Freely subscribe to our NEWSLETTER

Businesses clearly recognise the threat of cell phone interception: three-quarters of the surveyed corporations have a security policy covering cell phone calling and four out of five IT professionals surveyed believe that cell phones are equally or more vulnerable to interception than email.

Yet, the research shows that while mobile phones and email are both used routinely to communicate confidential information – with 79% of organisations that discuss sensitive or confidential information over mobile doing so at least weekly and 51% daily – only 18% have explicit mobile voice call security solutions in place.

Research has shown that data loss can have a major impact on market capitalisation, reducing it by as much as 5-10%(1), as well as resulting in lawsuits for senior executives, severely damaging their reputation.

The growing problem was highlighted in August, when German hackers announced a project to create a code table that cracks the encryption of GSM mobile calls, used in 80% of the world’s cell phone calls. This codebook is planned to be freely available within the next 6 months, and significantly lowers the bar for everyday hackers to crack GSM calls using only a high-end laptop.

One alarming fact emerging from the survey was that 55% of respondents in IT roles thought that their organisation had implemented mobile voice call encryption solutions but on further investigation only 18% had actually done so.

“Effective email security has become routine but our research shows most businesses do not apply anything like the same level of robust security to cell phone calls. Companies that do not respond are exposing themselves to attack,” said Stan Schatt Vice President and Practice Director, Healthcare and Security, ABI Research.

“Equally concerning is that a significant number of people who identified themselves as being responsible for cell phone voice call security incorrectly believe the organisations’ mobile calls have been protected when they have not. This perception that they are protected when in reality they are not suggests a serious hole in the information security of many businesses. It is important that companies take urgent steps to review their measures for countering this growing corporate risk area,” Schatt continued.

“In light of this summer’s news that a GSM cracking codebook will be made widely and freely available very soon – possibly before the New Year – and sub-$1000 interception equipment being available soon after, this lack of security is particularly worrying,” says Simon Bransfield-Garth, CEO of Cellcrypt.

“Businesses must plan now for the eventuality that their mobile voice calls will come under increasing attack within the next 6 months. A ‘policy of hope’ towards mobile phone security is not adequate, voice is another data service and should be afforded the same security considerations as email and other corporate communications,” continued Bransfield-Garth.

Security of mobile voice calls is not limited to interception of radio waves between a cell phone and a base station mast: interception risks occur at various segments along a call path which may involve multiple network operators in a variety of countries each having a different level of security measures and risks.

(1) Templeton College, Oxford University