Who says Android is the most insecure mobile OS around? Not the National Security Agency, which is conducting a pilot of 100 Motorola smartphones running the Android OS that it says are already good enough for its employees to make top-secret and classified phone calls from the field.
“There are vulnerabilities in every OS,” said Margaret Salter, a technical director in the NSA’s Information Assurance Directorate (IAD), during a talk Wednesday morning at the RSA Conference in San Francisco. “The beauty of our strategy is that we looked at all of the components, and then took stuff out of the (Android) OS we didn’t need. This makes the attack surface very small.”
Other U.S. government agencies such as the Bureau of Alcohol, Tobacco, Firearms and Explosives and the National Oceanic and Atmospheric Administration (NOAA) are dumping Blackberries for iPhones.
For the NSA, the open-source nature of Android tipped the balance in its favor.
“It’s not because iOS was lousy, no. It’s because of certain controls we needed. We were able to make some modifications to Android. Android had that freedom,” she said.
Does that mean the NSA is wedded to the Google OS? “It’s not our intention to use only Android.”
Since the NSA’s founding in 1952, the IAD had been the sole creator of proprietary equipment used by U.S. Government agents for secure communications. The disadvantage of this approach was that it was more expensive, “took us years to approve a device,” said Salter, and also resulted in gear that “though incredibly secure, was not incredibly easy to use.”
The Android smartphone pilot, nicknamed Project Fishbowl, is part of the IAD’s move away from GOTS (Government-Off-The-Shelf) technology towards best-of-breed COTS (Commercial-Off-The-Shelf) gear that the IAD will customize and integrate.
Salter didn’t disclose which Motorola model the NSA is testing. But it is likely to be one of Motorola’s Business Ready Smartphones, most of which can be secured with Sybase’s Afaria. The NSA’s aim is to make its secure mobile phones as easy to use as regular consumer smartphones, and the overall architecture easy to upgrade.
“If some part of the architecture is not working the way we want, we have to be able to switch it out and plop a new box,” she said.
(The slide above is from Salter’s presentation. You can download the entire deck here.)
But the IAD’s attempts “to go shopping” for such technology were severely hampered by a lack of interoperability with encryption and other security technologies. “We wanted everything to be plug and play. And. That. Was. Hard,” Salter said.
That forced the NSA in some instances, when choosing software, to sacrifice performance in favor of broader support. She urged vendors interested in supplying the NSA to visit www.nsa.gov/ia/programs, where they can view the NSA’s requirements. “We need a partnership with industry,” she said.
To cloak the voice calls, the NSA uses two independent layers of encryption, one at the VoIP layer, and the other at the VPN layer. The NSA “put a big X through an SSL VPN client” because, according to Salter, “there is no such thing as an SSL interoperable VPN standard.”
Moreover, all voice calls using the Android phones are routed through the NSA’s servers. That helps secure the calls so that the phones can be used with any carrier. The final layers of security include a pair of authentication certificates residing on the handsets, as well as requiring users to log in with a password before they can use the SIP (Session Initiation Protocol) server. This gives the NSA “good assurance to know who are the users,” she said.
Doubly encrypting the calls plus the extra routing did make it initially hard to maintain good voice quality, said Salter. But as of today, there “is only a little bit of delay” in the calls. “You’d only notice it if you were in the same room as the caller and could see his lips moving. But I hope you’re not using our phone in that context.”
Using the phones overseas does add “some risk, but we also believe that we’ve spent a lot of effort to completely minimize this risk,” Salter said, without going into details. “We actually have more trouble getting the phones to run in certain countries.”
With the NSA satisfied with Fishbowl’s handling of voice calls, Salter is already looking forward to testing the use of the phones to send and receive data and to handle other forms of Unified Communications. Plans are to keep most data on the server.
To harden the handsets, the NSA had “to make changes to the key store” as well as “make a police app that keeps an eye on everything,” Salter said. Other than that, the NSA hasn’t built any apps yet, said Salter.
The Department of Defense’s IT branch, the Defense Information Systems Agency (DISA), may both emulate the NSA pilot and build apps that the NSA could leverage, she said. If so, those apps would be deployed through an internal Enterprise App Store.