The next battle in the ongoing war for security will be focused on devices which, thanks to the Internet of Things, are proliferating at an astonishing rate. But there’s one device that sits on almost every (physical) desktop – one that we rarely think of as a security threat: the humble telephone.
Never underestimate the ingenuity and effort that burglars will put into their work. If a team of committed criminals knows that there are untold of riches lying in a bank vault, they won’t be put off by a six-inch steel door, alarms and CCTV systems – they’ll find a way through somehow. Even if it means drilling through several feet of concrete over a Bank Holiday weekend.
There’s a lesson here for businesses, even if they don’t hold a hoard of gold and precious gems on their premises. Cybercriminals are just as skilled and determined as their colleagues in the offline world; if they know that there’s valuable data to steal, they will use the most devious and ingenious methods to steal it.
Organisations can spend millions of dollars protecting their networks with best-of-breed security software and systems, but while these can defeat most determined ‘head-on’ attacks, they also force hackers to be more creative in the way that they probe their targets for weaknesses that they can exploit.
This is an approach that has contributed to an unprecedented rise in cybercrime, which cost businesses $388 billion in 2016. And as businesses wise up to more traditional methods such as brute force attacks, malware and social engineering, criminals are diversifying their tactics.
Battlegound 2.0 – Internet of Things
The next battle in the ongoing war for security will be focused on devices which, thanks to the Internet of Things, are proliferating at an astonishing rate. But there’s one device that sits on almost every (physical) desktop – one that we rarely think of as a security threat: the humble telephone.
We tend not to think of telephony as a realistic attack vector for hackers, and that’s largely because we forget that they aren’t the analogue devices of our youth. An IP-based phone is a sophisticated computing device in their own right; it has software and network connectivity that can provide an easy way in for hackers who are searching for the perfect vulnerability.
If this sounds alarmist, consider the research by F5 Networks into the string of cyberattacks that hit organisations in Singapore in June this year. The analysts found that almost 90 per cent of the malicious traffic (which originated in Russia) was specifically targeted at VoIP phones – coinciding with the Trump-Kim summit. By hacking into these phones – the type typically found in hotels where high-status delegates might be staying – the hackers would be able to eavesdrop on some of the most sensitive conversations imaginable.
The average businesses deploying VoIP phones might shrug their shoulders and wonder why the Cold War tactics of state-sponsored hackers should concern them. The answer is that hackers cut their teeth by targeting the most high-value people and organisations. Once a technology or technique has been proven against ‘valuable’ victims – such as diplomats or financial services firms – hackers can either roll it out to other businesses, or sell the knowledge and tools they have developed on the Dark Web.
So, while telephony isn’t yet a major attack vector for today’s cybercriminals, it would be foolish to imagine that IP telephony doesn’t represent a vulnerability that will be targeted and exploited sooner rather than later.
In the business of sensitive conversation?
Any business that conducts sensitive conversation over the phone needs to protect inbound and outbound calls from snoopers who are just waiting to steal anything of value – from trade secrets to customer card numbers. The solution is surprisingly simple, and focuses on removing the key vulnerability that hackers exploit – the connection between a wireless headset and its base station.
These last few inches are easy to neglect, which is why they provide such a tempting target for cybercriminals. If hackers can access this connection, they can listen to every secret or piece of sensitive information relayed over the phone.
That’s why organisations that are serious about security should choose telephony hardware that features secure encryption, authentication and secure pairing between device / headset and the base unit. This means that a non-paired unit (such as one deployed by a hacker within a few dozen feet of the office) can’t access the link and so eavesdrop on the conversation.
Pairing between base station and device is nothing new, but the latest standard is ‘physical assisted pairing’. This occurs when the headset is docked in the base unit, when a secret link-key is created to connect them. Similarly, authentication has been around for some time, but security standards can vary enormously; that’s why security-conscious organizations should look for headset / base unit. authentication based on the most secure 128-bit level technology, rather than the old standard of 64-bit.
Of course, security is only as good as the standard of encryption itself. Many DECT headsets feature some form of authentication and encryption, but often of a very limited standard. Basic encryption may put off the casual attacker, but to be fully secure an organisation needs the highest standard – ideally, military-grade technology such as AES 256-bit encryption, which gives a line of defence that goes beyond that of DECT Security Level C.
Unlike so many security technologies, secure telephony isn’t difficult to find or to deploy. It requires little or no ongoing management – all it needs is an awareness of the threat and a willingness to upgrade to a secure solution when upgrading your telephony infrastructure.
Of course, secure telephony won’t stop hackers testing other parts of your cyber defences. It will, however, close an open door that’s an invitation to the growing army of clever and determined hackers around the world.