Security Lapse at the EU Leaders’ Summit

In photos made public of several closed-door bilateral meetings between various European leaders last week, there were two common denominators. One was the presence of the French President Francois Hollande. The other was the VoIP phone on the conference table. What is that phone doing there?

In the middle of a major brouhaha over charges that the US National Security Agency had monitored the phone conversations of foreign diplomats, the officials in those photos were speaking to each other in the presence of this easily-tapped device. According to media reports based on a classified document from former NSA contractor and current fugitive Edward Snowden, a US official from another department handed over to the NSA more than 200 telephone numbers, including those of 35 unnamed world leaders.

That latest revelation sparked the latest round of diplomatic tensions between the US and its European allies, after German Chancellor Angela Merkel accused the US last Wednesday of snooping on her mobile phone. Later revelations have indicated that the US has been spying on Merkel for more than a decade.

With repeated denials by Washington, Merkel and Hollande held closed-door meetings on the sidelines of the summit and the German leader said afterward that “being spied on together has brought us closer”.

Yes, but hadn’t they realized that, with that apparently connected VoIP phone in attendance, those meetings also brought the US and any other keen uninvited parties much closer than they would like?

A VoIP phone, a common sight in offices these days, uses the internet instead of the traditional phone network to transmit phone calls. It may be cheap, but for anyone looking for security, VoIP spells danger. And it brings into question the competency of European security agencies to guard the confidential conversations of their leaders.

It’s been proven that those VoIP phones can be remotely modified to become stand-alone listening devices, capturing any sound within the four walls even when they are not in use. This is done by exploiting a loophole in the phone's kernel, which handles communication between the hardware and software of the device. Coupled with a voice-to-text translation capability from Google, one can even transcribe the recorded conversations from the compromised phone to search for chosen keywords, like “terrorists,” “Al Qaeda,” etc.

Therefore, irrespective of whether the US or any other country has stopped or will stop snooping on its European allies, it is best practice to remain vigilant at all times.

What these photos highlight is a security lapse, and it raises many questions: What else have European countries missed or failed to do to better protect their leaders from American or any other eavesdropping? Apart from removing or disconnecting the VoIP phone, did they scan the meeting rooms for bugs? As these bug sweeps are usually done earlier, did the security personnel search and scan all the attendees, including world leaders, plus the media and staff of those facilities to ensure no one carries or plants any bugging device? Did they collect all the cell phones and smartphones from everyone entering the meeting rooms? YouTube footage of some of these meetings fails to demonstrate this last point.

Have Merkel and other European leaders had their security chiefs fix their mobile phones to prevent bugging and ensure secure conversations? Hackers use radio frequency scanners and a digital data interpreter to listen to any unsecured calls. There are various ways to secure the phones and it is daunting to think the respective European security bureaus have not taken the right measures.

Or they did but were outsmarted by their US counterparts, leading to the tirade against the NSA for spying and damaging trust with Europe?

After all, let’s be honest with ourselves: almost every country spies, whether big time or small.

Scholars have pointed out that espionage is second only to prostitution as the oldest profession in the world. The Bible depicts how Joshua sent two spies to investigate the military strength of the walled city of Jericho in 1200 BC. Julius Caesar was credited with the first national intelligence system in Rome in the first century BC. Fast forward to several hundred years ago, and Francis Walsingham was one of the earliest well-known British spymasters. Russia has Ivan IV, also known as Ivan the Terrible, who founded the Oprichniki, the ancestor of the modern KGB. France can boast of its very own Francois Leclerc du Tremblay.

These national and international issues bring up equally important concerns about the wave of corporate and cyber espionage today, leading to further questions about what companies and individuals can do to protect our online activities.

As for mobile phones, always remove the SIM card and battery prior to any face-to-face discussions of sensitive and classified matters. Avoid using free Wi-Fi, especially in crowded places like airports, train stations and malls, as these are hotbeds where hackers fish for unprotected signals.

For chats on sensitive topics over mobile phones, get used to always having multiple spare phones and spare disposable low-value SIM cards readily available. And never reveal the phone numbers to anyone. Just use and discard those spare SIM cards after each call – note the emphasis on low-value cards. And use a different spare phone for each call.

It may seem too paranoid but espionage is brisk business these days and businessmen, executives and diplomats are high value targets.

What about that VoIP phone on your office desk? If your office protocol permits, forward all calls to your mobile phone, which you can forward again to a spare mobile phone for sensitive discussions. And disconnect and remove the VoIP phone. Otherwise, never ever talk about any sensitive matters with a connected VoIP phone in proximity.

(Vanson Soo runs an independent business intelligence and commercial investigations practice specializing in the Greater China region. Blog: Another version of this column appears in The Standard of Hong Kong.)