It has been claimed that the security protocol behind Mikey-Sakke, the GCHQ-developed Secure Voice encryption standard, has a built-in backdoor that allows the UK spy agency to intercept and snoop on phone calls.
Dr Steven Murdoch, of University College London, has published a detailed analysis of VoIP encryption and the main weaknesses of the government-endorsed cryptography. In the report he says that the standard is weak by design.
Mikey-Sakke is used to encrypt VoIP calls and has ‘key escrow’ by design. This means that a third party has access to the data generated in a conversation using the software – a backdoor. Network operators – or a hacker purporting to be a network operator – could, therefore, listen to calls or even authorise someone else to do so.
GCHQ has disputed the researcher’s findings. A spokesperson for CESG said: “We do not recognise the claims made in this paper. The Mikey-Sakke protocol enables the development of secure, scalable, enterprise-grade products.”
Justin Harvey, chief security officer at Fidelis Cybersecurity, offers the following comment: “It’s interesting that GCHQ has developed its own VoIP encryption protocol, although like any form of technology, ‘key escrow’ is not inherently evil. There are legitimate cases for having key escrow that are not even government-related. Sometimes, for example, employers or organisations may need the ability to go back in time and find out what was said or what was recorded. This is perfectly legal and ethical as long as the participants understand. This means that these users should be made aware through an employment agreement or software license that this capability exists.
“The UK Government is currently advocating backdoors in encryption products that can supposedly only be used by law enforcement to enable them to read secure messages, such as text messages, emails and internet traffic.
“The Government should come to the realisation that the inclusion of backdoors in encryption isn’t merely a legislative or privacy mandate, however, it is technically impossible to control the use of a backdoor in this way. I liken the pro-backdoor encryption movement to complaints about the weather; some people complain about rain, snow or sunshine and wish it were otherwise, but in the end, we can’t do anything about it. The same is true for strong encryption.”