Spying on telephone calls made by your neighbours or corporate rivals has never been easier - or cheaper - and according to one security expert this represents a major chink in the security armour of many individuals and companies.

Mobile Phone Monitoring

Generally speaking, over the last few years, most people have understood the need to secure their PCs and laptops, whether that is against malware looking to steal your banking details, or rival companies looking to steal your corporate secrets.

"By now there is no credible corporation around that hasn't secured its IT infrastructure with firewalls, anti-virus software. [But] voice and mobile devices are the chink in the security armour."

So says Bjoern Rupp, CEO at GSMK Cryptophone which specialises in providing end-to-end encryption of voice and mobile calls to individuals as well as businesses.

Rupp believes people still work on the assumption that the telephone system is a trusted, government-run entity, even though this is no longer the case.

One of the main reasons that call monitoring like this is becoming such a huge problem is that the cost of intercepting telephone calls and attacking mobile devices has decreased enormously in the last couple of decades.

"Twenty years ago this was the preserve of law enforcement agencies, [using] specialised, expensive equipment which could not be bought on the open market. Nowadays, if you know what you are doing, you can go into an electronics shop and for just a few hundred pounds you are in business."

While Rupp says the use of such technology is widespread, "the general public has not yet arrived at that level of awareness."

Larger corporations, especially those regularly targeted by interested parties and subject to espionage, have woken up to this reality, but "your average small or medium-sized company has no clue how dangerous this is."

Researchers Karsten Nohl and Luca Melette from Chaos Computer Club recently demonstrated for German business magazine Wirtschaftswoche how easily and cheaply calls can be intercepted remotely.

All that is needed for a medium-skilled computer hobbyist to intercept a mobile phone call is a laptop, four traditional mobile phones and spying software, which is available on the internet. All this is available for a minimal cost of around a few hundred pounds, and it has opened voice interception to a much larger, mass market where specialist knowledge is no longer required.

Despite scientists proving how easy it is to intercept GSM calls with self-built 'IMSI' catchers, mobile networks have not been able to stop such attacks.

"Progress in terms of security in the telecoms world is much slower than the general IT world, as applying a fix to mobile and fixed-line phones will cost a lot of money, which leads to companies not carrying out the work," says Rupp.

No easy fixes

"For some problems, there are no easy fixes. Telephone interception, the only solution to that is end-to-end encryption and that's something that has to happen on the terminal side."

GSMK has seen the adoption rate of encrypted handsets among management increase dramatically in the last 12 months. More and more companies are supplying their employees with encrypted handsets which they must use when making calls relating to sensitive company information.

The networks, for their part, have started to improve their security systems by adopting better encryption standards, but this is still some way from ideal: "[This encryption] only provides a basic level of security that is good for protecting an individual from his neighbour listening in. Of course that encryption can never be end-to-end when it is provided by the networks."

Rupp adds that if you are dealing with industrial espionage or even government secrets, then you must assume that the attacker is sophisticated enough to know that when there is no end-to-end encryption.

"Even if the first link from the mobile phone to the base station is encrypted, the link from the base station to the switching centre is not encrypted, and you just log on to that and intercept it, and boom, there you have all the contents."

If you are making a phone call back to your head office from abroad, talking about a sensitive piece of corporate information, Rupp says that without end-to-end encryption, your competitors are likely going to be able to snoop on your conversations.

The first line of security needs to happen in the phones themselves and Kopp believes it is up to each company to "beef up security," just as it is the company's obligation to protect their laptops and PCs.

Vulnerable

In another example of how vulnerable telecoms networks are, Ruhr University Bochum in Germany recently demonstrated that satellite telephony, which was thought to be secure against eavesdropping, can be intercepted.

Researchers cracked the encryption algorithms of the European Telecommunications Standards Institute (ETSI), which are used globally for satellite telephones, and revealed significant weaknesses.

Rupp also says that telephone interception and monitoring is not the preserve of nosey neighbours or criminals. He says that in most countries "you must assume that all calls are recorded." With digital storage costs dropping in recent years, governments the world over are now able to record and store every single phone call.

"It has become really cheap to record everything by default. Any decent intelligence agency can easily afford to record all calls made in a given year on their local networks - be it mobile or fixed line. The cost is negligible for the budget these intelligence agencies typically have."

Rupp says that every one of your calls is stored somewhere and it is only a matter of someone accessing it from an archive to listen back to your conversations.

Most countries use intelligence support systems (ISS) which make life for the analyst a lot easier by filtering out the calls which might be important.

The first-stage filters monitor call patterns. For example a typical call pattern for an organised crime group would see one person call five people, then each of those five people call another five people and so on.

Pre-filtering by call data records is then carried out, and once you have a group of 'interesting' calls, speech analysis is done on them to identify key words. Vocal recognition is not carried out on the whole set of calls as it is still relatively expensive to do this for such a large sample.

Street

In terms of carrying out surveillance on your neighbours, Rupp says local interception can be extremely cheap, but you do need to be relatively close to the victim.

"Corporations and governments just need to adopt the same approach that they already apply to other mobile devices, most notably laptops, notebooks and so on.

"Of course mobile phones these days are computers that happen to fit in a pocket, that have a microphone and a speaker. They are full blown computers that are subject to the same risks as laptops and desktop computers are."

A criminal will always look for the soft link as the place to attack, and right now, Rupp believes this means mobile phones. "They [mobile phones] all have access to the corporate email system and they are carried by key individuals in their pockets all the time."

Rupp says the technology to do voice encryption, message encryption and mobile device security is available. "It's just like in the early days of email encryption and hard disk encryption, the perception is not yet there to the level it is there now in laptops, but it is a matter of time."

There is an obvious expense for corporations looking to implement these security measures, but Rupp says compared to the alternative of losing critical data to a competitor, the cost is much lower.