With prices like these – anyone could be listening to your mobile calls!


IMSI catchers now available for EU300

With Mobile World Congress drawing to a close for another year, we were very interested to see this story, highlighted to us by one of our colleagues in Spain. It confirms what we were already well aware of: that you no longer need to be a nation state, a major law enforcement agency (or even the now defunct News of the World!) to have the resources to tap into people’s mobile calls. IMSI catchers (see our previous blog for further explanation) can be purchased online for EU300 according to this story: http://www.elconfidencialdigital.com/seguridad/Maletines-espiar-conversaciones-moviles-euros_0_2881511824.html. For non-Spanish speakers, Google Translate does a good job at the click of a button.

Not only is the number of attack vectors increasing exponentially, so too is the number of people, organisations and criminals able to execute these attacks. With the barrier to entry dropped so low, the number of potential victims of phone tapping also increases and is now well beyond the high-threat targets that we would expect (intelligence community, law enforcement, government officials, celebrities). Anyone who talks about or exchanges commercially sensitive information such as new product details, formulae, industrial secrets, or intellectual property is now at risk!

This only serves to highlight that we all need to be a lot more aware of the potential hazards with the technology we use.

And if you do fancy treating yourself to an IMSI catcher (to find out what your friends, neighbours, work colleagues are up to), you might want to consider a more streamlined rucksack than the one shown in the article!!

NOTE: Much-respected cryptography expert Bruce Schneier recognised these same risks in his blog: https://www.schneier.com/blog/archives/2017/04/surveillance_an_2.html

Whose list are you on?

Big data – big trouble

If you’re using WhatsApp, you’ll be on a list somewhere. But not just the lists of friends, family, and work colleagues that you’d expect. Turns out that it is very easy to build a super list using WhatsApp in a web browser.

APIs are available on the web that enable developers, or anyone else for that matter, to request information about any number registered with WhatsApp; it doesn’t need to be in your address book. Information that is freely available includes your profile picture, your ‘about’ text and your online/offline status. Using this method it is possible to build a database of almost limitless size and construct timelines showing your activity.

Such a database opens up a lot of nefarious possibilities. As the database builds it becomes possible to run queries such as: when was this phone number online? When profile pictures are brought into the equation, with facial recognition technology (which most people use on Facebook), it becomes possible to take a photo of someone and then query the database to find out who they are and their phone number. Apart from being downright creepy, in certain oppressive regimes this could be extremely dangerous. For those that travel to exotic locations for business, these possibilities are certainly worth keeping in mind.

There are some steps that savvy users can take to guard against this type of abuse of their data. Casual WhatsApp users should check their privacy settings.

Remember WhatsApp is just an example that has featured in the news of late – almost any other social media app is likely to have similar vulnerabilities and issues with privacy, including where and how your data is stored.

For any sensitive, official or corporate communications social media apps such as WhatsApp should never be used. Better to use an app that you control so that you know where your data is at all times, and that has security and privacy baked in.

It’s cyber warfare out there.

Not to mention mysteriously emptying bank accounts!

There have been several recent news stories highlighting the susceptibility of mobile phones to hacking. As well as the danger of IMSI catchers there are vulnerabilities within the SS7 protocol – which we’ve talked about previously in our blog post, What’s up with WhatsApp?

El Reg recently ran a story about how Ukrainian soldiers are being bombarded with propaganda texts. The use of a fake base station or IMSI catcher mounted on a drone is suspected because the attacks are highly localised, the texts arrive when the phone is showing no reception and they leave no trace on carrier networks.

Back in January customers of European banks had their bank accounts drained in a quite sophisticated attack. Hackers first infected the banks with Trojan malware to steal login details of customers and view account balances. Then they exploited SS7 to intercept the one-off verification codes for transactions that are sent by SMS.

SS7 is the signalling protocol that telcos use to connect mobile phones to other networks and, for example, to share billing information between operators. SS7 was designed 40 years ago, when mobile phone hacking was thought extremely unlikely and you would need to be a telco to do it. Nowadays practically anyone can set up as a telco, which opens up a whole world of opportunities for those with malicious intent.

These two separate stories show the dangers of mobile phone hacking, and its increasingly pervasive nature. It’s a wake-up call for all of us to take the security of the ultimate end point – the mobile phone – extremely seriously.

What’s up with WhatsApp?

Why WhatsApp is not as secure as you thought it was, even before The Guardian’s most recent revelations about a ‘back door’

There’s been a lot of discussion in the media recently about the privacy of calls and messages sent via mobile phones, with some commentators advocating apps like WhatsApp as the answer. While it is true that messages, and now calls, made using WhatsApp are encrypted and therefore should be secure, there are in fact still gaping holes.

Not least is the so-called ‘back door’ revealed by The Guardian in its article ‘WhatsApp back door allows snooping on encrypted messages’, which explains how ‘WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages’. It goes on to state that ‘The vulnerability calls into question the privacy of messages sent across the service, which is used around the world, including by people living in oppressive regimes’ and ‘can be used by government agencies to snoop on users who believe their messages to be secure.’

This is another example of just how important it is to keep control of your own data; using a free app over which you have no control simply isn’t good security practice. Tim Cook summarised the situation very well when he said: ‘A few years ago, users of Internet services began to realise that when an online service is free, you’re not the customer.  You’re the product!’

Even before this latest revelation, there are other security holes in WhatsApp that anyone who wants to keep their conversations private should be aware of.

Susceptible to the SS7 hack

First, the app itself. Though its message encryption uses the respected Signal protocol, WhatsApp has been shown to be susceptible (like similar applications) to attacks, for example using flaws in SS7 that allow an attacker to mimic a victim’s device. SS7 stands for Signalling System No 7 (also called the Common Channel Signalling System 7 in the US or Channel Interoffice Signalling 7 in the UK), and is the system that connects mobile phone and landline networks to each other. SS7 protocols enable phone networks to exchange the information needed to process calls and text messages across disparate networks (including roaming on foreign networks), and to ensure correct billing. It also enables local number portability, prepaid payments, SMS and number translation. However, SS7 was designed nearly 40 years ago, long before phone hacking was considered a serious threat.

WhatsApp depends on the integrity of your mobile phone number to identify you, but this can be faked at the SS7 level because of the many vulnerabilities in that system (this particular issue was discovered in 2008 and made public in 2014). Hackers can then take on a victim’s WhatsApp identity and send and receive messages to and from other users. Of course, a hacker with access to the SS7 system can also transparently control normal voice and SMS services to and from a mobile, intercepting calls, reading SMS messages, and tracking the phone’s location.

Insecure Authentication

Apart from eavesdroppers listening in to your potentially sensitive conversations, where they may gain commercially valuable information, one of the biggest dangers is the interception of two-step verification codes. WhatsApp may be secure once provisioned, but if the verification code is intercepted during set-up the app will be compromised. This vulnerability is equally true for Telegram, Viber and any other apps that use this form of authentication, just as it is for banking and other sensitive web transactions that send codes by (insecure) SMS. For those that are likely to be targeted due to the work that they do (government, military/defence, handling commercially sensitive information like intellectual property, company secrets, financial transactions, sales deals, etc.), this is a relatively easy hack, and one that you wouldn’t know about until it was too late.

No control over who has your data

Second, the company. WhatsApp is now owned by Facebook, who have declared to their shareholders that once the number of WhatsApp users reaches 1 billion they will look to monetise. That means sharing your details with advertisers and who knows who else.

This is seen as such a serious situation by the UK Government that the Information Commissioner’s Office (ICO) has intervened and as a result Facebook has agreed to ‘pause’ its plan to share data with advertisers. However, it continues to share data for what it describes as spam fighting services.

Even when a service claims that it has no access to your encrypted data, it still has access to “metadata”, such as the date and time of calls and messages, the mobile phone numbers of the recipients or senders of each call or message, and (depending on the application), other information such as your location, native contact lists and the like – all of which a security-minded user might prefer not to have collected by a company such as Facebook.

You get what you pay for

WhatsApp may be free, but there is a price to pay. With any free app you don’t really know who has access to your information. And you certainly don’t know who will have access to it in the future as organisations are acquired and personal data becomes a lucrative asset to be traded.

You might also want to avoid a proprietary system where the vendor wants to lock in its users and so has no interest in promoting interoperability with competitor systems; fine for a social media app but not helpful if you want to link together a variety of organisations, where a standards-based solution would be much more logical.

If you would prefer that your sensitive conversations remain private you should take positive steps to ensure that they stay that way. That means using security applications that you control, so that you know exactly where your data is being held and who has access to it. When provisioning new security services be sure to follow strict security best practice. SMS for activation or authentication simply isn’t secure. Better options include multi-part activation details that can be distributed via separate channels, whether handed over personally, or sent via encrypted email, or best of all, managed from a central distribution point, which is within your organisation’s control, or managed on your behalf by a Government-certified, trusted supplier.

As with everything in life, you get what you pay for. Free apps have their place in leisure time for casual use, but when it comes to business, your intellectual property, state secrets, or commercially valuable information, you really can’t put your trust in something that you don’t control just because it is free.

About Andy Lilly

Andy Lilly is Director and Co-Founder of Armour Communications. He has a proven track record of delivering challenging, leading-edge research and development solutions into global markets, having held leadership positions at multi-national organisations as well as VC-funded start-ups. Andy has been instrumental in delivering military-grade secure communications systems as well as solutions suitable for use in commercial environments for over 25 years.

GDPR is coming – how security ready are you?

Andy Lilly discusses how securing your mobile communications could be a key step in meeting the new GDPR regulations

The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and you are probably starting to consider what it will mean for your company. A lot has already been written about GDPR, which will override current national data protection laws. In a nutshell, it includes new and more detailed legislation for managing and protecting personal data, meaning that all organisations will need to review their policies and practices to ensure that they comply.

Many are seeing the introduction of the new regulations as a positive step. It encompasses how personal data is managed, processed and deleted – and in particular, how it is lawfully and fairly protected by documented security measures. GDPR is clear in that it encompasses all of a company’s data (including that held in marketing, sales and finance) when dealing with EU citizens. With many companies using mobiles to communicate with customers, it also means that texts and messaging, whether internal or external, will be considered within the new data laws.

With non-compliance fines of up to €20m or 4% of global turnover, not to mention reputational damage, companies ignore the new legislation at their peril. According to ICO Information Commissioner Elizabeth Denham¹: “If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.”

Getting your ducks in a row

Whatever their business, all companies will need to get their ducks in a row when it comes to data retention, compliance and security. Governance will play an enhanced role under GDPR and you will have to ensure that you have appropriate systems and processes in place to be able to manage and monitor all data under the new rules. Accountability is also important: as well as complying, you will have to be able to demonstrate how you comply.

On a practical note, with Armour Mobile your organisation can ensure data and messaging communications are entirely secure whether in transit or stored, either with our cloud solution once you have licensed your mobile devices with us, or with our Armour on-premises solution. In fact, the latter allows your organisation to configure and manage your secure communications service in total privacy, restricting any outside connections.

We can also provide secure voice communications between your mobile and other voice systems (e.g. desk phones within your office) or services (voicemail or conferencing). Securing messaging and voice communications in these ways provides robust audit trails to support compliance and due diligence of the new privacy rules.

GDPR will mean that all organisations will have to start thinking about data in a different way – adopting Armour for your mobile communications could be a big tick in the first steps towards achieving compliance.

Investing in the next generation of talent.

Developing young talent through apprenticeships…no added sugar required!

Apprenticeships are a great way to get young people into the workplace, helping them develop meaningful skills and gain valuable hands-on experience. That’s why at Armour Comms we implemented an apprenticeship scheme almost 3 years ago that has yielded a fully-fledged Support Engineer. We continue to invest in new apprentices and currently have two bright and enthusiastic people: one of whom has recently completed her course and works in marketing, while the other, working on the support desk, should complete her course in three months.

We’ve been working with Tech City Stars who, over 13 months, deliver courses via a mix of in-work training and teacher-led classes that are designed to teach apprentices how to deliver value across a range of platforms and technologies relevant to business. The Learning & Development Specialists worked with us to identify our requirements before tailoring the programme to meet our specific needs.

Apprenticeships continue to work very well for us and while for some job functions a degree will always be required, for many roles, apprenticeships are ideal. They provide on the job training with off-site/college based learning and a formal qualification, giving apprentices a solid platform to launch their career.

As James O’Donnell, Director of Employer Partnerships at Tech City Stars, explains:

“When we recruit apprentices we are looking for energy, enthusiasm, a willingness to learn, ability to take feedback and a propensity to take action. If a young person can demonstrate this to us we know, that with our awesome employers we can help mould and shape some of the stars of the future.”

The final word goes to Kyle, who went through the apprenticeship program and is now a full time Support Engineer at Armour Comms: “The benefit of being an apprentice is learning on the job from extremely knowledgeable people who are experts in their field. I was overjoyed to be offered a full time role at the end of my apprenticeship. I love my job, no two days are ever the same and there is so much flexibility to learn new technologies and expand my skills.”

What is your metadata giving away about you?

The importance of protecting your metadata.

You don’t need to know what is being said in a conversation to know it is significant. Sometimes just knowing that someone is talking to someone else gives adversaries, competitors, unfriendly nation states, tabloid journalists/paparazzi all they need.

So just because your mobile conversations are encrypted doesn’t mean all the information is encrypted and therefore unavailable. Protecting your metadata, and understanding exactly who has access to it and what they might do with it, is every bit as important.

What is metadata?

Metadata is ‘data about data’. Most people don’t give it a second thought when communicating digitally. In effect, it’s the envelope with the address of the person to whom you are sending a letter. The postman can’t read the contents of the letter, but they know that you sent a letter, where from, who to and when. In most western regimes the contents of the letter, email, voicemail, etc., are protected under civil liberties and human rights, but more and more governments are legislating so that they have a right to interrogate metadata, with ISPs and telcos legally obliged to keep these records.

Where were you – who did you speak to?

Information like your location, who you spoke to, when, for how long and how often, can give plenty away without having the details of what was said. As a simple example, if two companies are negotiating a sensitive deal, it is fairly easy for hackers to see the calls being made and received, who they were to/from, and this could be all a competitor needs to gain a commercial advantage. There are many examples where privacy is paramount to protecting an organisation: a team of lawyers working on a corporate merger or acquisition; a defence contractor completing the final details of a supply deal; or a pharmaceutical company discussing the results of the latest drug trials. Alternatively, for a high net worth individual, having a journalist learn that they have called a drug rehabilitation clinic could be enough to ruin their reputation.

It’s cheap and easy to find out if you are not careful!

Simply encrypting the email, voice call, attachment or text message doesn’t provide total security because metadata is still available. Even entry-level criminals or script kiddies can access technology (such as IMSI catchers/fake base stations, SS7 hacks, etc.) that enables them to harvest your call and location metadata, for just a few hundred pounds.

And that’s not all – if you use a free app, such as those that are owned and controlled by social media companies, they also control your metadata. They can, and do, use that information for their own ends, and pass it on to others. Metadata is a valuable commodity, which is being bought and sold!

If your staff need to communicate while out on the road, from a mobile device, and you need to keep commercially sensitive information and intellectual property private, speak to us now.

 

AES128 v AES256 encryption – What’s the difference?

Practically nothing!

It is true that a 256 bit encryption key is many times more difficult to guess (referred to as a brute force attack) than a 128 bit key. However, guessing a 128 bit key already takes so long, and such a huge amount of computing power, that for all practical purposes it simply wouldn’t happen, so how much more certain does anyone really need to be? For an explanation of the maths try this blog.

To generate this kind of brute force, a hacker would need quantum computing, which is still years away.

So, if there is practically no difference between the two in terms of ability to protect your data, are there other factors to consider? 256 bit keys require more processing power, and can take longer to execute, so on small devices where power is an issue, or where latency is likely to be an issue, users are better off with 128 bit keys.
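As an added example (not code from the original post), the arithmetic behind the two paragraphs above, carried out with the Go standard library: it computes the expected brute-force time for 128 and 256 bit keys at an assumed rate of 10^18 guesses per second, shows the round-count difference (10 versus 14) that is where AES-256’s extra processing cost comes from, and times both key sizes with AES-GCM on the machine it runs on. The guess rate, keys, nonce and message are constructed assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/big"
	"time"
)

// bruteForceYears returns the expected number of years needed to find a
// random keyBits-bit key by trial at guessesPerSecond guesses per second.
// On average an attacker searches half the keyspace, i.e. 2^(keyBits-1) keys.
func bruteForceYears(keyBits uint, guessesPerSecond *big.Int) *big.Int {
	keysToTry := new(big.Int).Lsh(big.NewInt(1), keyBits-1)
	guessesPerYear := new(big.Int).Mul(guessesPerSecond, big.NewInt(365*24*3600))
	return new(big.Int).Quo(keysToTry, guessesPerYear)
}

// aesRounds gives the number of AES rounds for a key of keyLen bytes:
// 10 for AES-128, 12 for AES-192, 14 for AES-256 (FIPS 197). The extra
// rounds are the source of AES-256's additional CPU cost and latency.
func aesRounds(keyLen int) int { return 6 + keyLen/4 }

// sealOpenTimed encrypts msg with AES-GCM under key and decrypts it again
// (returning the recovered plaintext), then times n further encryptions of a
// 1 KiB buffer. With AES-NI the AES-256 penalty is modest; on a small CPU
// without hardware AES it tracks the 14/10 round ratio more closely.
func sealOpenTimed(key, nonce, msg []byte, n int) ([]byte, time.Duration, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, 0, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, 0, err
	}
	recovered, err := gcm.Open(nil, nonce, gcm.Seal(nil, nonce, msg, nil), nil)
	if err != nil {
		return nil, 0, err
	}
	buf := bytes.Repeat([]byte{0x41}, 1024)
	start := time.Now()
	for i := 0; i < n; i++ {
		gcm.Seal(nil, nonce, buf, nil) // output discarded: timing loop only
	}
	return recovered, time.Since(start), nil
}

func main() {
	// Constructed assumption: an adversary testing 10^18 keys per second, far
	// beyond any real cluster, to show that even then AES-128 is out of reach.
	rate := new(big.Int).Exp(big.NewInt(10), big.NewInt(18), nil)
	for _, bits := range []uint{128, 256} {
		fmt.Printf("AES-%d: %2d rounds, ~%d years to brute-force at 1e18 guesses/s\n",
			bits, aesRounds(int(bits/8)), bruteForceYears(bits, rate))
	}
	// Constructed keys, nonce and message for the demonstration only.
	nonce, msg := bytes.Repeat([]byte{0x33}, 12), []byte("constructed sample message")
	for _, keyLen := range []int{16, 32} {
		key := bytes.Repeat([]byte{byte(keyLen)}, keyLen)
		got, elapsed, err := sealOpenTimed(key, nonce, msg, 20000)
		fmt.Printf("AES-%d roundtrip ok=%v, 20000 x 1 KiB encrypts took %v\n",
			keyLen*8, err == nil && bytes.Equal(got, msg), elapsed)
	}
}
```

At 10^18 guesses per second the 128 bit figure comes out at roughly 5 x 10^12 years, which is the point of the paragraph: the 256 bit figure is astronomically larger, but both are already beyond reach.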

When looking to access a system, hackers will always go for the weakest point, which isn’t going to be the encryption whether it’s a 128 bit key or a 256 bit key. Therefore, it is more important to check that the software you are considering does what you want it to do, it protects your data in the way you think it does, and that there are no weaknesses in the processes. Also, that there are no grey areas where you are not quite sure where your data is, or who is looking after it (for example, if data is held in the cloud – do you know where the cloud actually is?). And most important of all, the security software you choose should be easy to use, invisible to users, so that they have no need or inclination to take insecure workarounds in order to do their day to day job.

In short, don’t waste time stressing about 128 v 256 bit encryption keys. Both do the job, and there are more important security issues to be worried about.

Spear Phishing – How complicit are you?


Spear phishing is what happens to gullible idiots who are not paying proper attention, right?

Wrong! Spear phishing mixes increasingly clever social engineering to make spoof emails appear real, and it’s all too easy to become a victim. Even if you are way too clever to get caught, your business users, who are not necessarily thinking about technology and security every minute of their day, may fall victim to these types of attacks.

And their mobile phones could be helping…?

Here’s how. Details of supposedly private conversations between colleagues can be used to make a spear phishing scam more believable. If your business users are subject to an IMSI catcher attack, where a fake base station is used to intercept calls, forcing them down to 2G technology (which negates the stronger encryption used across 3G & 4G networks), their conversations, which they think are private, can actually be listened to. See our previous blog for details on how this works.

Then all it takes is a phishing email addressed from a trusted colleague, referring to an earlier conversation, which gives the email credibility, a request to click a link, and a virus or Trojan could be launched. The person who has been hacked doesn’t even know.

So how can you tell if your mobile phone has been subject to interception? Short answer: you wouldn’t, unless you are in the covert ops industry with access to some pretty heavy-duty technology. Who could launch such an attack? Almost anyone that wants to – with entry-level hacking skills, and a piece of kit that can be purchased online for about €300. This could be a disgruntled ex-employee, competitors looking to steal your intellectual property, or even just pranksters/script kiddies.

The security and IT press has been talking about ‘protecting the endpoint’ for years; now the endpoint includes mobile phones. If your business users have intellectual property to protect, or commercial secrets that you’d rather remained secret, then perhaps now is a good time to start looking at protecting your ultimate endpoint – the mobile phone!