The GCHQ has developed VoIP encryption tools with a built-in backdoor, allowing both authorities and third parties to listen in on conversations.
The backdoor is embedded into the MIKEY-SAKKE encryption protocol and has a 'key escrow' built in, allowing those with authority - whether an employer or government agency - to access it if a warrant or request is made.
The backdoor was uncovered by Dr Steven Murdoch, a security researcher from the University of London, who wrote a blog about the potential snooping tool.
He explained that MIKEY-SAKKE has a monopoly over other security protocols used by approved government voice communications, meaning almost all software used for communication is using the encryption, with the enbedded backdoor. GCHQ can also insists the technology is used in other products used by the public sector and companies "operating critical national infrastructure".
"Although the words are never used in the specification, MIKEY-SAKKE supports key escrow," Murdoch wrote. "That is, if the network provider is served with a warrant or is hacked into it is possible to recover responder private keys and so decrypt past calls without the legitimate communication partners being able to detect this happening."
He explained this is being marketed as a benefit to using MIKEY-SAKKE rather than a bug, with documentation issued by GCHQ advertising it means employers can listen into voice communications when investigating into misconduct trials.
"The Government should come to the realisation that the inclusion of backdoors in encryption isn't merely a legislative or privacy mandate, however, it is technically impossible to control the use of a backdoor in this way." Justin Harvey, chief security officer at Fidelis Cybersecurity said.
"I liken the pro-backdoor encryption movement to complaints about the weather; some people complain about rain, snow or sunshine and wish it were otherwise, but in the end, we can't do anything about it. The same is true for strong encryption."
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
‘Archaic’ legacy tech is crippling public sector productivityNews The UK public sector has been over-reliant on contractors and too many processes are still paper-based
-
Public sector improvements, infrastructure investment, and AI pothole repairs: Tech industry welcomes UK's “ambitious” AI action planNews The new policy, less cautious than that of the previous government, has been largely welcomed by experts
-
UK government trials chatbots in bid to bolster small business supportNews The UK government is running a private beta of a new chatbot designed to help people set up small businesses and find support.
-
Operational efficiency and customer experience: Insights and intelligence for your IT strategyWhitepaper Insights from IT leaders on processes and technology, with a focus on customer experience, operational efficiency, and digital transformation
-
AWS makes its Panorama Appliance generally availableNews The device helps increase quality control, optimize supply chains, and enhance consumer experiences
-
Eagle Eye Networks announces new editions of Cloud VMSNews The editions are suitable for small, medium, and large businesses
-
How to build a Raspberry Pi security cameraTutorials Build your own cut-price surveillance equipment
-
EnGenius EL-EWS1025CAM reviewReviews A clever hybrid IP camera that combines video surveillance with a wireless AP and support for EnGenius’ Neutron WLAN meshing
