There’s a flaw hitting the headlines that could let all and sundry listen to your calls, track your location and nick your data. If you’re a business this could be particularly bad as apparently you could even be liable for not protecting yourself – so, here’s your call to action!
Apparently a flaw has been exposed that’s affecting the mobile phones of billions of users around the globe. The list of those exploiting the flaw is almost as extensive, including (according to tech site computerweekly.com): “hackers, fraudsters, rogue governments and unscrupulous commercial operators.”
The flaw that’s making sharing your info more of a reality than you’d perhaps like is in the architecture of the mobile phone signalling system SS7, which enables mobile roaming between different companies. There’s speculation that this flaw hasn’t been fixed faster because intelligence services are having a grand old time using it to their advantage.
The Aussie TV show 60 Minutes investigated the flaw, showing how hackers in Germany were able to record the phone calls and track the movements of a politician in Australia. Apart from freaking out a lot of people, and making everyone wonder just how long intelligence agencies have been aware of this, it’s also raising the question of how safe the SMS verification systems used by online banking and email services are.
The tech behind the terror here is a ‘man-in-the-middle’ attack: once an attacker has access to the SS7 system, they can forward calls to a recording device, then send the call through to the person who was meant to receive it, leaving the attacker with all the info and the caller none the wiser.
Telecoms security specialist Peter Cox said: “People can be making very confidential business calls, discussing mergers and acquisitions. If information leaks out through this vulnerability, the company making this call can be liable for compliance breaches”.
He suggested: “Users should consider alternatives, such as using voice over IP services with encryption, and should recognise if you are using a mobile phone, you are on a public network, and all the security vulnerabilities that you apply to data should apply to voice calls.”
Our security arm Secarma agrees: “You probably already tell staff you shouldn’t talk about confidential company matters with your personal email addresses, and the same goes with mobile phone comms, unless – like Cox says – you can utilize end-to-end encrypted calls.
“If you can’t enforce controls over the network you are using, as in public mobile networks, then you probably shouldn’t be having that private conversation; however you can put in controls on a private company network, for example VoIP over VPN, or using an encrypted protocol.”
Whilst nothing is foolproof, these options give you some of the control back – if you set up a VPN you know you won’t be giving away your back door keys to the government, or anyone else!
If you’re interested in exploring our security solutions take a look at our website or give us a call on 0208 045 4945.