What Lessons Can Businesses Learn From Phone Hacking Scandals?


While this year’s phone hacking scandal promises to rumble on for the foreseeable future, highlighting security weaknesses of mobile phones, the reality is that phone hacking is far more extensive than purely voice mail hacking.

If we move beyond the Leveson inquiry, with its witness stand full of celebrities, there is a very important reason why UK corporations should be taking the security of their mobile communications far more seriously.

Last year a pair of security researchers demonstrated to a Berlin conference how they were able to eavesdrop on mobile phone calls and texts made on any GSM network. This wasn’t about hacking voicemails but listening in to calls as they were taking place across the GSM network. Indeed, there are a number of hacking techniques that can be used by the criminally minded with enough motivation:

  • Setting up a fake base station
  • Attacking weaknesses in the GSM standard, as demonstrated by Karsten Nohl, a researcher at the University of Virginia
  • Exploiting femtocell vulnerabilities, a technique used for turning a commercially available femtocell into a call monitor
  • Building a mobile interceptor, an easy DIY digital spy drone created by combining a number of publicly available technologies

These examples show that intercepting mobile phone calls, a capability that was until recently the preserve of intelligence agencies, is now within the reach of anyone with some basic technical skills.

As Chris Bryant, MP, recently commented when shown a fake base station, it’s all too quick and easy to do. “…we heard that the man in charge of counter-terrorism in the Metropolitan police is 99% certain that his phone was hacked. An hour later (after this claim was made), I was shown a piece of kit that costs about £1,500 and is readily available on the internet. It effectively sets up an illegal mobile phone mast through which it is possible to listen to any conversation held by anyone on a mobile phone within three miles…”

What many of these conversations don’t tell people is that, no matter how small or large their organisation is, they can easily protect themselves, their employees and sensitive corporate information from falling prey to this latest form of hacking.

Put simply, cell phones and other mobile devices are essential business tools that any modern business would now struggle to operate without. But mobile networks cannot guarantee the privacy or integrity of any call, and the only way to address this is to ensure that sensitive calls are encrypted.

Businesses spend a fortune on securing data networks with firewalls, email spam filters, web content filters and, of course, anti-virus products, but for some reason the VoIP world has not yet reached this level of security awareness and is often left unsecured. Perhaps, with mobile security currently at the forefront of national news, businesses might now consider what steps they need to take.

Standard data firewalls can only effectively address generic IP security threats; all other threats exploit vulnerabilities at the VoIP protocol level and need targeted security controls. By simply investing in a suitable VoIP application for mobile devices and a Session Initiation Protocol (SIP) security controller, a business can secure its calls by encrypting them over the mobile data channel, with the added benefit of reducing call and roaming charges.

This investment can be used not only for mobile devices but also across internal phone systems. It means using a SIP Trunk service from an Internet Telephony Service Provider (ITSP) rather than an ISDN provider.

So while you might not be Hugh Grant, Sienna Miller or perhaps Jude Law, you will know that your business secrets, which, let’s face it, hold a real value to your business, are kept safe and secure.

Peter Cox is founder and CEO of UM Labs. He has more than 30 years of IT industry experience, and has worked exclusively in the area of internet security since 1994. Peter was a co-founder of Borderware Technologies, where he helped develop and bring to market one of the first commercially successful firewall products. While at Borderware, Peter focused on application-specific security gateways including Email, IM and VoIP products. Peter is the author of the SIPtap VoIP eavesdropping demonstration tool, and is a frequent speaker on the subject of VoIP security.