Five Ways Encryption Has (or Hasn’t) Changed Since Snowden
I’ve been thinking about the BlackBerry security presentation I attended in New York a lot this week, largely because it scared the bejesus out of me. In case you haven’t yet heard it, The New York Times covered the conversation between U.S. diplomats that was discussed during the presentation; this recorded conversation was released by Russia on Twitter. Taken out of context, the more colorful parts of this conversation could not only be a career killer, but likely did a ton of damage to the U.S./EU relationship at a time when both entities needed to work together to address the Ukraine problem. Folks not in security may assume this is the only conversation that was captured, but that would be a false assumption. This was simply the tidbit that Russia thought would do the most damage; they likely know more about what many U.S. government officials do on a daily basis than our government does (with the possible exception of the NSA and CIA).
Why is this scary? Because this was a cell phone conversation using digital cell phones. Most of us believe those calls are secure and, for the most part, they have been. But with advancements in unstructured data analysis and massive increases in scanning, it is likely that your calls are being captured by at least one government, if not two, if you live or work in a large city center.
BlackBerry points out that with its latest technology, it can mitigate this, and right now, it is the only mainstream cell phone firm that can. But wait, there is more. BlackBerry’s technology only works with other BlackBerry phones or specially configured trunks. This last part may mean we are screwed. Let me explain.
I came into the technology market through ROLM Systems, which later became IBM’s telephony division until it was sold to Siemens, which pretty much finished killing it. I was in Finance, Internal Audit and Competitive Analysis. I actually wrote the turnaround plan for the division that unintentionally resulted in getting the division sold (that’ll teach me to be exhaustive). That plan contained the core point that is pertinent here. It had been assumed that companies would replace their PBX and related technology as they would their servers, at the time on an eight-year cadence. Advances in voice, voice mail, routing, voice quality and — here is the important part – security, would drive this cadence.
Our plan was largely based on the theory that voicemail, not email, would rule. But what happened was that the telephony folks didn’t operate like the other IT folks. And instead of replacing PBXs every eight years, they weren’t replacing them, period. That is why when you look at PBX companies, they are a lot harder to find now. They were far too reliable for their own good.
But this also means that they are based mostly on thinking that existed before Netscape and the Internet. In other words, their security isn’t just out of date, it is decades out of date.
Can’t Do Encryption
Back when PBXs were king, the way you monitored phone calls was to physically intercept the call by splicing into the line and effectively mirroring the data, which was most often in analog form, to another device, or put a microphone in the phone and linked it physically or wirelessly to a remote monitor. Wireless phones at the time were mostly analog and all you needed was a radio on the same frequency to listen in (like a lot of folks do with baby monitors today). With a PBX line, monitoring was difficult because the PBX would dynamically assign trunks to incoming calls. Later models would use one or more T-1s, which would aggregate the calls and you’d have to capture every call and physically listen to it for the entire company, making the microphone approach far easier and far more common. An agency like the NSA or FBI might tap a T-1 and put analysts on the job of listening to calls, but this approach was well beyond the capabilities of an individual, company or typical law or public investigation firm.
Cell phones were thought to be secure in much the same way, because you’d have to record all the conversations going in and out of each cell tower and then someone would need to listen to them. But computers can do all of that now at scale, which is why BlackBerry is pushing encryption.
However, the current generation of PBXs can’t do encryption. The fix is to put devices on the trunks that sense an encrypted call and encrypt/decrypt the conversation. The problem is, that fix doesn’t address PBXs that are networked or the T-1 digital feed from SS7 nodes. It also means that inside the company, the calls remain unencrypted. Any time a call is made to anything that doesn’t have this encrypted capability, it is in the clear. Oh, and if you don’t call the company through one of the special trunks (PBXs have software that automatically routes the call to the cheapest line, which likely won’t be encrypted), the call isn’t protected.
In effect, with the possible exception of some of the newer VOIP products (which I have checked), your decades-old PBX can’t be protected adequately. And the system that used to drive the White House isn’t even close to being secure enough (it was one of ours). I expect we’ll start hearing some interesting conversations out of it shortly unless it has been replaced.
Wrapping Up: Two Options for Voice Security
If you are in one of the areas where security is critical like government, military, health care, finance, pharma, legal, high tech or advanced development in any industry, you need to get rid of your PBX. Either replace it with something that can do dynamic encryption to the handset or dump the entire idea of a PBX, get everyone on secure cell phones and then virtualize the PBX function for call routing.
I know of a few firms that are supposedly looking at how to do this; you really don’t need two phones for every employee and most of the ones that do business on a cell phone have a company phone.
One piece of final advice: Until you know that you are on a secure encrypted line, figure that someone will eventually listen to whatever you are saying, and adjust what you are saying accordingly. If you don’t say something that will come back to haunt you, it won’t matter if someone is listening in.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+