Skip Navigation
BlackBerry ThreatVector Blog

Why Phone Calls Aren't Necessarily More Secure Than Email

Businessman using mobile smartphone and icon network connection data with growth graph customer, digital marketing, banking and payment online, analysis and planning of business.

How many times do enterprise executives or managers today get into a crucial discussion via online channels only to decide that it's "too sensitive for email?” They take the conversation offline to avoid having their written conversation intercepted, spied upon, or possibly taken out of context by the wrong people. So, they hop onto the phone for the presumed safety of a voice-only discussion.

With the drastic increase in the number of people working remotely as a result of social distancing measures to combat the spread of the coronavirus, significantly more business is being conducted on mobile devices and outside of the corporate firewall.

Executives and corporate staff in general need to keep in mind that the state of technology today is such that sensitive phone calls may be just as vulnerable to risk as any other kind of online communication.

Mobile Device Vulnerabilities

Rampant vulnerabilities in cell phone networks and in the mobile devices themselves make it trivial to collect voice data. Meanwhile, rapid advancements in voice-to-text speech recognition, and artificial intelligence analysis of voice data, greatly simplifies the process of sifting through all of those spoken conversations.

The truth is that the risk profile of voice calls has changed tremendously over the last few years. Unfortunately, most enterprises aren't adjusting their cyber strategies to reflect that sea change. Even a decade ago, voice conversations were relatively vulnerable to attacks by government entities and technically advanced criminals seeking to breach cell networks and devices to pick up the conversations of specific targets.

However, the barrier to entry was fairly high for collection of this data—it took quite a high level of technical investment to carry out. Even higher was the cost of manually parsing all of that information to create easily readable and searchable text to truly gain timely intelligence from it.

So, while the possibility of these attacks has been high for a long time, the probability of suffering an attack remained low for many years. Which is why we've been lulled into a false sense of security about voice channels. However, all of the barriers to entry are being swiftly knocked over due to a number of factors:

Collection is Trivial

Well-established pathways for voice network hijacking and remote compromise of smartphones are quickly becoming commoditized. There was a time when only government agencies could buy something like the Stingray device to intercept voice conversations.

Now anyone can get their hands on tools like these. According to an article last year in Vice, it's a piece of cake to build a homemade IMSI-catcher similar to a Stingray in under 30 minutes with $20 in parts from Amazon.

Processing is Cheap and Scalable

Four or five years ago, automated speech recognition technology was still too unreliable to depend upon for accurate decoding of voice data into text. But advances in machine learning and AI-powered services have accelerated the accuracy of the services, making them much more viable for working on large amounts of voice data at scale.

It would have costed someone a minimum of $1.50 per minute several years ago to get a decent human-powered transcription to turn intercepted voice data into text. Not only was it expensive, but there was only so much production any single workforce-dependent transcription service could handle.

Today, machine learning-powered speech-to-text services are somewhere along the lines of 60x cheaper—and very accurate at that. For example, Google Cloud's speech-to-text API service can process between 60 and 1 million minutes of voice data for about $0.024 per minute.

Analysis is Advancing at Warp Speed

Not only are AI advancements powering huge gains in what speech-to-text technology can do with voice data, but it's also driving a revolution in the field of voice analytics. In the legitimate enterprise market targeted toward call centers and the like, companies like VoiceBase and Voice Analytics are offering analysis services that do keyword detection, pattern recognition, sentiment analysis, and knowledge extraction from large swaths of voice data as it is collected in real-time.

Now, imagine these kinds of capabilities being ported over to the criminal underworld to be put to use for nefarious purposes. Research on this field is advancing at such a rapid pace that it's reasonable to assume that with enough motivation the bad guys will find a way to tap into these capabilities in the coming years.

Takeaways

The point here is that the convergence of all of these trends is drastically driving down the cost of conducting voice attacks against phone users. This is not the stuff of crazy spy novels anymore. Organizations need solutions that are designed for today’s threats.

The technology necessary to pull off a range of attacks is now easily accessible by everyday crooks and pedestrian adversaries. The ROI for them to leverage voice attacks for petty theft, casual collection of data, and opportunistic fraud gets better by the day. As a result, the risk profile of voice communication starts to look a lot like that of email.

Organizations are going to need to tweak their cybersecurity investments accordingly. Right now, most large enterprises spend copious amounts of money on email security and the protection of online communication. They wouldn't think to operate without firewalls for their servers and scanning for their email systems. But at the same time, they're leaving their voice conversations completely exposed.

For a long time, they've been able to count on the low ROI of voice attacks to keep them shielded from widespread risk to phone communications. But the economics have changed. We can't afford to assume phone channels are so sheltered anymore.

Chris Hummel

About Chris Hummel

VP and Chief Information Officer at BlackBerry