Source: www.csoonline.com – Author:
The recent breaches of sovereign telecom networks in the United States underscore how highly connected but fragmented public networks are increasingly vulnerable to sophisticated attacks.
Another rising concern is the blind trust organizations and individuals put into consumer-grade messaging apps such as WhatsApp to share government and commercially sensitive information. Some of the biggest risks concerning these uncertified methods of communication are identity (through public registration) and access to metadata, which can reveal a detailed picture of relationships and communication patterns. For instance, attackers can learn not only who communicated with whom, but also when, where and how often.
With mobile spying and network interception on the rise, what can organizations do to mitigate these risks and protect communications?
Why Telecom Networks and Mobiles Are a Prime Target
Telecom networks, by design, prioritize global reach and seamless connectivity.
David Wiseman, Vice President of Secure Communications for BlackBerry Cybersecurity:
“Public telecom networks, designed for global reachability, prioritize interconnectivity over security. While this is core to the value that telecom networks provide to consumers, it also means that security trade-offs must take place.”
This ethos, while beneficial to consumers, introduces systemic vulnerabilities. Automated interconnections between carriers worldwide enable effortless communication but also leave doors ajar for cybercriminals and state-sponsored hackers. The weaknesses in roaming protocols, which allow carriers to redirect or intercept cellular traffic without user knowledge, further exacerbate these risks.
As we’ve seen, these vulnerabilities are no longer theoretical. Threat actors now leverage telecom weaknesses and risky mobile apps for espionage, intelligence gathering, and even monetized cybercrime, such as “wire-tapping-as-a-service.” The stakes are high, not just for sensitive business information, but for matters of national security.
At the device level, it is often presumed that end-to-end encryption is enough when using common mobile apps for calls, messaging and file sharing. In fact, it should just be the starting line – and organizations relying on secure, confidential communications must take stock of what is being used by employees, where their data is held and how it is being used.
David Wiseman adds: “Metadata generated by communications via ‘free’ apps for voice calls and messaging can be easily traded, fuelling ‘wire-tapping-as-a-service’ markets that are readily available for purchase on the internet. This underscores the harsh reality that trust placed in uncertified apps does not extend to what happens with your metadata.”
BlackBerry’s Answer to an Otherwise Systemic Problem
Governments and businesses alike have exponentially increased the virtualization of their communications, and their people are often quick to adopt inappropriate consumer technology, whether it's WhatsApp or Signal, or communicating via their personal iOS® or Android™ devices.
These devices are ubiquitous and easy to purchase, and the apps themselves are quite frictionless to obtain, so it’s understandable from a usability perspective why individuals would be inclined to go down this path. Conversely, when provided with specific devices and tools to help secure their communications, users can be reluctant to use them consistently.
BlackBerry helps address these challenges with SecuSUITE®. The system works seamlessly with off-the-shelf iOS® and Android™ devices, maintaining excellent sound quality and message delivery speed, while providing the end-to-end encryption necessary to shut out eavesdropping at any point in the communications.
The user experience is uncompromised, and there is no frustration with having to distinguish operation and communication as fundamentally ‘different’ when using mobile devices.
There is also another equally important component to usability, and that is meeting the needs of technology management teams. Flexible deployment options allow for integration with Mobile Device Management (MDM) or operation in full ‘sovereign mode’ with no dependency on any particular vendor infrastructure.
In the case of possible user circumvention, SecuSUITE will not run on rooted or jailbroken devices. On start-up or update, the app always performs an integrity check – if it has been modified in any way, it will not start.
Looking Ahead: Organizations that demand trusted communications must deploy certified communication tools
The recent incidents reported in the US are a wake-up call, but they are far from unique. Vulnerabilities in one carrier can ripple across the globe, and this is why a shift towards a secure, sovereign system is not optional, but essential.
BlackBerry’s solutions are certified to meet the highest security requirements of Government, from unclassified through to Top Secret, and the portfolio of Unified Endpoint Management (UEM) and SecuSUITE serves as a blueprint for what the industry must prioritize for true mobile security: fine-grained controls for managing diverse devices, coupled with enforcement of security policies across all devices and applications that works seamlessly for the user both locally and abroad.
Original Post url: https://www.csoonline.com/article/3624850/the-hidden-risks-of-mobile-calls-and-messages-why-end-to-end-encryption-is-just-the-starting-line.html