Convergence Q&A; Wireless Analog Opens Vulnerability

Feb. 13, 2013
Non-digital keyboards, headsets and microphones can create an easy hole for eavesdroppers to listen in on corporate secrets

The analog-to-digital transition has obviously been a hot topic in the security industry for several years. Here is a situation where not moving from analog to digital can have serious security impacts:

Q: During a recent training meeting I noticed that the meeting room’s wireless microphone system had frequencies listed on the equipment. Doesn’t this mean that someone could buy a matching receiver and listen in on our meetings?

A: If the system is typical analog technology, the answer is yes.

Analog wireless microphones, headsets and keyboards are all subject to eavesdropping attacks that can be accomplished with less than $100 worth of equipment. Search YouTube or the web and you will find countless examples and guides. Wireless vulnerabilities are easy to exploit because it can usually be done from outside the building.

If there has been no recent security assessment of meeting rooms and executive offices, and no survey of employee desktop equipment, performing one as soon as possible would be a wise move. This might be combined physical security/IT collaboration, as for any sizeable organization the most likely available resource for desktop inspection is the team of patrolling security officers. An alternative would be to have business unit managers perform checks in their own areas.

Wireless Keyboards: Analog wireless keyboards broadcast every keystroke typed, which of course includes passwords, security phrases, account numbers, and other private and sensitive data. This kind of snooping is rarely detected because it does not require any additional equipment to be plugged into the computer.

Wireless Headsets: An extremely vulnerable situation is an analog wireless headset that is “on” all the time. Sitting on the desk or hanging on the display monitor, it acts as a broadcasting microphone, transmitting conversations outside the office and building walls.

A broad spectrum of data is vulnerable within office and meeting room transmissions, including meeting participants, travel schedules, and other information that can enable physical access breaches via social engineering.

Wireless Microphones: A good wireless microphone system requires pairing of each microphone to the base station using a unique electronic serial number. Simultaneous physical access to both devices should be needed to pair the two. Some systems provide optional software for use in configuring advanced features, requiring you to put the base station on the network. For security reasons, be sure to take the base station back off the network when configuration is completed. For both security and future-proofing reasons, a wireless microphone system should also support upgradable hardware and firmware.

Ideally, a wireless microphone system would allow adjustment of the microphone’s transmission distance to confine it within a room or only a few feet beyond. Transmissions can also be encrypted — this capability also helps to eliminate interference between devices when multiple systems are used in the same building.

Once the security features are in place, be sure to check the audio quality provided by the microphone system. There are wireless systems today that provide the same audio quality as wired microphones. One system that meets all these requirements is the Executive HD MaxSecure 8-Channel Wireless Microphone System from Revolabs.

Periodically, wireless microphones must be physically inspected to make sure that the devices have the same serial numbers as those originally installed. Clever eavesdroppers can drop an extra same-brand microphone into the room — or replace an existing one — to listen in. Typically, meeting room users trying the rogue microphone would think it is broken and simply switch to a different microphone. If the microphone trouble is actually reported, that’s usually after the meeting—and any eavesdropping session—are concluded.

Security Policies

Starting around 2008, wireless keyboard and headset manufacturers began switching over to secure digital technology. When upgrading from analog wireless systems to digital, look for technology that supports AES 256-bit encryption, which is the standard for many government agencies and is appropriate for executive meeting rooms. Still, a number of organizations specifically forbid the use of wireless keyboards, analog headsets and microphones. Many IT departments have specific wireless products on their acceptable products list (APL) and prohibit the use of others. Which situation is your company in?

Write to Ray about this column at [email protected]. Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Content Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).