May 30, 2012

Swiss video on mobile phone security



This is an informative video from the Swiss television program Einstein, about the potential threats and risks of mobile cell phones:





The phone shown in this report is the Secure Mobile Phone Omnisec 230 (fact sheet in PDF), made by the Swiss firm Omnisec AG. This is a modified HTC smart phone with a hardened Android operating system, from which all risk-bearing functions (like Bluetooth and GPS) have been removed. The microSD Security Module provides encryption with 256-bit keys to secure communication for classification levels up to Top Secret. But the cost of two such phones is said to be around 50,000 Swiss francs.


UMTS

For most people, a far more affordable way to get better security for cell phone communication is simply to use the UMTS or 3G mobile network instead of GSM. Where GSM only authenticates the user to the network, UMTS uses mutual authentication, which means the mobile user and the network authenticate each other. This prevents the so-called "man-in-the-middle attack" using false base stations. UMTS also uses stronger encryption algorithms (KASUMI-based algorithms with 128-bit keys) to protect voice and data during the radio transmission between the handset and the base station. For this, GSM uses the rather weak A5/1 algorithm with only a 64-bit key.
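The difference in who authenticates whom can be seen in a simplified sketch of the two challenge-response exchanges (an added example, not code from the original post or from Omnisec). It assumes HMAC-SHA256 as a stand-in for the 3GPP functions f1 to f5 (real networks use MILENAGE or TUAK) and simplifies the sequence-number check to a strict increase.

```python
"""Simplified GSM vs UMTS (3G AKA) authentication. The keyed PRF below is an
assumption standing in for 3GPP f1..f5; the message layout follows TS 33.102."""
import hashlib
import hmac
import os
from typing import Optional

def f(k: bytes, label: bytes, *parts: bytes) -> bytes:
    # Generic keyed PRF playing the role of f1..f5 (assumption, not MILENAGE).
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()

def gsm_sres(ki: bytes, rand: bytes) -> bytes:
    # GSM: the SIM answers any RAND it receives. Nothing in the exchange lets the
    # handset check that the challenge came from the genuine network.
    return f(ki, b"A3", rand)[:4]

def umts_network_challenge(k: bytes, sqn: int, rand: Optional[bytes] = None):
    # Network side (AuC): RAND plus AUTN = (SQN xor AK) || AMF || MAC.
    # Only a party holding K can produce a MAC the USIM will accept.
    rand = rand or os.urandom(16)
    amf = b"\x80\x00"
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", rand, sqn_b, amf)[:8]
    ak = f(k, b"f5", rand)[:6]
    conc_sqn = bytes(a ^ b for a, b in zip(sqn_b, ak))
    return rand, conc_sqn + amf + mac

def umts_usim_respond(k: bytes, last_sqn: int, rand: bytes, autn: bytes):
    # USIM side: recover SQN, recompute the MAC and refuse a network that
    # cannot prove knowledge of K. Returns ((RES, CK, IK), status) or (None, reason).
    conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    ak = f(k, b"f5", rand)[:6]
    sqn_b = bytes(a ^ b for a, b in zip(conc_sqn, ak))
    expected_mac = f(k, b"f1", rand, sqn_b, amf)[:8]
    if not hmac.compare_digest(mac, expected_mac):
        return None, "MAC failure: network could not prove knowledge of K"
    if int.from_bytes(sqn_b, "big") <= last_sqn:
        return None, "synchronisation failure: stale or replayed challenge"
    res = f(k, b"f2", rand)[:8]   # sent back to the network
    ck = f(k, b"f3", rand)[:16]   # cipher key for the radio link
    ik = f(k, b"f4", rand)[:16]   # integrity key for signalling
    return (res, ck, ik), "ok"
```

A false base station that does not hold K can still collect a GSM SRES for any RAND it sends, but its UMTS challenge fails the MAC check before any key is derived.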

Nowadays, UMTS services are widely available in western countries and accessible through high-end smart phones like the popular iPhone 3G and the Samsung Galaxy i9000 series. However, it should be noted that using the UMTS network still bears the risks of intrusion through unsafe applications and malware. Furthermore, UMTS does not provide any end-to-end encryption or authentication between one user and another. Traffic between the fixed network stations is still unencrypted, and there is authentication only between users and the network provider.


BlackBerry

Another affordable option for more secure mobile communication is using a BlackBerry smart phone, which is very popular amongst business people and government officials. A BlackBerry encrypts data (including e-mail, but excluding voice) that travels between the handheld device and the BlackBerry Enterprise Server using either Triple DES or, for the latest models, AES with a 256-bit key. This has made the BlackBerry the only consumer handheld device certified for use by government agencies of the US, the UK, Canada and Australia. But again: this only applies to e-mail messages and not to voice conversations.

So, people who want or need the certainty of strictly private phone calls from one person to another have to ensure that through extra applications or specialized hardware, such as the aforementioned Omnisec phone or a variety of other highly secure mobile phones.

Update:
In November 2020, the Swiss broadcaster SRF reported that not only Crypto AG sold weakened encryption devices, but that one of its largest competitors, Omnisec AG, did the same, selling less secure devices from their 500-series even to Swiss federal agencies and the UBS bank. Omnisec was founded in 1987 and dissolved in 2018.


Links
- Application for secure deletion on Android
- Overview of GSM and UMTS Security
- Paper about Cryptographic Algorithms for UMTS (PDF)
