Some sources have started speculating about whether the Secret Service will let President Barack Obama continue to use some sort of Blackberry. The latest speculation is that he might get a Sectra Edge, a ruggedized and secured Palm Treo 750. You can find the specs here, but while they are interesting, they don't (of course?) go into the details of how things are secured in practice. Tomi Ahonen over at Communities Dominate Brands has a good post on possible angles of attack. I think these are quite possible for someone with time, monetary resources and a couple of infiltrators. Tomi suggests a couple of countermeasures which I think are quite interesting, and I've come up with some of my own while commuting today that I thought I'd share here:
Phone identification and targeting
The first thing that needs to be done is to ensure anonymity. Today, there are two IDs in GSM/UMTS systems that can be exploited if somebody knows them and can get access to the core of the mobile network: they allow the current location of the phone to be found down to the level of the radio tower. These IDs are the International Mobile Subscriber Identity (IMSI) on the SIM card and the International Mobile Equipment Identity (IMEI) of the mobile phone itself. Knowledge of either of the two values can also be used by someone with access to the core of the mobile network to intercept voice calls and Internet traffic that are not end-to-end encrypted.
To ensure anonymity these IDs should be changed at regular intervals. If I were the Secret Service I would get a large number of IMSIs from several network operators, get the SIM card vendor on board and devise a scheme to change the IMSI on the SIM card on a regular basis. Concerning the IMEI, a changing random number would do.
Another thing I would do is to use the pool of IMSIs not only for the president but also give similar phones to his aides and other people in the government who need to communicate with him and with each other securely. This ensures encrypted communication among them. At the same time more than one IMSI of the pool is active, so it's fruitless to get hold of the IMSIs of the pool, as the attacker still wouldn't know which one is currently used for the president's phone.
Changing IMSIs on a regular basis has one big disadvantage: whenever an IMSI is used for the first time it is transmitted in the clear over the network. In all subsequent connection establishment requests a changing temporary ID (the TMSI and the P-TMSI) is used. So an attacker could try to find the president's phone by scanning the air interface for those rare IMSI-based connection establishments. However, the scanner would have to be near the location of the phone (i.e. in the same cell) and the attacker would need the list of IMSIs used for the purpose. A very remote possibility, and the attacker could not do a lot with the information anyway. A countermeasure would be to have many such phones around the president (e.g. those of his aides) doing the same thing.
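To make the last point concrete, here is a small simulation (added here, not part of the original post) of the rotation scheme: phones draw IMSIs from a shared pool, the first attach on a fresh IMSI is visible in the clear, later attaches carry only a TMSI, and we count how many pool IMSIs a passive observer in the cell sees at a rotation moment. Pool size, number of phones, the hourly attach rhythm and the rotation schedule are constructed assumptions.

```python
# Added example, not from the original post: a toy model of the IMSI-rotation
# scheme and of what a passive observer in the same cell could learn from it.
# Pool size, number of phones and rotation schedule are constructed assumptions.
import random

class Phone:
    """One handset drawing IMSIs from the shared pool."""
    def __init__(self, name, imsi):
        self.name = name
        self.imsi = imsi
        self.tmsi_assigned = False  # no TMSI yet: next attach sends the IMSI in clear

def run(pool, n_phones, hours, rotate_every, seed=0):
    """Simulate one attach per phone per hour; return (hour, imsi) pairs seen in clear.

    After the first attach on a fresh IMSI the network assigns a TMSI, and
    later attaches carry only that TMSI, so the observer records nothing."""
    rng = random.Random(seed)
    free = list(pool)
    rng.shuffle(free)
    phones = [Phone(f"phone{i}", free.pop()) for i in range(n_phones)]
    clear_text = []
    for hour in range(hours):
        for p in phones:
            if hour and hour % rotate_every == 0:   # scheduled IMSI change
                free.append(p.imsi)                 # release the old IMSI
                p.imsi = free.pop(0)                # take a fresh one from the pool
                p.tmsi_assigned = False
            if not p.tmsi_assigned:
                clear_text.append((hour, p.imsi))   # IMSI attach: visible on air
                p.tmsi_assigned = True
            # TMSI attach: no long-term identifier on air, nothing to record
    return clear_text

def anonymity_set(clear_text, pool, hour):
    """Pool IMSIs that attached in clear during `hour`.

    The target phone is one of them; the observer cannot tell which."""
    return {imsi for h, imsi in clear_text if h == hour and imsi in pool}

if __name__ == "__main__":
    pool = [f"00101{n:010d}" for n in range(100)]  # constructed test-PLMN IMSIs
    alone = run(pool, 1, 48, 12)
    crowd = run(pool, 8, 48, 12)
    print("target alone:", len(anonymity_set(alone, set(pool), 12)))   # 1
    print("with 7 decoys:", len(anonymity_set(crowd, set(pool), 12)))  # 8
```

With the president's phone alone, the single clear-text attach at the rotation hour pinpoints it; with aides' phones rotating on the same schedule, the observer only learns that one of eight pool IMSIs is the target.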
Outgoing Voice calls
Both network-encrypted and end-to-end encrypted calls could be connected directly to the destination. However, I would put a gateway in the middle to which all calls are sent and which then forwards them over a secured link to a second gateway that brings them back into the public network. This way the president's current phone number, which is linked to the IMSI, could not be seen at the other end and could also not be traced by someone having access to the public network.
Incoming Voice calls
A bit more tricky, as other persons don't know the president's current phone number. Again, a gateway would help which knows the current number of the president. It could be informed of the current phone number by the phone itself via an encrypted data connection (see below).
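The gateway described above, as an added example that is not part of the original post: the phone pushes its current number to the gateway in an authenticated, timestamped message, and callers only ever dial the fixed public number. The shared key, the HMAC-based message format and the phone numbers are assumptions; the point it shows is that the update path itself needs authentication and replay protection, otherwise anyone who can reach the gateway could redirect the president's calls.

```python
# Added example, not from the original post: the incoming-call gateway that
# learns the phone's current number from the phone itself. Shared key, message
# format and numbers are assumptions.
import hmac, hashlib, json, time

class NumberGateway:
    """Maps one fixed public number to the phone's current (rotating) number."""
    def __init__(self, public_number, shared_key, max_skew=60):
        self.public_number = public_number
        self.key = shared_key
        self.max_skew = max_skew
        self.current = None
        self.last_ts = 0  # newest accepted timestamp, used to reject replays

    def update(self, message, now=None):
        """Accept {number, ts, mac}; return True if the mapping was changed.

        The MAC covers number and timestamp, so a forged or replayed update
        cannot point the public number at an attacker-chosen phone."""
        now = time.time() if now is None else now
        body = {"number": message.get("number"), "ts": message.get("ts")}
        expected = hmac.new(self.key, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("mac", "")):
            return False                       # wrong key or tampered fields
        if abs(now - body["ts"]) > self.max_skew or body["ts"] <= self.last_ts:
            return False                       # stale, future-dated or replayed
        self.current, self.last_ts = body["number"], body["ts"]
        return True

    def route(self, dialled):
        """Resolve a dialled number; only the public number is ever exposed."""
        if dialled != self.public_number or self.current is None:
            return None
        return self.current

def sign_update(shared_key, number, ts):
    """Phone side: build the authenticated 'my current number is ...' message."""
    body = {"number": number, "ts": ts}
    mac = hmac.new(shared_key, json.dumps(body, sort_keys=True).encode(),
                   hashlib.sha256).hexdigest()
    return {**body, "mac": mac}
```

The message is assumed to travel inside the encrypted data connection the post mentions; the MAC and timestamp are what protect the gateway against a caller who merely reaches its update interface.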
Getting to the Microphone and Camera
Every now and then one can find reports that hackers can get access to the microphone of a phone by giving it a secret hidden call. It may or may not work with some consumer phones, but not with one that has been inspected by the NSA. Also, frequently changing IMSIs should prevent anyone from knowing which number to call.
By controlling the operating system itself and the applications that run on the smartphone, it can be ensured that even if the phone has a GPS the coordinates are not smuggled out. Not a big issue here.
I'd only allow a "full tunnel" solution, i.e. everything goes through an encrypted tunnel to a gateway and only from there to the Internet. The tunnel termination on the network side must be well protected, of course, but I think the people working at Fort Meade know how to do that.
With a customized OS version I would ensure that applications can't be installed and that all applications running on the phone have no hidden weaknesses and backdoors. Not trivial but I am sure it could be done with a tiny fraction of the NSA's budget.
The e-mail client must of course be able to use strong end-to-end authentication and encryption, as well as authentication and encryption for the transmission to the server itself. Needless to say, the server should be well secured.
To prevent malicious content in web pages from harming the smartphone, I would run all web traffic via a secured and monitored web proxy. No direct contact with the Internet for the web browser. Another benefit of the proxy is that it anonymizes the traffic.
And the rest
I'd block all other Internet traffic from or to the phone to ensure that the e-mail client and the web browser are the only applications that can communicate with the outside world. Also, I'd give the TCP/IP stack a very hard look to ensure no buffer overflows from malformed packets can cause any harm.
Lots of stuff to be done to secure such a phone, no question about that. But I guess the president of the United States is not the only person requiring airtight security, so the cost can be split. Also, I would be very surprised if a lot of this infrastructure is not already in place. Like all security measures, securing the BarackBerry is a cat and mouse game and not a one-shot operation. I am sure the list above is far from complete. Further ideas?