Secure Voice Communications The Missing Piece in Mobile Security Tony Fascenda, Founder, CEO, KoolSpan Inc.


Post on 14-Jan-2016


TRANSCRIPT

Page 1: Secure Voice Communications The Missing Piece in Mobile Security

Secure Voice Communications

The Missing Piece in Mobile Security

Tony Fascenda, Founder, CEO, KoolSpan Inc.

Page 2: Secure Voice Communications The Missing Piece in Mobile Security

Secure Customer Access Secure Machine to Machine

Secure Mobile Voice

Secure Networks

Secure PC/Laptops

Security Landscape: Wide Open, Complex

71% of large enterprise IT managers say IT security solutions are too complex

- 2008 Mobile Trust Survey

Page 3: Secure Voice Communications The Missing Piece in Mobile Security

IT Infrastructure

• Multiple Problems to solve
– Trusted vs. un-trusted users (login management)
– Network Access (24 x 7 access)
– Hackers, viruses, malware
– Firewalls: packet inspection
– Intrusion detection / Intrusion prevention
– Patch Management
– Standards / RFCs

• “Box for every problem”
– 900+ vendors for IT infrastructure
– “Defense in depth”
– Everything must work together

• Never ending series of problems to solve

Page 4: Secure Voice Communications The Missing Piece in Mobile Security

Nearly 70% of all large enterprise IT managers say mobile phones are used to discuss business topics considered confidential.

- 2008 Mobile Trust Survey

The Mobile Security Threat

Page 5: Secure Voice Communications The Missing Piece in Mobile Security

Data vs. Voice

Focus

• IT Engineers may spend entire career protecting data
• Mobile Phones have two problems: data & voice
• When it comes to voice, the user is left naked
• Most important information is that which is spoken
• Many security conscious companies prohibit discussing sensitive data on mobile
• Voice calls operate on the PSTN and possibly IP networks
• ROI on call interception is very high

• Difficult to quantify because this is usually a risk not publicized

• Security is difficult to implement/easy to crack

Page 6: Secure Voice Communications The Missing Piece in Mobile Security

“Vodafone, Ericsson Get Hung Up In Greece's Phone-Tap Scandal”

June 2006

“Phone Taps in Italy Spur Rush Toward Encryption”

April 2007

“Taliban Terrorises RAF Families”

August 2007

“Silently tapping into a private cellphone conversation is no longer a high-tech trick reserved for spies and the FBI…cellular snooping may soon be affordable enough for your next-door neighbor.”

February 2008

Mobile Voice Breaches Gaining Attention

Page 7: Secure Voice Communications The Missing Piece in Mobile Security

Operator A

Operator B

Operator C

Hacker Exploit of Lawful Call Monitoring Taps

Access at Network Facility

Tower spoofing

Illegal Monitoring

Four Typical Attack Vectors

How Is A Cellular Call Intercepted?

Page 8: Secure Voice Communications The Missing Piece in Mobile Security

What Would it Take for Someone to Intercept Your Mobile Communications?

Just Google it!

• 100,000s of hits
• Large community
• Illegal, but vibrant marketplace
• Many solutions for law enforcement, but ‘hijacked’ by bad guys

Page 9: Secure Voice Communications The Missing Piece in Mobile Security

Mobile Phone Points of Attack

• Only protected part of communication is between handset and base station

• Switched-connection
• Mandatory to bridge different phone types
• Cleartext available anywhere between base-stations
• At either operator’s switch
• Anywhere in the cloud that connects operators
• Impossible to detect wiretap

Page 10: Secure Voice Communications The Missing Piece in Mobile Security

Threat Envelope

Page 11: Secure Voice Communications The Missing Piece in Mobile Security

Impact of Compromise:

• Operational Security

• Direct Financial Loss

• Intellectual Property (IP)

• Physical Safety Risk

• Cyber Security Risk

• Reputational / Brand Risk

• Legal Risk

• Stock Risk

What’s At Risk?

Page 12: Secure Voice Communications The Missing Piece in Mobile Security

Mobile Voice Threat Envelope: What’s Changed

• 1945: Most government secrets were held by government
• 2009: Most government secrets held by private industry
• Internationally, boundaries between state and criminal espionage blurred
• Increased Competition
• Foreign Nationals: no risk, no fear!
• Wider availability of network access
• Attacks, easier and easier to accomplish
• Naive CEOs, CFOs, CSOs
• Only companies damaged by economic espionage take threat seriously!
• ROI on mobile intercept is HIGH!

Page 13: Secure Voice Communications The Missing Piece in Mobile Security

Smartphone Market Eclipses Computer Market

Source: Wall Street Journal

Page 14: Secure Voice Communications The Missing Piece in Mobile Security

Smartphones are new Laptops

• Susceptible to intercept but more probably to being left behind at airport security

• Mobile device loss results in:
– Potential exposure to enterprise / network etc.
– Loss of valuable data / trade secrets
– Loss of productivity from user

• Smartphones handle both voice and data
• Data often exchanged with enterprise
• Stored in phone or in plug-in memory cards
• Not enough to protect the ‘pipe’: you must protect and secure the data at all times

“More than 10,000 laptops are reported lost at the 36 largest airports in US each week. Only 35% ever reclaimed”

- engadget

“More than 250,000 mobile phones and handheld devices will be left behind at U.S. airports alone this year and only 25-30 percent will be reunited with their owners”

- Technet.microsoft.com

“100,000 devices left on London Underground each year”

- British Authorities

Page 15: Secure Voice Communications The Missing Piece in Mobile Security

Hurdles to “Enterprise Ready” Smartphones

InformationWeek Cover Story, October 2008

“Unfortunately, IT directors’ ability to manage these devices as corporate assets, while controlling the data and applications that run on them, hasn’t kept pace.”

