GCHQ Telephone Security Is 'open to surveillance'

Uploaded on 2016-02-05 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, FREE TO VIEW

Application scenario for Voice over IP (VoIP) 

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

The security protocol is used to encrypt Voice Over Internet Protocol (Voip) calls. In a blog, University College London researcher Steven Murdoch described vulnerabilities in how such conversations were encrypted.

GCHQ said it did not recognise the findings. Dr Murdoch did not say that the vulnerability would give direct access to conversations, but that it would make it possible to undermine the system's security.

The network operator could listen in to calls, or authorise someone else to, and anyone who hacked the system would be able to eavesdrop, he said.

One of Dr Murdoch's chief concerns was that the security standard has "key escrow" by design - meaning, for example, that a third party has access to data sent between two people in a conversation. This, he said, is an example of a backdoor.

In this case, it could allow an intelligence agency, or the organisation, which is using the standard, to intercept phone calls, Dr Murdoch said. "I think this comes from a conflict of interest within GCHQ in that they are there to prevent spying but they are also there to spy - so they facilitate spying," he told the BBC.

Dr Murdoch added that he was aware of two products, which use the standard, both of which are government certified. "They could be in use inside government," he said.

The protocol in question is known as Mikey-Sakke (Sakai-Kasahara key encryption in multimedia internet keying). It works by generating encryption keys that are used to encrypt and decrypt voice conversations.
Although it is technically possible to create these keys on two separate computers and only share part of those keys publicly, the Mikey-Sakke protocol does not do this. The Mikey-Sakke protocol was designed by GCHQ, which is based in Cheltenham.

Instead, keys are distributed by a third party to the conversation participants - the process known as key escrow - meaning that they are much more vulnerable to interception.

There are cases in which this would be desirable, commented Prof Nigel Smart, a cryptography expert at the University of Bristol. "It could make sense to have a form of key escrow where someone can break into communications - you could use it for traders communicating on the London stock exchange," he told the BBC. "You might want them to be encrypted most of the time but you might want a regulator to be able to come in and decrypt."

However, Prof Smart points out that with Mikey-Sakke, it's not clear where or how the protocol is being used. It was up to GCHQ, he said, to make the scope of the protocol clear. "If you don't explain how you're going to use it, what systems it's going to be used in, what the scope and limit of the escrow facility is, then you're going to get bad publicity," he said, "The Mikey-Sakke protocol enables development of secure, scalable, enterprise grade products."

Questions continue to be raised over government policy towards encryption, generally. For instance, a petition to prevent the British government from banning strong encryption standards has received a response from the Home Office this week. "The government is not seeking to ban or limit encryption," the statement read. "The government recognises the important role that encryption plays in keeping people's personal data and intellectual property safe online."

Out of a target of 100,000, 11,000 people have so far signed the petition. And, at the World Economic Forum in Davos, Switzerland, several tech giants have raised the issue of whether governments should be allowed to gain access to secure communications on demand.

BBC: http://bbc.in/1nz9y4V

« US Critical Infrastructure Is At Cyber Risk
Will Robots Save The Future Of Work? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

D-RisQ

D-RisQ

D-RisQ is focussed on delivering techniques to reduce the development costs of complex systems and software whilst maximising compliance

Verint Systems

Verint Systems

Verint is a leader in CX automation. The world’s most iconic brands rely on our open platform and team of AI-powered bots to create tangible AI business outcomes, now.

EverC

EverC

EverC (formerly EverCompliant) is a leading provider of cyber intelligence that allows acquiring banks and payment service providers (PSP) to manage cyber risk.

Sky Data Vault

Sky Data Vault

Sky Data Vault provide the simplest and most cost effective method of Disaster Recovery / Business Continuity for mission critical systems and applications.

Northcross Group (NCG)

Northcross Group (NCG)

NCG provides services to help organizations meet the challenges of regulatory compliance. Our services include support, consultation, tools and accelerators for all parts of an organization.

Senserva

Senserva

Senserva delivers a deep analysis for security user accounts and applications within the Microsoft cloud environment.

Noblis

Noblis

Noblis is a dynamic science, technology, and strategy organization dedicated to creating forward-thinking technical and advisory solutions in the public interest.

Rayzone Group

Rayzone Group

Rayzone Group offers a wide range of Cyber Security solutions and services, providing hollistic protection suitable for both enterprises and National cyber security centers.

Triaxiom Security

Triaxiom Security

Triaxiom Security offers penetration testing, security audits, and strategic consulting customized to meet your needs.

Route1

Route1

Route1 is an advanced provider of secure data intelligence solutions to drive your business forward.

ID North

ID North

ID North is a Nordic service provider offering identity security to its customers by providing world class expertise and best-in-class solutions and services.

Sendmarc

Sendmarc

Sendmarc automates the process of protecting your domain from being used in email impersonation and phishing attacks.

ThreatNix

ThreatNix

ThreatNix is a tight knit group of experienced security professionals who are committed to providing competent cybersecurity solutions that adhere to international standards.

CI-ISAC Australia

CI-ISAC Australia

CI-ISAC has been designed to support and promote existing legislation and Government initiatives that are working to uplift cyber resilience across critical infrastructure sectors.

CyberKinetics

CyberKinetics

CyberKinetics specializes in cloud-based services and solutions for federal agencies and commercial clients with compliance mandates.

Deimos

Deimos

Deimos is a technology, cloud, hybrid and multi-cloud focused, professional services company. Our expertise and focus is on cloud native Developer and Security Operations.