Saturday, January 30, 2010

The Cell Phone Security Threat

Posted by Mark Brousseau

The majority of large and medium businesses are failing to adequately protect themselves against the growing threat of mobile voice call interception; leaving them vulnerable to loss of sensitive and confidential corporate information. That's according to a new survey by ABI Research on behalf of Cellcrypt.

Businesses clearly recognize the threat of cell phone interception: three-quarters of the surveyed corporations have a security policy covering cell phone calling and four out of five IT professionals surveyed believe that cell phones are equally or more vulnerable to interception than email.

Yet, the research shows that while mobile phones and email are both used routinely to communicate confidential information – with 79 percent of organizations that discuss sensitive or confidential information over mobile doing so at least weekly and 51 percent daily – only 18 percent have explicit mobile voice call security solutions in place.

Research has shown that data loss can have a major impact on market capitalization, reducing it by as much as 5-10 percent, as well as resulting in lawsuits for senior executives, severely damaging their reputation.

The growing problem was highlighted in August, when German hackers announced a project to create a code table that cracks the encryption of GSM mobile calls, used in 80 percent of the world’s cell phone calls. This codebook is planned to be freely available within the next 6 months, and significantly lowers the bar for everyday hackers to crack GSM calls using only a high-end laptop.

One alarming fact emerging from the survey was that 55 percent of respondents in IT roles thought that their organisation had implemented mobile voice call encryption solutions but on further investigation only 18% had actually done so.

“Effective email security has become routine but our research shows most businesses do not apply anything like the same level of robust security to cell phone calls. Companies that do not respond are exposing themselves to attack,” said Stan Schatt Vice President and Practice Director, Healthcare and Security, ABI Research.

“Equally concerning is that a significant number of people who identified themselves as being responsible for cell phone voice call security incorrectly believe the organisations’ mobile calls have been protected when they have not. This perception that they are protected when in reality they are not suggests a serious hole in the information security of many businesses. It is important that companies take urgent steps to review their measures for countering this growing corporate risk area,” Schatt continued.

“In light of this summer’s news that a GSM cracking codebook will be made widely and freely available very soon – possibly before the New Year – and sub-$1000 interception equipment being available soon after, this lack of security is particularly worrying,” says Simon Bransfield-Garth, CEO of Cellcrypt.

“Businesses must plan now for the eventuality that their mobile voice calls will come under increasing attack within the next 6 months. A ‘policy of hope’ towards mobile phone security is not adequate, voice is another data service and should be afforded the same security considerations as email and other corporate communications,” continued Bransfield-Garth.

Security of mobile voice calls is not limited to interception of radio waves between a cell phone and a base station mast: interception risks occur at various segments along a call path which may involve multiple network operators in a variety of countries each having a different levels of security measures and risks.

Among the key findings of the survey:

... 75 percent of the businesses surveyed discuss sensitive or confidential information via cell phones and 81 percent do so via email

... Of that 75 percent, 79 percent of businesses do so at least weekly, 51 percent do so daily

... Of the businesses sampled, 82 percent have a high level of concern about the security of email and 69 percent about cell phone security

... 41 percent of the individuals surveyed think mobile phones are more vulnerable to interception than email and 39% think they are equally as vulnerable to interception as email

... 74 percent of businesses discuss financially sensitive information on cell phones and of those 77 percent believe that if this were intercepted it would have a major impact

... 55 percent of respondents thought that their organisation had implemented mobile voice call encryption solutions but on further investigation only 18 percent had actually done so

What do you think?

1 comment:

technotera said...
This comment has been removed by a blog administrator.