GCHQ Telephone Security Is 'open to surveillance'

Application scenario for Voice over IP (VoIP) 

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

The security protocol is used to encrypt Voice over Internet Protocol (VoIP) calls. In a blog post, University College London researcher Steven Murdoch described vulnerabilities in how such conversations were encrypted.

GCHQ said it did not recognise the findings. Dr Murdoch did not say that the vulnerability would give direct access to conversations, but that it would make it possible to undermine the system's security.

The network operator could listen in to calls, or authorise someone else to, and anyone who hacked the system would be able to eavesdrop, he said.

One of Dr Murdoch's chief concerns was that the security standard has "key escrow" by design - meaning, for example, that a third party has access to data sent between two people in a conversation. This, he said, is an example of a backdoor.

In this case, it could allow an intelligence agency, or the organisation that is using the standard, to intercept phone calls, Dr Murdoch said. "I think this comes from a conflict of interest within GCHQ in that they are there to prevent spying but they are also there to spy - so they facilitate spying," he told the BBC.

Dr Murdoch added that he was aware of two products that use the standard, both of which are government-certified. "They could be in use inside government," he said.

The protocol in question is known as Mikey-Sakke (Sakai-Kasahara key encryption in multimedia internet keying). It works by generating encryption keys that are used to encrypt and decrypt voice conversations.

Although it is technically possible to create these keys on two separate computers and only share part of those keys publicly, the Mikey-Sakke protocol does not do this. The Mikey-Sakke protocol was designed by GCHQ, which is based in Cheltenham.

Instead, keys are distributed by a third party to the conversation participants - a process known as key escrow - meaning that they are much more vulnerable to interception.
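The difference between the two approaches can be shown with a small model. This is an added example, not code from the BBC article, from Dr Murdoch's blog or from any Mikey-Sakke product, and it is a deliberate simplification: a toy discrete-log group stands in for the protocol's pairing-based mathematics, and `EscrowKMS`, the identities and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy group parameters, assumed for illustration only: this is not the
# pairing-based maths of Mikey-Sakke and not a safe choice for real use.
P = 2**255 - 19
G = 2

def kdf(shared: int) -> bytes:
    """Turn a shared group element into a 32-byte session key."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

class EscrowKMS:
    """Hypothetical key server: every user's private key is derived from
    one master secret, so the server can recreate any of them at will."""
    def __init__(self):
        self._master = secrets.token_bytes(32)

    def private_key(self, identity: str) -> int:
        d = hmac.new(self._master, identity.encode(), hashlib.sha256).digest()
        return int.from_bytes(d, "big") % (P - 2) + 1

    def public_key(self, identity: str) -> int:
        return pow(G, self.private_key(identity), P)

def encapsulate(recipient_pub: int):
    """Caller side: returns (value sent on the wire, session key)."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), kdf(pow(recipient_pub, r, P))

def decapsulate(private: int, wire_value: int) -> bytes:
    return kdf(pow(wire_value, private, P))

def escrow_demo(identity: str = "bob@example.org"):
    kms = EscrowKMS()
    bob_priv = kms.private_key(identity)       # handed to Bob by the server
    wire, alice_key = encapsulate(kms.public_key(identity))
    bob_key = decapsulate(bob_priv, wire)
    # Whoever holds the master secret re-derives Bob's key and recovers the
    # session key from the recorded wire value, without Bob's involvement.
    kms_key = decapsulate(kms.private_key(identity), wire)
    # A party with a different master secret gets a useless key.
    outsider_key = decapsulate(EscrowKMS().private_key(identity), wire)
    return alice_key, bob_key, kms_key, outsider_key

def endpoint_demo():
    """Keys created on the two endpoints; only public halves are shared.
    (Authenticating the public halves is out of scope for this sketch.)"""
    a = secrets.randbelow(P - 2) + 1           # never leaves Alice's device
    b = secrets.randbelow(P - 2) + 1           # never leaves Bob's device
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    return kdf(pow(pub_b, a, P)), kdf(pow(pub_a, b, P))
```

In `escrow_demo` the server's copy of the session key matches the callers' copies; in `endpoint_demo` no third party ever holds a private value from which the key could be rebuilt.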

There are cases in which this would be desirable, commented Prof Nigel Smart, a cryptography expert at the University of Bristol. "It could make sense to have a form of key escrow where someone can break into communications - you could use it for traders communicating on the London stock exchange," he told the BBC. "You might want them to be encrypted most of the time but you might want a regulator to be able to come in and decrypt."

However, Prof Smart points out that with Mikey-Sakke, it's not clear where or how the protocol is being used. It was up to GCHQ, he said, to make the scope of the protocol clear. "If you don't explain how you're going to use it, what systems it's going to be used in, what the scope and limit of the escrow facility is, then you're going to get bad publicity," he said. "The Mikey-Sakke protocol enables development of secure, scalable, enterprise grade products."

Questions continue to be raised over government policy towards encryption, generally. For instance, a petition to prevent the British government from banning strong encryption standards has received a response from the Home Office this week. "The government is not seeking to ban or limit encryption," the statement read. "The government recognises the important role that encryption plays in keeping people's personal data and intellectual property safe online."

Out of a target of 100,000, 11,000 people have so far signed the petition. And, at the World Economic Forum in Davos, Switzerland, several tech giants have raised the issue of whether governments should be allowed to gain access to secure communications on demand.

BBC: http://bbc.in/1nz9y4V
