Analysis: Wireless phone headsets insecure
By SHAUN WATERMAN (UPI Homeland and National Security Editor)
Published: February 01, 2008TOOLBAR
WASHINGTON, Feb. 1 (UPI) -- Wireless phone
headsets of the kind beloved by Wall Street
executives and high-end law firms can be bugged
by simple off-the-shelf radio scanners unless they are encrypted.
"These guys are bugging their own office,
essentially," security consultant Doug Shields told United Press International.
He said that, for a recent client, he had used an
inexpensive commercial scanner capable of
monitoring frequencies in the 900 MHz and 1.2 GHz
ranges, which is where many of the popular hands-free headsets operate.
He said the scanner could hear conversations
inside buildings as far as 600 feet away.
"Sometimes, when the other party has hung up, the
wireless connection remains open and you can hear
what (the party at your end) is saying afterwards."
From a position across the street from his
client's facility, he said, the equipment was
able to record conversations by employees,
including commercially sensitive information.
"Some of this stuff, if you traded on it, you'd
never have to work again," said Shields, a
partner in Syracuse, N.Y.-based Secure Network Inc.
Scott Berinato, the executive editor of Chief
Security Officer magazine, told UPI he was aware
of cases where the technique had been employed,
among others, for corporate espionage.
"Some are encrypted, most are not," he said of
the commercially available headsets. "The risk is
(the difficulty involved in bugging them) is reasonably trivial."
He said "bigger, smarter" firms were likely to
have adopted encryption, giving as an example the
large pharmaceutical companies, which used
encryption even for internal presentations employing wireless microphones.
Buildings could also be shielded, he said.
"More (companies) should be doing it (adopting
countermeasures) than are," he said.
Shields said two other countermeasures were
spread spectrum and frequency hopping -- both of
which break up the transmission in different ways
to make it harder to intercept.
But he said most companies seemed unaware of the
risks inherent in this kind of technology. "They
are focused on other things," he said.
"We use industry-standard security," said Deborah
Kline, a spokeswoman for Avaya Inc., a telephone
technology company that is one of the makers of hands-free wireless headsets.
But she added, "Industry standards Â… are not
always as secure as we would like."
Bob Hayes, managing director of the Security
Executive Council, a membership organization for
security leaders in the private and public
sectors, struck a more skeptical note.
"There are a lot of threats that are technically
possible," he said, pointing out that monitoring
telephone conversations that way without
permission was a federal crime. "Why would I do
that," he asked, "when I could get the same
information a dozen different ways?" For instance
by going through someone's garbage, pretext phone
calling, or eavesdropping on conversations at trade shows.
"If you're doing business that sensitive," he
said, "your whole life should be at a higher
security level. Â… Secrets are stolen out of cars Â… or garbage cans."
He also said that, unless the listeners were "in
the right place at the right time," they were
likely to get "a lot of pizza orders, bedtime
kisses for kids" and other idle chatter.
"Think of it from the spies' point of view," he
said. "There's a reason every intelligence agency
in the world values human intelligence the most highly."
Jack Johnson, former chief security officer for
the Department of Homeland Security and now a
partner in the Washington federal practice at
Price Waterhouse Coopers, told UPI that, in
general when it came to new technology, "ease
-of-use considerations tend to trump security."
"It's not until after the technologies are in use
that we realize the vulnerabilities," he said.
----------------------------------------------------------------------------------------------------
World Class, Professional, Ethical, and Competent Bug Sweeps, and
Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
----------------------------------------------------------------------------------------------------
James M. Atkinson Phone: (978) 546-3803
Granite Island Group Fax: (978) 546-9467
127 Eastern Avenue #291 Web:
http://www.tscm.com/
Gloucester, MA 01931-8008 E-mail: mailto:jm..._at_tscm.com
----------------------------------------------------------------------------------------------------
We perform bug sweeps like it's a full contact sport, we take no prisoners,
and we give no quarter. Our goal is to simply, and completely stop the spy.
----------------------------------------------------------------------------------------------------
Received on Sat Mar 02 2024 - 00:57:26 CST