Securing IP Voice Calls using your Smartphone
Easy to Communicate, Easy to Intercept.
In today’s world of internet communications, IP voice calls have become an inexpensive easily accessible form of communication. Normal IP voice conversations using your smartphone, whether Android or IOS, are however highly vulnerable to interception which has created a growing, pressing need to secure these calls and protect them from interception for malicious intent, that is, ensuring that only intended parties can hear and comprehend the conversation.
It is a known fact that there are serious and real-time threats against IP voice calls taking place over the internet while using most smartphone voice applications. Many of these applications are hosted in the internet cloud, providing one-to-one and group calls between users, allowing for a worldwide, simple and effective communication platform between users, requiring only data connectivity during the call. These hosted voice solutions make use of numerous cloud servers placed in strategic data centres across the global internet, ensuring low latency and seamless failover in case of internet path failure.
However, as simple, and convenient as these hosted voice solutions are, they are developed, designed, and hosted by third party countries, and for the user, there is no control over the design, development and most importantly the control of the information being transmitted through these systems.
Understanding the Threat
It is important to understand that in the internet world, voice communications is basically transmitting one’s and zero’s, the same as sending a file, this data can be written to a storage device as easily as a normal file is saved on a server allowing the “call” to be recorded for later “listening”.
The end user has no control over this capability and relies completely on the standard terms and conditions of the “contract” between themselves and the hosted service. It is virtually impossible for the user to guarantee that the hosting company will respect these terms and conditions. How can you then trust that the communications you are having across their infrastructure will be respected for privacy and not given to businesses and governments for commercial or security use?
Most users are not even fully aware of the implications of the terms that they agree to when installing voice applications to their smartphones. For the typical user, privacy and security are not top of mind when using the application, perhaps extremely low cost and simplicity is just more appealing.
End users require global, simple, cost effective voice solutions for their smartphones however, they also require privacy and security, of which the latter often neglected by off-the-shelf free applications. Once the reality of the threat is recognised, it becomes clear that a solution providing simple communications while ensuring privacy and full system control is needed.
"Once the reality of the threat is recognised, it becomes. clear that a solution providing simple communications while ensuring privacy and full system control is needed."
Users who have understood this concept, and are most in need, are typically governments, militaries, security agencies, organisations, and some private individuals. The communications that these users typically have are often of national, global, or even regional sensitive nature, or when business is concerned, of a commercially sensitive nature. If the information shared is intercepted and interpreted, this can have serious implications for all entities involved, i.e., financial implications may be at stake or in more serious instances, lives may even be at risk.
When weighing up the risk, it becomes evident that third party hosted application servers, for secure voice systems, are not the ideal way to protect voice communications. Instead, entities need to rather consider a professional, privately hosted secure voice system, over which they have full control. Ideally deployed within the company or organisation's own IT infrastructure, with custom key management ensuring control over secure voice applications, managed at all times on communicating end-user devices.
Once a government or organisation adopts this self-hosted method, then the building blocks for providing a true secure voice service, allowing smartphone devices to talk securely over the global internet are in place. Only then will smart devices have the ability to initiate truly secure and confidential voice calls.
What characterises True Secure Communications?
In true secure communication, authentication between the end-user application and the server ensures that only the secure custom application is allowed to connect to the server. The call between the server and the called party is set-up, authenticated and an end-to-end encrypted session is started between the parties. This ensures that there is always a secure encrypted voice link between these parties when they share sensitive information over the global internet.
As in an internally hosted system, capabilities to audit conversations are often required to interrogate conversation. It is necessary to have information trails for inconsistencies and supporting evidence should information breaches occur. In many cases fully auditable systems provide valuable supporting evidence to law enforcement.
As an integral part of any true communications security system, the user needs to consider the origin of the application they are using. Simply downloading the application from the internet, simple setups and configuration and a quick start to use by anyone on any device, should ring alarm bells.
"If you are committed to practicing True Secure Communications, you need to have a truly secured device too."
In best practice, the user device is used to transmit and receive sensitive information. If a user is to practice true Communications Security, then it is imperative to ensure that firstly, the device is protected from any existing threats that could be already on the device. In order to ensure that the device is “clear and clean” from potential threats before installing a secure communication application, the smartphone will need to be cleaned and a secure Mobile Device Management service (MDM) will need to be installed. This will ensure that the smartphone is scanned, and continuously monitored and protected from potential man-in-the-middle attacks, operating system (OS) vulnerabilities and other malicious code and attack attempts.
Once this holistic unified threat protection process is completed and the device managed, monitored, and controlled, only then is it recommended to install a carefully selected Secure Voice application.
Why Mobile Device Management?
The MDM service ensures that all smartphones within the organisation are controlled and managed against an acceptable organisational policy, regulating what applications can be loaded or how they can be used on the smartphone. In the event the smartphone is misplaced or stolen, the end user device can be located, and a remote wipe of the entire device can be initiated from the centralised control and management of the MDN solution.
In order to safeguard specialised applications such as installed Secure Voice applications on user devices, MDM and the Secure Voice application need to work seamlessly together to ensure that when sensitive and confidential information is shared between two parties, all necessary security and protections are in place to prevent unauthorised access to the end user devices and that the actual call between the parties is encrypted with a high-level encryption algorithm.
Technological advances have provided us with numerous communication channels and capabilities using our smart devices, unfortunately the increased capabilities are accompanied by even more threats and vulnerabilities. The reality is that failure to observe and implement the necessary industry standards for true secure communications, will only provide you with security by obscurity which will prevent absolute integrity of devices as well as the conversations taking place.