GCHQ VoIP software can be used to eavesdrop
The backdoor could allow agents, employers or third parties to listen in on conversations
The GCHQ has developed VoIP encryption tools with a built-in backdoor, allowing both authorities and third parties to listen in on conversations.
The backdoor is embedded into the MIKEY-SAKKE encryption protocol and has a 'key escrow' built in, allowing those with authority - whether an employer or government agency - to access it if a warrant or request is made.
The backdoor was uncovered by Dr Steven Murdoch, a security researcher from the University of London, who wrote a blog about the potential snooping tool.
He explained that MIKEY-SAKKE has a monopoly over other security protocols used by approved government voice communications, meaning almost all software used for communication is using the encryption, with the enbedded backdoor. GCHQ can also insists the technology is used in other products used by the public sector and companies "operating critical national infrastructure".
"Although the words are never used in the specification, MIKEY-SAKKE supports key escrow," Murdoch wrote. "That is, if the network provider is served with a warrant or is hacked into it is possible to recover responder private keys and so decrypt past calls without the legitimate communication partners being able to detect this happening."
He explained this is being marketed as a benefit to using MIKEY-SAKKE rather than a bug, with documentation issued by GCHQ advertising it means employers can listen into voice communications when investigating into misconduct trials.
"The Government should come to the realisation that the inclusion of backdoors in encryption isn't merely a legislative or privacy mandate, however, it is technically impossible to control the use of a backdoor in this way." Justin Harvey, chief security officer at Fidelis Cybersecurity said.
"I liken the pro-backdoor encryption movement to complaints about the weather; some people complain about rain, snow or sunshine and wish it were otherwise, but in the end, we can't do anything about it. The same is true for strong encryption."
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Evaluate your order-to-cash process
15 recommended metrics to benchmark your O2C operationsDownload now
AI 360: Hold, fold, or double down?
How AI can benefit your businessDownload now
Getting started with Azure Red Hat OpenShift
A developer’s guide to improving application building and deployment capabilitiesDownload now