A security researcher has claimed that Mikey-Sakke, the security protocol behind the GCHQ-developed Secure Voice encryption standard, has a built-in backdoor that allows the UK spy agency to intercept and snoop on phone calls.
The findings come from Dr Steven Murdoch of University College London, who published a detailed analysis of VoIP encryption and the main weaknesses of the government-endorsed cryptography.
In general, Mikey-Sakke works by generating encryption keys that are used to encrypt and decrypt voice conversations. But the standard is weak by design, according to Murdoch.
“Mikey-Sakke is designed to offer minimal security while allowing undetectable mass surveillance through key-escrow, not to provide effective security,” he said.
Murdoch explained that Mikey-Sakke’s support for ‘key-escrow’, a system set up so that a third party has access to any data sent between two people in a conversation, is a concern for citizens.
“If the network provider is served with a warrant or is hacked into, it is possible to recover responder private keys and decrypt past calls without the legitimate communication partners being able to detect this happening,” said the researcher.
“[The technology] facilitates undetectable mass surveillance. This is presented as a feature rather than bug, the motivating case in the GCHQ documentation being to allow companies to listen to employees’ calls when investigating misconduct, such as in the financial industry.”
Secure Voice and Mikey-Sakke were developed by the Communications-Electronics Security Group (CESG), GCHQ’s information security wing.
“In the vast majority of cases the properties that Mikey-Sakke offers are actively harmful for security,” said Murdoch. “It creates a vulnerable single point of failure, which would require huge effort, skill and cost to secure, requiring resource beyond the capability of most companies.”
GCHQ has disputed the researcher’s findings. A spokesperson for CESG said: “We do not recognise the claims made in this paper. The Mikey-Sakke protocol enables the development of secure, scalable, enterprise-grade products.”
The news comes amid increased controversy about the UK government’s stance on encryption in the wake of the Draft Investigatory Powers Bill. The government claims that it has “no intention” of weakening encryption standards, but many critics, including major technology firms, have voiced opposition to the proposals.
Most recently, Apple called on the UK government to rein in key sections of the draft bill. “The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers,” the firm said in a written submission to the government.