Out-Law News 2 min. read
12 Feb 2010, 9:42 am
A survey by voice encryption firm Cellcrypt found that fewer than 20% of people in sensitive corporate departments such as finance or research and development encrypt their calls.
In December, researchers announced that they had cracked the ageing encryption code used by GSM mobile phone networks, such as all those in Europe. Within weeks, other researchers announced that they had cracked the more up-to-date A5/3 system.
Voice encryption company Cellcrypt said that it had surveyed 250 US businesspeople who said that voice encryption was used by departments transmitting sensitive information in under 20% of cases.
The businesspeople told Cellcrypt that encryption was used in just 13.5% of financial, 17.1% of legal and 18.3% of research and development departments.
Secret information that could be valuable to competitors is routinely discussed on mobile phones. Cellcrypt said that the businesspeople told it that 78% of them discussed financial information in mobile calls, 66% discussed employee information, 51% discussed matters relating to intellectual property and 50% discussed commercial secrets.
Of the people who did discuss sensitive information in mobile calls, 80% believed that the information would have a major impact on their business if it was leaked.
"The inherent insecurities of GSM encryption have been well publicised, even though most governments and enterprises have been aware of this threat for a while,” said Cellcrypt chief executive Simon Bransfield-Garth. “However, this research shows there is still confusion out there about when and how people should be protected from this threat."
Bransfield-Garth told technology law podcast OUT-LAW Radio that the cracking of the encryption that keeps mobile phone calls secret should be a source of worry for businesses that use mobile phones.
"We believe that these new changes to mobiles are particularly concerning because it's not particularly difficult, once those tools are available, to be able to get that information, you kind of roll a truck up to roughly where you want to record, and then you record," he said.
Bransfield-Garth said that companies whose employees discussed sensitive information over mobiles were at risk not just because of the specific information that might be leaked, but because of the reputational damage to companies when any data at all was leaked.
He said, though, that even using the decryption cracks published recently it was still not possible for hackers using off-the-shelf equipment to target specific phones, people or numbers for hacking.
The process involved the parallel recording of up to thousands of encrypted calls at once and the later decryption of those files, making live and targeted recording impossible.
He said, though, that hackers could at least narrow down the range of their targeting of surveillance subjects.
"If you imagine you were to go and set yourself up in the car park outside the headquarters of a major multinational or outside a government department, simply record all the mobile phone calls that go on and then decode a selection of those then it's fairly clear that with a certain amount of effort you are likely to come across calls that have value and are interesting," he said.
Bransfield-Garth said that as well as geographical targeting, hackers could use other information to target individuals, for example using information they had about which kind of phone a particular person used.
"You can certainly capture all of the calls and fairly quickly narrow down the ones that come from a particular model of phone," he said.
Cellcrypt's technology turns a phone call into an encrypted exchange of digital data and depends on both handsets involved having Cellcrypt's software on them.
