The Government Communications Headquarters, United Kingdom’s spy agency, has created a new encryption tool for government employees to protect their communication from hackers. But there’s a catch: it contains backdoor access for the UK government.
GCHQ developed the tool primarily to secure voice call transmissions between government employees in the country, but security researchers warn that it could also be used to perform mass surveillance without causing a blip on the radar of public notice.
Security experts fear the encryption could be adopted by commercial providers because it is built as an open source software. When that comes into reality, the British government could then exploit a flaw in the encryption and use the tool to spy on UK citizens. Worse, hackers could also find a flaw in the encryption and infiltrate private communications of government employees and private individuals.
There is now a growing concern over how GCHQ manages encryption keys following its existing standards called MIKEY-SAKKE. This security standard is dependent upon several master keys generated by the service providers themselves in order to help secure the call sessions. However, according to security experts, the master key is vulnerable to manipulations intended to decrypt the call sessions.
The fact that a master private key can be used to decipher voice calls between users presents a serious security risk to users, making them an easy target for attackers lurking in the corner. This also includes calls made from one country to another, as the calls can be decrypted at a gateway that would lead the call being exposed to snooping.
What makes this a glaring intrusion into user privacy is the fact that the British government can order service providers to surrender the content of the voice calls to authorities and decrypt the content because they hold the master keys. In comparison, Apple’s end-to-end encryption makes the GCHQ’s encryption a remote choice for security geeks, because with Apple’s encryption, even the company itself has no way of decrypting secured data.
Security researchers say the backdoor embedded in GCHQ’s encryption is understandable because of the agency’s obligation to secure the government communications and eliminate unauthorized access to it. It is only natural for the spy agency to want to have a full view of the communications passing through its infrastructure in order to probe intelligence leaks.
The only concern over the MIKEY-SAKKE protocol is that commercial companies might get interested in adopting the encryption for their voice call offerings. But GCHQ assures the public that the standard can be scaled for enterprise-grade application.