Are employees slowly leaking data by adopting new communications services?
We’ve seen a lot of reports on encrypted messaging applications in the news recently, but one question remains unanswered: are data leaks via these applications a real risk for enterprises today?
Ubiquitous communications is more of a norm now than an exception as employees increasingly have access to new ways of communicating with colleagues, business partners and customers. It has become more than commonplace to carry out discussions using solutions such as WhatsApp, Telegram or even things like Slack.
These types of solutions are attractive to employees because they provide convenient channels for real-time communications versus the traditional e-mail, which may or may not be delivered or read in a timely fashion. At the same time, these solutions provide a full set of features allowing users to share more than just messages: files, pictures, screenshots, voice…
Mobile messaging apps in particular have become one of the most prevalent communication solutions in business, but have also regularly been in the news due to personal information leakage and security concerns. Most recently we saw reports of a possible backdoor in WhatsApp as well as security issues with Telegram, with some reports even claiming that the app has been compromised by the FSB.
This blog will not rehash the issue on how the encryption protocol should or should not work, but rather explore the risks of mobile messaging apps from a data leakage perspective. Let's say it was possible to backdoor or break the encryption protocol for one of these apps. This might give government agencies, competitors or even malicious parties the ability to spy and gather the conversation happening could provide insight into current business activities.
Conducting Business Using Messaging
Employees have turned to these types of messaging apps to plan meetings, discuss business or collaborate on projects. This may be occurring employee to employee or even employee to customer or partner. It has become an easy channel for business communications, especially in today's business world where business is conducted at all hours of the day and across multiple time zones and geographic locations. Outside of the attraction of real time communications, it is also attractive to users because of the 'free' nature of the service – that is, these apps rely on data network services instead of sending expensive SMS or photo calls.
The risk here is the lack of ability to track and control distribution of confidential data or IP to unintended or unauthorized recipients. One example that comes to mind is the sharing of customers’ contact information with a third party partner. This act might be in violation of GDPR or other privacy and security regulations. How do you control this when the information is encrypted end-to-end (or device to device)? There could even be issues of sharing of information such as insider trading or trade secret theft. How would you be able to monitor this, or worse, how can you report for compliance reasons?
This is potentially the biggest risk as messaging apps can become an unmonitored mechanism for a malicious insider to leak data via a variety of methods. The user could copy email text or capture screenshots of file attachments and securely exfiltrate them via the messaging solution. Some of the voice sharing features could even be used to record and transmit meetings. Again the concern here is that we are faced with solutions that provide end-to-end encryption. The fact that the primary platform is a mobile device is not an inhibitor as most of these solutions provide a lightweight client for desktop machines, facilitating yet another exfiltration method. Again the risks revolve around control and being able to monitor for data loss or compliance issues.
In both previous cases an external party is most likely involved in combination with internal users. The question then falls, based on the recent research and news, can a third party really intercept the messages? Whisper denies the claims that there is a backdoor in WhatsApp or the company’s Signal Protocol on which WhatsApp relies, while Telegram definitely is susceptible to interception of messages – not just through encryption backdoors but through metadata as well. This, of course, opens the door to snooping and capturing exchange data. The metadata aspect is also very concerning as it gives away information about when, who and where messaging is occurring.
Why would this be a risk for in terms of leakage? Let's postulate a scenario, you are the CEO of "E Corp" and are in negotiations with "Ellingson Mineral Company" to buy them out. Metadata might reveal that you are regularly in conversations with each other or that you as CEO have been meeting with your counterpart in a legal firm.
Whether metadata is used to identify business activities or the communications are man in the middled, the risk is the same in that there is a potential for data to be divulged or plans distributed by a loss of IP or unintentional leakage.
What Precautions can you Take?
In the context of business, there is no magic pill. It's extremely hard to control these types of communications methods with the proliferation of ubiquitous devices such as smartphones. The best deterrence remains education and helping your users be aware of the potential risks that might occur if these messaging solutions are used against them and how to avoid accidentally sharing information.
If the business provides the mobile device, make sure it is managed using MDM/MAM solutions and that proper policies are put into place such as not allowing the installation of these apps or controlling the use of the apps when the user is in a company location, including turning off microphones and cameras. Of course this doesn't address the risk of data loss via a user's personal device.
It may be possible to, at minimum, detect connections to these services if the mobile devices are connecting to company data networks and these are monitored. Depending on the messaging solution, it may even be possible to perform content inspection of the packets barring device-to-device encrypted messages.
These communications methods are interesting and can be business enablers. In cases where there is a business benefit, it might be interesting to look at corporate versions that allow users to securely message each other.
Although we've not seen or identified any specific data leaks performed via messaging solutions, is it only a matter time? We regularly see screenshots of weird or compromising conversations on news sites, for example, this leaked WhatsApp conversation in which an employer attempted to take advantage of an employee who was in consideration for a promotion. So how long is it until we see reports of corporate secrets being leaked or stolen using similar methods? That answer isn’t clear yet, but the time to act and address this either via policy and user awareness is now.