Should Voice Be Secure By Default?

“I’d rather talk about this on the phone. It’s safer.” If you’ve ever said this, you could be exposing your enterprise to a huge security risk. The reality is, modern chat and email communications are often more secure than traditional voice communications. Keep reading to learn more about the vulnerabilities of traditional voice communications and how Silent Circle’s offerings are designed to secure your enterprise’s mobile communications.

The Little Lock Says So

Web pages can be delivered to your browser using either a secure or an insecure approach. As internet giants - browser creators and search engine providers - began to penalize insecure delivery, using mechanisms such as reducing the search ranking or showing web users “not secure” warnings, the proportion of pages delivered securely has steadily risen. This secure-by-default approach to web browsing protects web users from a slew of standard internet vulnerabilities and significantly raises the difficulty for hackers to steal personal information.

What About Voice?

Compare this to most voice communication, and it’s like the Wild West. Voice connections are commonly not secure by default. In the early days of party phone lines, someone could pick up a receiver and listen in. This can still happen today, albeit with a bit more technical sophistication. In fact, the international telecommunications standard SS7 protocol (by which most phone calls travel - even everyday calls from your smartphone) is notoriously vulnerable. For example, the 2017 DHS Study on Mobile Device Security “provides recommendations for assessing some of the risks posed by weaknesses in U.S. networks that appear to be unaddressed by industry [...] weaknesses in SS7”. SS7 can be wiretapped, both from ground and space-based interception.

Voice Content Is Often More Sensitive

Phone calls are often used in lieu of email for sensitive or very personal communications. The irony is that most people think that phone calls are more secure, but this is far from the truth. A traditional Gmail account has significantly more security around authentication and confidentiality than a standard telephone call.

Let’s say you set up a conference call for a quarterly report. Anyone with the dial in number could potentially hack in and listen. How many times in larger meetings do participants pop in and out unidentified? “Who just joined?” is the mantra of an insecure system.

Who’s Big Enough To Care?

You may think your business isn’t important enough to attract eavesdroppers. But, if we look at ransomware attacks in general, most criminals don’t target high profile companies. Instead, they go for the easy target. No company or individual is too small to be a victim of cybercrime.

On the flip side, you may think that only executives should be worried. But in reality, any person in your enterprise could be a portal of entry to your organization’s most sensitive information and details about its operations. Any piece of business information shared over voice is an appealing target. With just your mobile phone number, a hacker could tap into your calls and text messages. In fact, SS7 was recently breached in Germany, enabling the criminals to drain the victim’s bank accounts.

Silent Circle CTO, Hamilton Turner, says “The technology and skills needed to break into telephone systems are becoming more available at a rapid pace. Meanwhile, voice telephony is not becoming significantly more secure. Hackers look for easy entry points, and the balance of power has shifted. ”

What’s The Fix?

The ideal solution would be to make all voice communication encrypted by default just like web browsers. But for now, none of the large providers are willing to take on the task. Of all the voice options currently available, a fully encrypted VoIP platform provides the best security.

“The ZRTP protocol, developed by one of our co-founders, establishes a voice call which confirms both parties are on a secure encrypted line.” says Turner. “All of our source code is open for review, and anyone curious about how we achieve our results is welcome to take a look. Silent Circle does not sell any advertisements, does not collect any personal data and does not hold any decryption keys. Our only objective is to provide our customers with the best enterprise mobile security possible” concludes Turner.

When a Silent Circle subscriber makes a phone call or video chats with another Silent Circle member, that communication is secured and encrypted end-to-end. Learn more about Silent Circle’s technology and products and solutions.