‘Can everyone hear me now?’

Voice interception of mobile calls is an invisible security hole that isn't getting enough attention.

Mobile threats have been with us for some time. Most organizations have done a fair job of protecting their important proprietary information, securing emails, encrypting on-board data and using mobile management tools to suppress data loss. All that has made a safer mobile world for many organizations, but certainly not foolproof.

And in fact, one newly visible major mobile security hole has not been adequately addressed: mobile communications via voice. While it's hard to come up with exact figures, I estimate that at least as much corporate sensitive data is communicated via the voice channel in standard telephone chats as via the digital channel in emails, texts, data access, etc. Conversations about organizational planning discussions, new product directions, business performance and much more all take place regularly on mobile devices. And this is where a new risk, mostly unrecognized by enterprises, is emerging.

In the past, switched circuit technology meant that a hard-wired direct connection existed between the two communicating devices, whether mobile or landline. But as communications technology evolved to digital, direct connect switched circuits mostly disappeared. Virtually all voice communications are now digitized and travel along the same paths and over the same networks that digital data does. Voice is now just one more data stream over IP networks. This makes it highly susceptible to interception by bad actors engaged in competitive espionage, or even worse things. This is especially true when business executives travel abroad, to places where you can be sure that all network traffic is being monitored.

With so much potential for corporate data loss via the voice channel, it is critical that organizations find a way to protect this data. It is also incumbent on device manufacturers and/or third parties to offer methods of creating a secure channel, much as they have done for digital data communications. This need for voice channel protection is what led BlackBerry to acquire Secusmart. BlackBerry is establishing a beachhead in a new battleground for secure enterprise communications.

BlackBerry is currently the only device maker offering a means of closing this rather large hole in organizational data sharing across its mainstream products. While I expect other device vendors and some third parties to join the fray, much as MDM vendors emerged to handle BYOD data problems, it's not likely to come in the short term. So far, very little emphasis has been placed on this largely invisible problem within the industry. It's just recently through very public disclosures of intercepted voice communications (e.g., Ukrainian separatists, German government) that enterprises and vendors have woken up to this pressing need.

Some threat mitigation is possible through end-user awareness of what not to say over voice calls and what locations are most vulnerable to interception. But it's not possible to adequately protect proprietary communications without the appropriate security technology in place. Just as most enterprises would not consider deploying mobile devices for corporate data/email access without some form of device encryption/security management, I believe companies must now focus on doing the same for voice communications on these same devices. And by the way, since many enterprise users are heavy users of texting/SMS, companies should be aware that this form of communications travels over the same channels as the voice communications and is subject to the same interception vulnerability as voice communications.

So what should companies do? Any organization that wants to protect its most sensitive data, including data transmitted via voice communications or SMS/text, needs to focus on establishing secure voice communications capabilities for all their devices, and do so quickly. This is particularly true for mobile devices that may be used in foreign lands, but even at home devices are susceptible to communications interception through network hacking/attacks.

For high-profile executives and those in high-profile organizations who don't have voice communications channel protection, it is highly likely that someone is listening. Enterprises need to make this a priority security upgrade to their policies and infrastructure within the next couple of years, if not sooner.


Jack Gold is the founder and principal analyst at J.Gold Associates, an information technology analyst firm based in Northborough, Mass.
