Some sources have started speculating about whether the Secret Service will let President Barack Obama continue to use some sort of BlackBerry. The latest speculation is that he might get a Sectra Edge, a ruggedized and secured Palm Treo 750. You can find the specs here, but while they are interesting they don't (of course?) go into the details of how things are secured in practice. Tomi Ahonen over at Communities Dominate Brands has a good post on possible angles of attack. I think these are quite possible for someone with time, monetary resources and a couple of infiltrators. Tomi suggests a couple of countermeasures which I think are quite interesting, and I've come up with some of my own while commuting today that I thought I'd share here:
Phone identification and targeting
The first thing that needs to be done is to ensure anonymity. Today, there are two IDs in GSM/UMTS systems that can be exploited by somebody who knows them and has access to the core of the mobile network: they allow the current location of the phone to be found, down to the level of the radio tower. These IDs are the International Mobile Subscriber Identity (IMSI) on the SIM card and the International Mobile Equipment ID (IMEI) of the mobile phone itself. Knowledge of either value can also be used by someone with access to the core of the mobile network to intercept voice calls and Internet traffic that are not end-to-end encrypted.
To ensure anonymity these IDs should be changed at regular intervals. If I were the Secret Service I would get a large number of IMSIs from several network operators, get the SIM card vendor on board and devise a scheme to change the IMSI on the SIM card on a regular basis. For the IMEI, a changing random number would do.
Another thing I would do is to use the pool of IMSIs not only for the president but also to give similar phones to his aides and other people in the government who need to communicate with him and others securely. This ensures that communication between them is encrypted. At the same time more than one IMSI of the pool is active, so it's fruitless to get hold of the IMSIs of the pool, as the attacker still wouldn't know which one is currently used for the president's phone.
Changing IMSIs on a regular basis has one big disadvantage: whenever an IMSI is used for the first time it is transmitted in the clear over the network. In all subsequent connection establishment requests a changing temporary id (the TMSI and the P-TMSI) is used. So an attacker could try to find the president's phone by scanning the air interface for those rare IMSI-based connection establishments. However, the scanner would have to be near the location of the phone (i.e. in the same cell), and the attacker would need the list of IMSIs used for the purpose. A very remote possibility, and the attacker could not do a lot with the information anyway. A countermeasure would be to have many such phones around the president (e.g. those of his aides) doing the same thing.
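To make the trade-off concrete, here is a small model (added here, not code from the post or from any vendor) of which identity a phone sends at each connection setup, following the rules described above and in Martin's reply in the comments: the IMSI goes out in the clear only when the SIM holds no valid TMSI or the cell belongs to a different MSC, and every IMSI rotation from the pool costs one more clear-text exposure. All identifiers are constructed sample values.

```python
"""Toy model of the identity a GSM/UMTS phone sends at connection setup.
Added illustration (not from the original post): IMSI in clear only when
the SIM has no valid TMSI or the MSC changes, TMSI otherwise; rotating
the IMSI invalidates the TMSI and so forces one new clear-text exposure.
All identifiers below are constructed sample values."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Phone:
    imsi: str
    tmsi: Optional[str] = None   # temporary id stored on the SIM, None = invalid
    msc: Optional[str] = None    # switching centre that allocated the TMSI
    exposed: List[str] = field(default_factory=list)  # IMSIs sent in clear
    seq: int = 0

    def connect(self, msc: str) -> str:
        """Perform one setup in a cell served by `msc`; return what was sent."""
        if self.tmsi is None or msc != self.msc:
            sent = self.imsi                 # clear text, readable in this cell
            self.exposed.append(sent)
        else:
            sent = self.tmsi                 # only the temporary id is visible
        self.seq += 1                        # network reallocates the TMSI
        self.tmsi = f"TMSI-{msc}-{self.seq:04d}"
        self.msc = msc
        return sent

    def invalidate_tmsi(self) -> None:
        """TMSI lost (e.g. timeout): the next setup falls back to the IMSI."""
        self.tmsi = None

    def rotate_imsi(self, new_imsi: str) -> None:
        """Take the next IMSI from the pool. The MSC bound the TMSI to the old
        IMSI, so the phone drops it and pays one clear-text exposure."""
        self.imsi = new_imsi
        self.tmsi = None


def run_schedule(phone: Phone, schedule: List[Tuple[str, str]]) -> List[str]:
    """Apply (action, argument) steps and return 'IMSI' or 'TMSI' for each
    setup, so the exposure cost of a rotation schedule can be compared."""
    kinds = []
    for action, arg in schedule:
        if action == "setup":
            sent = phone.connect(arg)
            kinds.append("TMSI" if sent.startswith("TMSI-") else "IMSI")
        elif action == "rotate":
            phone.rotate_imsi(arg)
        elif action == "timeout":
            phone.invalidate_tmsi()
    return kinds
```

Each "IMSI" entry returned by run_schedule is one moment where an in-cell scanner could read the identifier; counting them for a candidate rotation schedule shows what the rotation interval costs in exposures.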
Outgoing Voice calls
Both network-encrypted and end-to-end encrypted calls could be connected directly to the destination. However, I would put a gateway in the middle to which all calls are sent and which then forwards them over a secured link to a second gateway that brings them back into the public network. This way the president's current phone number, which is linked to the IMSI, could not be seen at the other end and could also not be traced by someone with access to the public network.
Incoming Voice calls
This is a bit trickier, as other people don't know the president's current phone number. Again, a gateway that knows the current number of the president would help. It could be informed of the current phone number by the phone itself via an encrypted data connection (see below).
Getting to the Microphone and Camera
Every now and then one can find reports that hackers can get access to the microphone of a phone by placing a secret, hidden call to it. Whether or not that works with some commercial phones, it would not work with one that was inspected by the NSA. Also, frequently changing IMSIs should prevent anyone from knowing which number to call.
GPS Positioning
By controlling the operating system itself and the applications that run on the smartphone, it can be ensured that even if the phone has a GPS, the coordinates are not smuggled out. Not a big issue here.
Internet connection
I'd only allow a "full tunnel" solution, i.e. everything goes through an encrypted tunnel to a gateway and only from there to the Internet. The tunnel termination on the network side must be well protected, of course, but I think the people working at Fort Meade know how to do that.
Smartphone viruses
With a customized OS version I would ensure that no additional applications can be installed and that all applications running on the phone have no hidden weaknesses or backdoors. Not trivial, but I am sure it could be done with a tiny fraction of the NSA's budget.
The e-mail client must of course be able to use strong end-to-end authentication and encryption, as well as authentication and encryption for the transmission to the server itself. Needless to say, the server should be well secured.
Web surfing
To prevent malicious content in web pages from harming the smartphone, I would run all communications via a secured and monitored web proxy. No direct contact with the Internet for the web browser. Another benefit of the proxy is that it anonymizes the traffic.
And the rest
I'd block all other Internet traffic from or to the phone to ensure that the e-mail client and the web browser are the only applications that can communicate with the outside world. Also, I'd give the TCP/IP stack a very hard look to ensure that no buffer overflows caused by malformed packets can do any harm.
Lots of stuff to be done to secure such a phone, no question about that. But I guess the president of the United States is not the only person requiring airtight security, so the cost can be split. Also, I would be very surprised if a lot of this infrastructure were not already in place. Like all security measures, securing the BarackBerry is a cat-and-mouse game and not a one-shot operation. I am sure the list above is far from complete. Further ideas?
The Secret Service’s very own mobile base station with very low output power and a secured communications channel through a controlled environment would solve a lot of known problems.
Hi Rumpis, true, but letting it follow a person everywhere globally is quite difficult. And the signal can be picked up by others with directional antennas, so you’d give away that someone important is in the neighborhood.
Martin
If he continues to use his BlackBerry Email service then his BIS account needs to be secured as well. And the PIN of his device I would think…
So my mobile knowledge is pretty weak. Presumably the IMSI is sent in the clear once per registration onto the cell network before the TMSI/P-TMSI is sorted – I’m thinking at phone power-on time as opposed to every time a cell switch occurs? Or is it even less frequent than that – once per SIM card/IMSI?
If this is the case, then this phase is probably best done in either a random location (i.e. not the White House every time), or within a known secure base-station configuration (e.g. a secured White House femto cell) – as well as having plenty of other IMSI registrations going on to confuse the opposition?
Correct me if my thinking is wrong – I’m from more of a TCP/IP background and fixed data background, but always keen to learn new things.
Hi Ed,
it’s even less often than that. The IMSI is used:
– When the phone is switched on and the SIM card does not have a temporary id, or it is invalid (e.g. timeout). Afterwards the temporary id is stored on the SIM card and used whenever a cell change occurs.
– When a cell change occurs and the new cell belongs to a different mobile switching center.
So it’s quite rare that it is used, which is both good and bad. But IMSI rotation coupled with intelligent call routing from a node in a secure location as described in my post, a large pool and many users of the pool should take care of that 🙂
Cheers,
Martin