I Can Hear You
A recent article brought to light – again – that all of our collective phone calls, texts, and video chats are completely exposed. This is not new as many articles have discussed the complete lack of security for phone calls. In fact, Facebook got in trouble last year for recording all of our texts and mobile communications. The reality is that, short of buying a black phone (and getting a small subset of applications), there is really no option to protect your mobile communications. And that sucks.
The Real Issue
To be clear, the major providers – AT&T, Verizon and so forth can encrypt all of the traffic end-to-end but they choose not to for a valid reason – risk. They know, as do most of us these days, that none of the major security products enable long-term communications protection. As such, why should they try to protect communications when they will inevitably be responsible when a hack occurs. It is not as if anybody has a secure phone system that consumers can leverage to protect their privacy… But what if that was not the case?
How It Could Work
In order to truly revolutionize telecom systems, any candidate security would have to be capable of continuous, non-disruptive changes as a proactive service and not another static product. These changes would need to be both short-term and long-term. Short-term would focus on constantly changing the security for calls, video streaming and so forth. Every connection for every phone call would have to be unique and personalized for every conversation and yet there cannot be any sort of collective overhead or the entire system would crash. The only realistic option to this end would be a peer-to-peer (P2P) security system… And yet that P2P system would have to have some level of central control or there is no ability to actually manage things. Again, this type of central control cannot produce overhead and it cannot directly interfere with, or read the contents of, any given communication. To this end, the only real option is an out-of-band management approach that leverages peer device reporting to ensure enforcement. Since this system is protecting enterprise and consumer mobile communications, it also has to extend across all types of communications – Ethernet, WiFi, Bluetooth, microwave, satellite, and OTA – and it needs to be invisible to applications on these mobile devices. Imagine trying to force the billions of mobile apps to upgrade security every time a patch comes along! Longer term, this candidate security solution has to be able to modify any, and all, components of its protection without disrupting the devices being protected. This protection, ideally, would lock down device identity, enable P2P authentication, control and protect communications and enable remediation at the point of attack or malfunction. Over time, as different internal security options become vulnerable, this system needs to be able to switch out aspects of its protection with no interference to normal operations. Reacting to new threat vectors has to occur in real-time – again with no unwanted disruptions. When this type of system is created, then telecom providers can feel comfortable providing end-to-end protection for their customers. These providers will have complete control and visibility into their security without ever having to see their customers’ information. Customers would finally get the privacy and security that they, and a growing number of regulations (GDPR, anybody?), are demanding. And the first provider to market would, we think, capture a massive share of this new, safe, mobile world.