Software developed by the UK intelligence agency GCHQ for VoIP calls contains weaknesses that make it vulnerable to eavesdropping, with a deliberate 'backdoor' left in encryption that could make calls accessible by hackers.
According to Steven Murdoch, a security researcher from University College London, the encryption process used to secure calls made over the software was vulnerable, enabling third parties to intercept information without the awareness of those using the software to make a call.
The software, developed by the GCHQ, is called Mikey-Sakke and is being held up by the intelligence agency as the gold standard for VoIP technology for both governments and industries to work towards. At least two products are already available which use the standard, both of which are government-certified.
The GCHQ has denied that there is a 'backdoor' into the software, calling such accusations 'totally wrong' and saying that "the Mikey-Sakke protocol enables development of secure, scalable, enterprise-grade products."
"Although the words are never used in the specification, Mikey-Sakke supports key escrow," wrote Murdoch, referring to the inclusion of a feature than allows a third party to access the data sent between two people. "This is presented as a feature rather than bug, with the motivating case in the GCHQ documentation being to allow companies to listen to their employees' calls when investigating misconduct.
"The design of Mikey-Sakke is motivated by the desire to allow undetectable and unauditable mass surveillance. In the vast majority of cases the properties that Mikey-Sakke offers are actively harmful for security. It creates a vulnerable single point of failure, which would require huge effort, skill and cost to secure."