Pan-agency secure communications – the quest to replace consumer apps

As UK police forces and public sector bodies are under pressure to move away from the use of unregulated social media apps like WhatsApp, one company is delivering the vision of a secure communications platform.

Wouldn’t it be great if people working in one government agency or police force could also communicate easily and securely with those working in any other? In short, they could collaborate with colleagues with complete peace of mind. What is needed is a cloud-based, cost-efficient solution to the social media conundrum, where people in different agencies need to share information using a device that they have with them all the time, but without the associated security risks.

At the moment many agencies are still using free social media apps like WhatsApp for messaging, voice and video calls, and for sending attachments/photos/documents.

So what is the problem with consumer apps?

The overriding issue with free social media apps is where data is held and who has access to it. This includes metadata: details of where you have been, who you spoke to and when. This is important information that you don’t want to get into the wrong hands, even before the content of such communications is taken into account. Many social media apps do have reasonable security while the data is in transit, but there are many other aspects of security which are neglected. The key motivation for any social media platform is to monetize, and access to user data is a potentially lucrative asset that could be sold to the highest bidder.

Understandably police and government security experts are concerned about this and are putting pressure on IT and telecoms departments to move away from such insecure practices.

SS7 hack

Though its media encryption uses the respected Signal protocol, WhatsApp has been shown to be susceptible (in the same way as similar applications such as Telegram and Viber) to attacks using flaws in SS7 that allow an attacker to mimic a victim’s device. SS7 (Signaling System No. 7) is the system that connects mobile phone and landline networks to each other and enables phone networks to exchange information needed to process calls and text messages across disparate networks. WhatsApp relies on the integrity of your mobile phone number to identify you but this can be faked at the SS7 level. Hackers can take on the victim’s WhatsApp identity, sending and receiving messages to other users. A hacker with access to the SS7 system can control voice and SMS services to and from a mobile, intercepting calls, reading SMS messages and tracking the phone’s location.

Rogue encryption keys and URLs

Other vulnerabilities include WhatsApp’s ability to force the generation of new encryption keys for offline users, and the fact that URLs typed directly into WhatsApp ping the website in question. These vulnerabilities threaten the privacy of those using the service.

Big data – unregulated lists

Those registered with WhatsApp run the risk of appearing in large super lists that can be built using WhatsApp in a web browser. APIs are available on the web that enable anyone to request information about any number registered in WhatsApp; the number doesn’t need to be in your address book. Information that is freely available includes your profile picture, your ‘about’ text and your online/offline status. Using this method it is possible to build a database of almost limitless size and construct timelines showing user activity.

Pan-Agency Secure collaboration platform

While we cite WhatsApp, it is one example – almost any other social media app is likely to have similar vulnerabilities and issues with privacy, including where and how your data is stored.
So what is the answer? For any sensitive, official or corporate communications, social media apps should never be used. It is better to use an app that you control, so that you know where your data is at all times, and that has security and privacy baked in.

Several police forces are currently trialing a cloud-based secure communications platform that will enable users to talk to colleagues, send messages and attachments, conduct video conferences, and make calls to and from desk phones and business applications such as Skype for Business. This solution is CPA, FIPS and NATO approved. A pan-police community is already being built, similar to one in existence for central Government departments. The police forces and government departments taking part are able to use the same modern everyday communications features that users have come to expect, but from a much more secure footing, with better control of the data and metadata. What’s more, there is the added flexibility of ‘push to talk’ capabilities for those groups of users that need them.

Andy Lilly, Director and co-founder, Armour Communications

For more information about secure collaboration platforms from Armour Comms visit our website, call or email us.

Tel: 020 36373801
