoch said. "I think this comes from a conflict of interest within GCHQ in that they are there to prevent spying but they are also there to spy - so they facilitate spying," he told the BBC.

Dr Murdoch added that he was aware of two products, which use the standard, both of which are government certified. "They could be in use inside government," he said.

The protocol in question is known as Mikey-Sakke (Sakai-Kasahara key encryption in multimedia internet keying). It works by generating encryption keys that are used to encrypt and decrypt voice conversations.
Although it is technically possible to create these keys on two separate computers and only share part of those keys publicly, the Mikey-Sakke protocol does not do this. The Mikey-Sakke protocol was designed by GCHQ, which is based in Cheltenham.

Instead, keys are distributed by a third party to the conversation participants - the process known as key escrow - meaning that they are much more vulnerable to interception.

There are cases in which this would be desirable, commented Prof Nigel Smart, a cryptography expert at the University of Bristol. "It could make sense to have a form of key escrow where someone can break into communications - you could use it for traders communicating on the London stock exchange," he told the BBC. "You might want them to be encrypted most of the time but you might want a regulator to be able to come in and decrypt."

However, Prof Smart points out that with Mikey-Sakke, it's not clear where or how the protocol is being used. It was up to GCHQ, he said, to make the scope of the protocol clear. "If you don't explain how you're going to use it, what systems it's going to be used in, what the scope and limit of the escrow facility is, then you're going to get bad publicity," he said, "The Mikey-Sakke protocol enables development of secure, scalable, enterprise grade products."

Questions continue to be raised over government policy towards encryption, generally. For instance, a petition to prevent the British government from banning strong encryption standards has received a response from the Home Office this week. "The government is not seeking to ban or limit encryption," the statement read. "The government recognises the important role that encryption plays in keeping people's personal data and intellectual property safe online."

Out of a target of 100,000, 11,000 people have so far signed the petition. And, at the World Economic Forum in Davos, Switzerland, several tech giants have raised the issue of whether governments should be allowed to gain access to secure communications on demand.

BBC: http://bbc.in/1nz9y4V

« US Critical Infrastructure Is At Cyber Risk
Will Robots Save The Future Of Work? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Intrinsic-ID

Intrinsic-ID

Intrinsic-ID's authentication technology creates unique IDs and keys to authenticate chips, data, devices and systems.

Sucuri

Sucuri

Sucuri have offered holistic website security solutions since 2008 including malware removal, malware monitoring and website protection services.

Orange Cyberdefense

Orange Cyberdefense

Orange Cyberdefense is the expert cybersecurity business unit of the Orange Group, providing managed security, managed threat detection & response services to organizations around the globe.

Nation-E

Nation-E

Nation-E offers innovative cyber security solutions for industrial installations, critical infrastructure and smart grids.

Infosistem

Infosistem

Infosistem is a Croatian ICT company with extensive expertise and experience in enterprise and SMB ICT projects and solutions.

CERT-PH

CERT-PH

CERT-PH is the National Computer Emergency Response Team and the highest body for cybersecurity related activities in the Philippines.

Nihon Cyber Defense

Nihon Cyber Defense

Nihon Cyber Defence’s mission is to provide robust solutions, services and support to governments, corporates and organisations in order to protect them from all forms of cyber warfare.

Deepnet Security

Deepnet Security

Deepnet Security is a leading vendor in Multi-Factor Authentication (MFA) and Identity & Access Management (IAM).

Tapestry Technologies

Tapestry Technologies

Tapestry Technologies supports the Department of Defense in shaping its approach to cybersecurity.

SAFECode

SAFECode

SAFECode is a global industry forum where business leaders and technical experts come together to exchange insights on creating, improving, and promoting effective software security programs.

Winbond Electronics

Winbond Electronics

Winbond is a Specialty memory IC company. Product lines include Code Storage Flash Memory, TrustME® Secure Flash, Specialty DRAM and Mobile DRAM.

Swissbit

Swissbit

Swissbit AG is the leading European manufacturer of storage, security and embedded IoT solutions for demanding applications.

Infosec Institute

Infosec Institute

Infosec is a leading cybersecurity training company, we help IT and security professionals advance their careers with skills development and certifications.

CDS

CDS

CDS is a strategic change agency enabling organisations and businesses to create and build better services to meet the evolving needs of customers, employees and citizens.

Radix Technologies

Radix Technologies

Radix offer end-to-end device management solutions, consolidating all the organization devices, processes and stakeholders into one easy-to-use management platform.

Gutsy

Gutsy

Gutsy uses process mining to help organizations visualize and analyze their complex security processes to understand how they actually run, based on observable event data.