People are becoming more and more concerned about the security and privacy of electronic communications, particularly wireless. When a wireless system is compromised, the intrusion is not detected until harm has been done to the system or to its subscribers.
Wireless versus Wired
Eavesdropping on RF links in a telephone system. Heavy, straight lines represent wires or cables; zigzag lines represent RF signals.
Wireless eavesdropping differs from conventional wiretapping in two fundamental ways. First, eavesdropping is easier to do in wireless systems than in hard-wired systems. Those old-fashioned hardwired phone sets might not always be convenient, but your privacy is more likely to be maintained than is the case with a system that uses any form of wireless. Second, eavesdropping of a wireless link is nigh impossible to physically detect, but a tap can usually be found in a hard-wired system.
If any portion of a communications link is done by wireless, then an eavesdropping receiver can be positioned within range of the RF transmitting antenna (see the figure above) and the signals intercepted. The existence of a wireless tap has no effect on the electronic characteristics of any equipment in the system.
Levels of Security
There are four levels of telecommunications security, ranging from zero (no security) to the most secure connections technology allows.
No Security (Level 0): In a communications system with level 0 security, anyone can eavesdrop on a connection at any time, provided they are willing to spend the money and time to obtain the necessary equipment. Two examples of level 0 links are amateur radio and citizens band (CB) voice communications.
Wire Equivalent Security (Level 1): An end-to-end hard-wired connection requires considerable effort to tap, and sensitive detection apparatus can usually reveal the existence of any wiretap. A communications system with level 1 security must have certain characteristics in order to be effective and practical:
- The cost must be affordable.
- The system must be reasonably safe for transactions such as credit-card purchases.
- When network usage is heavy, the degree of privacy afforded to each subscriber should not decrease, relative to the case when network usage is light.
- Ciphers, if used, should be unbreakable for at least 12 months, and preferably for 24 months or more.
- Encryption technology, if used, should be updated at least every 12 months, and preferably every six months.
Security for Commercial Transactions (Level 2): Some financial and business data demands protection even beyond the wire equivalent level. Many companies and individuals refuse to transfer money by electronic means because they fear criminals will gain access to an account. In a communications system with level 2 security, the encryption used in commercial transactions should be such that it would take a potential intruder (also called a hacker) at least 10 years, and preferably 20 years or more, to break the cipher. The technology should be updated at least every 10 years, but preferably every 3 to 5 years.
Military Level Security (Level 3): Security to military specifications (also called mil spec) involves the most sophisticated encryption available. Technologically advanced countries, and entities with economic power, have an advantage here. However, as technology gains ever more (and arguably too much) power over human activities, aggressor nations and terrorists might injure powerful nations by seeking out, and striking at, the weak points in communications infrastructures. In a communications system with level 3 security, the encryption scheme should be such that engineers believe it would take a hacker at least 20 years, and preferably 40 years or more, to break the cipher. The technology should be updated as often as economics allow.
Extent of Encryption
Wireless-only encryption. Heavy, straight lines represent wires or cables; zigzag lines represent RF signals.
Security and privacy in wireless networks and communications systems can be achieved by means of digital encryption. The idea is to render signals readable only to receivers with the necessary decryption key. This makes it difficult for unauthorized people to gain access to the system.
For level 1 security, encryption is required only for the wireless portion(s) of the circuit. The cipher should be changed at regular intervals to keep it fresh. The block diagram in figure A above shows wireless-only encryption for a hypothetical cellular telephone connection.
End-to-end encryption. Heavy, straight lines represent wires or cables; zigzag lines represent RF signals.
For security at levels 2 and 3, end-to-end encryption is necessary. The signal is encrypted at all intermediate points, even those for which signals are transmitted by wire or cable. Figure B above shows this scheme in place for the same hypothetical cellular connection as depicted at A.
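The difference between the two schemes can be modelled in a few lines. The following is an added example, not part of the original text: it walks a message across a constructed four-segment cellular path and reports which segments would hand plaintext to a tap. The segment names, keys and the toy SHA-256 keystream cipher are assumptions chosen for illustration, not a production cipher.

```python
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

# Constructed path for the hypothetical cellular call: (segment, medium).
PATH = [
    ("handset A -> cell site A", "rf"),
    ("cell site A -> switch", "wire"),
    ("switch -> cell site B", "wire"),
    ("cell site B -> handset B", "rf"),
]

def observe(message: bytes, scheme: str) -> dict:
    """Return what a tap on each segment captures under the given scheme."""
    e2e_key = b"constructed end-to-end key"
    seen = {}
    for name, medium in PATH:
        if scheme == "end-to-end":
            # Encrypted once at the source, decrypted only at the far handset.
            seen[name] = keystream_xor(e2e_key, message)
        elif scheme == "wireless-only" and medium == "rf":
            # Each RF hop has its own key; the cell site decrypts on receipt.
            seen[name] = keystream_xor(b"link key: " + name.encode(), message)
        else:
            seen[name] = message  # travels in the clear on this segment
    return seen

def exposed_segments(message: bytes, scheme: str) -> list:
    """Segments on which a tap would read the plaintext directly."""
    return [n for n, data in observe(message, scheme).items() if data == message]

if __name__ == "__main__":
    msg = b"card number 0000 0000 0000 0000 (constructed)"
    for scheme in ("none", "wireless-only", "end-to-end"):
        print(scheme, "->", exposed_segments(msg, scheme))
```

Under wireless-only encryption the two wired segments still carry plaintext, which is why that scheme only reaches wire-equivalent (level 1) security.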
Security with Cordless Phones
Wireless tapping of a cordless telephone
Most cordless phones are designed to make it difficult for unauthorized people to pirate a telephone line. Prevention of eavesdropping is a lower priority, except in expensive cordless systems. If there is concern about using a cordless phone in a particular situation, a hard-wired phone set should be used.
If someone knows the frequencies at which a cordless handset and base unit operate, and if that person is determined to eavesdrop on conversations that take place using that system, it is possible to place a wireless tap on the line. The conversation can be intercepted at a point near the cordless phone set and its base unit, and then transmitted to a remote site (see the figure above) and recorded there.
Security with Cell Phones
Cellular telephones are, in effect, long-range cordless phones. The wider coverage of cellular repeaters, as compared with cordless base units, increases the risk of eavesdropping and unauthorized use. Some cell phone vendors advertise their systems as “snoop proof.” Some of these claims have more merit than others. The word “proof” (meaning “immune”) should be regarded with skepticism. Digital encryption is the most effective way to maintain privacy and security of cellular communications. Nothing short of this is really of any use against a determined hacker.
Access and privacy codes, as well as data, must be encrypted if a cell phone system is to be maximally secure. If an unauthorized person knows the code with which a cell phone set accesses the system (the “name” of the set), rogue cell phone sets can be programmed to fool the system into thinking they belong to the user of the authorized set. This is known as cell phone cloning.
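Why a set "name" sent in the clear is enough for cloning, and how keeping the secret off the air defeats it, is shown in the following added example, which is not part of the original text. It goes one step beyond the page: instead of only encrypting the access code, it uses challenge-response with a shared secret (HMAC-SHA-256), which is an assumption of this example, as are the class, function and set ID names.

```python
import hashlib
import hmac
import secrets

def respond(key: bytes, challenge: bytes) -> bytes:
    """Handset side: prove knowledge of the key without transmitting it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Network:
    """Hypothetical carrier-side admission check (names are assumptions)."""
    def __init__(self):
        self.keys = {}     # set ID -> secret shared with the genuine handset
        self.pending = {}  # set ID -> challenge still awaiting a response

    def enroll(self, set_id: str) -> bytes:
        self.keys[set_id] = secrets.token_bytes(32)
        return self.keys[set_id]

    def admit_static(self, set_id: str) -> bool:
        # Weak scheme: whoever presents a known set ID is accepted.
        return set_id in self.keys

    def challenge(self, set_id: str) -> bytes:
        self.pending[set_id] = secrets.token_bytes(16)  # fresh per attempt
        return self.pending[set_id]

    def admit_response(self, set_id: str, response: bytes) -> bool:
        challenge = self.pending.pop(set_id, None)      # single use
        key = self.keys.get(set_id)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(respond(key, challenge), response)

def demo() -> dict:
    net = Network()
    key = net.enroll("SET-0001")                 # constructed set ID
    c1 = net.challenge("SET-0001")
    r1 = respond(key, c1)                        # sent over the air
    genuine = net.admit_response("SET-0001", r1)
    overheard = ("SET-0001", c1, r1)             # all an RF listener can record
    static_clone = net.admit_static(overheard[0])
    net.challenge("SET-0001")                    # rogue set gets a new challenge
    replay_clone = net.admit_response("SET-0001", overheard[2])
    return {"genuine": genuine, "static_clone": static_clone,
            "replay_clone": replay_clone}
```

The overheard set ID alone is accepted by the static check, while the recorded response is useless against a fresh challenge because the key itself never crosses the RF link.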
In addition to digital encryption of data, user identification (user ID) must be employed. The simplest is a personal identification number (PIN). More sophisticated systems can employ voice pattern recognition, in which the phone set functions only when the designated user’s voice speaks into it. Hand-print recognition, electronic fingerprinting, or iris print recognition can also be employed. These are examples of biometric security measures.