May 30, 2012

Swiss video on mobile phone security



This is an informative video from the Swiss television program Einstein, about the potential threats and risks of mobile cell phones:





The phone shown in this report is the Secure Mobile Phone Omnisec 230 (fact sheet in PDF), made by the Swiss firm Omnisec AG. This is a modified HTC smart phone, with a hardened Android operating system, and with all risk providing applications (like bluetooth and GPS) removed. The microSD Security Module provides encryption with 256-bits key length to secure communication for classification levels up to Top Secret. But, the cost for two of such phones is said to be around 50.000,- Swiss Franks.


UMTS

For most people, a far more affordable way to get better security for cell phone communication is just to use the UMTS or 3G mobile network, instead of GSM. Where GSM only has authentication of the user to the network, UMTS uses mutual authentication, which means the mobile user and the network authenticate each other. This prevents a so called "man-in-the-middle attack" by using false base stations. Also UMTS uses stronger encryption algorithms (KASUMI-based 128-bit key algorithms) for securing the voice and data during the radio transmission between the handset and the base station. For this, GSM uses the rather weak A5/1 algorithm with only a 64-bit key.

Nowadays, UMTS services are widely available in western countries and accessible through high-end smart phones like the popular iPhone 3G and the Samsung Galaxy i9000 series. However, it should be noted that the use of the UMTS-network still bear the risks of intrusions through unsafe applications and malware. Furthermore, UMTS does not provide any end-to-end encryption or authentication between one user and the other. Traffic between between the fixed network stations is still unencrypted and there's authentication only between users and the network provider.


BlackBerry

Another affordable option for more secure mobile communication is by using the BlackBerry smart phone, which is very popular amongst business people and government officials. A BlackBerry encrypts data (including e-mail, but excluding voice) that travels between the handheld device and the BlackBerry Enterprise Server by using either Triple DES or, for the latest models, AES with 256-bit key. This allows the BlackBerry to be the only consumer handheld devices certified for use by government agencies of the US, the UK, Canada and Australia. But again: this only applies to e-mail messages and not for voice conversations.

So, people who want or need the certainty of strictly private phone calls from one person to another, have to assure that through extra applications or specialized hardware features, for example like the aforementioned Omnisec phone or a variety of other highly secure mobile phones.

Update:
In November 2020, the Swiss broadcaster SRF reported that not only Crypto AG sold weakened encryption devices, but that one of its largest competitors, Omnisec AG, did the same, selling less secure devices from their 500-series even to Swiss federal agencies and the UBS bank. Omnisec was founded in 1987 and dissolved in 2018.


Links
- Application for Secure deletion on Android
- Overview of GSM and UMTS Security
- Paper about Cryptographic Algorithms for UMTS (PDF)

May 28, 2012

Obama on vacation



In the previous post we saw the cool phones the American president uses in his Oval Office. This time we take a look at the telephone equipment he uses when he is on vacation, because "Presidents don't get vacations, they just get a change of scenery." as a former president once said.

For this purpose we have two nice pictures from the vacation of president Obama from August 18 to August 29, 2011 on the Blue Heron Farm in Chilmark on the island of Martha's Vineyard, Massachusetts.

In the first picture we see president Barack Obama, reflected in a mirror, conducting a conference call on the situation in Libya with his national security staff. Also participating is John Brennan, Assistant to the President for Homeland Security and Counterterrorism, who sits on the right:


President Barack Obama and his assistant John Brennan in a conference call. August 22, 2011
Note how the telephone and power cables are taped onto the table
(White House photo by Pete Souza - click for a bigger version)


On the table we see two sets of the Secure Terminal Equipment (STE), made by L3 Communications. This is a telephone capable of making secured calls up to the level of Top Secret. The STE is the successor of the legendary STU-III system and is used for secure end-to-end communications throughout the government and the military of the US. For the President Of The United States (POTUS), these phones are used when he is travelling or staying somewhere outside the White House.

In the second picture we see Obama monitoring Hurricane Irene with John Brennan, Assistant to the President for Homeland Security and Counterterrorism (in light blue shirt) and some other officials. They are waiting for a conference call on the hurricane with affected governors and mayors:


Obama monitoring Hurricane Irene with his assistant John Brennan
and some other officials. August 26, 2011
(White House photo by Pete Souza - click for a bigger version)


This picture shows the same table as in the previous one, but with different chairs and different phones. There are two telephone sets on each side of the table: an regular white Panasonic KX-TS108W office phone, and a dark gray Cisco 7975G Unified IP Phone.

The white phone sets are most likely part of the private branch exchange (PBX) of the holiday house and therefore have no special security features. As we can see in this picture, the conference call is made using these white phones.

The Cisco phones are more interesting, because they belong to the highly secure Executive Voice over Secure IP (VoSIP) phone network, which was installed in 2007-2008. For this network the common high end Cisco IP telephone sets are used, but with a bright yellow bezel faceplate, instead of the standard silver one. Yellow indicates that this network is cleared for conversations up to Top Secret/SCI, the highest classification level.

As the second picture is taken some days later than the first one, it looks like the White House Communications Agency (WHCA) eventually installed this secure network instead of the STE phones. In the pictures you can see that the cables of the STE-phones are only provisionarily taped onto the table, but the cables of the Cisco ones are neatly bound by tie bands. The latter phones allows the president to make calls with the highest classification level.

A bit strange however, is the fact these phones are sitting in what seems to be a not very secure room (note the open door in the first and the open window in te second picture and that it's a temporarily hired location). For example former president G.W. Bush had such communications equipment in a special room without windows at his ranch in Texas.

For (non-secure) mobile communications during president Obama's vacation, the telecommunications company Verizon installs two temporary cell towers, known as cell on wheels, on Martha's Vineyard. Apparently the island normally lacks a sufficient cell phone coverage, so these extra towers are needed to provide the president and his staff with a good reception.

This also leads to the somewhat odd situation that local people only have a good cell phone reception during the time the president is on the island. Then suddenly their phones ring and text messages arrive in places where it's quiet during the rest of the year!


- NY Times-article: If Phones Ring, Obama Is Here, With Cell Power