NSA builds Android phone for top secret calls

Powered by SC Magazine
 

Blueprints released to public.

The National Security Agency (NSA) has developed an ultra-secure Android phone built using off-the-shelf kit that allows US Government staff to discuss top secret materials.

About 100 of the Fishbowl phones were developed and released to government staff. They were designed to comply with the NSA’s tough information security rules yet be as cheap as possible and easy to use. 

Margaret Salter

The phones were designed and built by the NSA’s 40 year-old Information Assurance Directorate, which is responsible for providing secure communications to the US Government, including the Department of Defence.

The division’s head, Margaret Salter, said anyone can reproduce the phone using specifications published online today because it uses off-the-shelf components.

“The plan was to buy commercial components, layer them together and get a secure solution,” Salter said. “It uses solely commercial infrastructure to protect classified data.”

Salter said she would previously need to “speak in code” if using a commercial mobile device to discuss classified information.

Users will be able to install defence applications on the device from an enterprise app store run by the US Defence Information Systems Agency. This would ensure only secure applications were installed, and remove the need for NSA staff to otherwise vet the integrity of third party applications.

The phone is part of a wider NSA Mobility Program to design all communications technologies used for classified discussions from commercial off-the-shelf components.

The aim, Salter said, was to produce secure devices that had the ease-of-use at a low cost.

Tech troubles

The Information Assurance Directorate ran into a string of problems during the build due to a lack of interoperability between vendor products.

Salter said a lack of interoperability between SSL VPN options forced designers to use IPSEC.

Several other compromises were made but none that reduced the security of the phone, Salter said.

“We needed a voice app that did DTLS (Datagram Transport Layer Security), Suite B and SRTP (Secure Real-time Transport Protocol) and we couldn’t buy it,” Salter said. “But the industry was thinking more about session description … so we went with that.”

 

Fishbowl encryption

Designers were also challenged by the functionality in commercial products. Vendors were chosen not by reputation or preference, but by their support of required functionality. Each was plotted on a grid and chosen by “drawing a line through the list”.

Salter said the security specifications, such as those sought for the voice application, would be useful to everyone.

She urged colleagues to demand vendors improve unified communications interoperability.

“We need to send a message [about] standards, interoperability and plug and play," she said.

All traffic from the phone is routed through the enterprise as a primary security design goal.

“If we let it go to all kinds of places, we lost control of figuring out what the phone was doing. If I want pizza, I have to go through the enterprise which has to route me to Pizza Hut.”

Voice calls are encrypted twice in accordance with NSA policy, using IPSEC and SRTP, meaning a failure requires “two independent bad things to happen,” Salter said.

She said the Android operating system and key store were customised to be made secure enough for top secret conversations, and a “kind of police app” was designed to monitor operations on the device.

Copyright © SC Magazine, Australia


NSA builds Android phone for top secret calls
 
 
 
Top Stories
ATO shaves $4m off IT contractor panel
Reform cuts admin burden, introduces KPIs.
 
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Optus expands 4G coverage
Oct 10, 2014
If you rely on an Optus phone for work you might be interested to know that there are now 200 ...
Microsoft Office is now free for some charities
Oct 10, 2014
Microsoft has announced that eligible Australian non-profit organisations and charities can now ...
Vodafone lights up 4G in Adelaide
Oct 9, 2014
Live and work in Adelaide? Vodafone has switched on its 4G network in the city and suburbs.
Next year tradies will be able to take payments using ingogo
Oct 3, 2014
Ingogo is going to provide a card payment service for Xero users.
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  13%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  25%
TOTAL VOTES: 440

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  54%
 
No
  46%
TOTAL VOTES: 211

Vote