~ InformationWeek

Business applications for Smartphones are proliferating

Increasingly, many business people choose to “leave their laptop behind”

Vulnerable to eavesdropping on phone calls as well as attacks on the data applications

Page 16: Secure Voice Communications The Missing Piece in Mobile Security

Challenges to Mobile Communication Security

Page 17: Secure Voice Communications The Missing Piece in Mobile Security

Are you aware of any compromises to voice communications on cellular/mobile networks?

• YES: 44%
• NO: 56%

~ Mobile Trust Survey, 2007

Wide Gap: Problem Recognition and Solution Implementation

Page 18: Secure Voice Communications The Missing Piece in Mobile Security

Why the Unmet need in cellular encryption?

Among Respondents Interested In Secure Voice Solution (58% of Total)

• Would consider an easy, cost-effective solution: 72%
• Already deployed: 14%
• Planning a deployment: 14%

~ Mobile Trust Survey, 2007

Because…

• It’s hard to do

• It’s difficult to manage

• Manufacturers don’t provide security hooks

• Enterprises don’t yet realize the threat

Wide Gap: Problem Recognition and Solution Implementation

Page 19: Secure Voice Communications The Missing Piece in Mobile Security

Phones are Insecure

• Phones aren’t managed by IT Department
• Phones don’t use IT infrastructure
• Phones can connect to anyone, anytime
• Phones not designed to protect your data
– Result: mobile voice is insecure
– Result: mobile data is insecure

Page 20: Secure Voice Communications The Missing Piece in Mobile Security

OEM Over-Exposure

Data Port

GSM, CDMA

SIM Card, SD Card

Bluetooth, Wi-Fi, Edge/3G, CSD, GPRS

Applications, E-mail, Internet, CRM, Data

Etc., etc.

• Security Issues are pervasive within device

• Dealing with all of them is next-to-impossible

• No OEM has yet adopted a platform security solution

• FIPS and other certs?

• Way too many entry points to adequately address the issues

WinMo, Symbian, Blackberry, Linux, Android

Page 21: Secure Voice Communications The Missing Piece in Mobile Security

Application Implementation

• Customer Application Example
– Access to real-time data vital
– Data is important to both customer and company
– Secure access is vital
– Data-in-motion + Data-at-rest must be secure

• Developer Implementation?
– What’s available to me?
– What’s best practice?
– How do I design, develop, test and certify?

Page 22: Secure Voice Communications The Missing Piece in Mobile Security

Application Implementation: Customer Application Example

Authentication & Encryption Solutions

• Biometric Solutions FobLock
• Good Technology GoodLink MobileDefense
• Mobile Armor Data Armor
• Palm Security 5p
• PointSec
• RSA Security SecurID
• SafeBoot Device Encryption
• TealPoint Software TealLock

Management & Security Solutions

• Credant Mobile Guardian
• IBM Tivoli Configuration Manager
• iAnywhere Afaria
• Intellisync Mobile Systems Management
• Trust Digital TRUST Enterprise Secure
• Novell Zenworks Handheld Management

Transmission & Security Solutions

• Aventail Workplace
• F5 Firepass
• IBM WebSphere Everyplace Access (WEA)
• Meetinghouse AEGIS WLAN Security Solution
• Certicom movianVPN
• Mergic Mergic VPN
• Nortel Networks Alteon SSL VPN
• WorldNet21 anthaVPN

Cryptography/PKI Toolkits

• Certicom Security Builder Crypto
• Copera AESLib
• Diversinet Passport
• RSA Security BSAFE
• Ntru Cryptosystems Security Toolkit

Messaging/Data Solutions

• Good Technology GoodLink
• Notify NotifyLink Enterprise Edition
• Intellisync Mobile Suite
• SEVEN System SEVEN
• Visto Mobile Access Solution
• Extended Systems OneBridge Mobile Groupware

My Solution!

Page 23: Secure Voice Communications The Missing Piece in Mobile Security

Application Implementation: Customer Application Example

• Multiple Solutions are really multiple problems

• Multiple instances of same/competing libraries

• Resource Utilization

• Host Processor Performance

• Platform Security is better approach

Page 24: Secure Voice Communications The Missing Piece in Mobile Security

Secure Voice Issues

• Voice must be secured between two users
– no intervening infrastructure involved

• Users may not belong to same organization
– how to manage credentials?

• Peer-to-peer authentication
• Platforms are not consistent (WinMo/Symbian/RIM/iPhone etc.)
– Audio re-routing issues difficult on Symbian, next to impossible on WinMo; not available on RIM

• Connecting two incompatible platforms is not easy

Page 25: Secure Voice Communications The Missing Piece in Mobile Security

Evaluating Solutions to Mobile Communication Security

Page 26: Secure Voice Communications The Missing Piece in Mobile Security

Implementing Security

• Three areas of expertise (in descending importance)

1. Key Management

2. Authentication

3. Encryption

• Each has particular issues to be handled
– Multiple solutions for each abound
– But…all components must be carefully integrated

• Platform vs. point-specific solutions

Page 27: Secure Voice Communications The Missing Piece in Mobile Security

• Fine mesh system
• Carefully tuned
• Fully integrated

Page 28: Secure Voice Communications The Missing Piece in Mobile Security

Need for end-to-end Security

• Connection
– Hub-and-spoke?
– Peer-to-Peer?
– Conferencing?

• Security
– End-to-end?
– Managed?

• Data Security
– In Motion?
– At Rest?

• Key escrow

• Lawful Intercept
– Mandated capability

Networks themselves must be considered insecure. In a global context, IT infrastructure approach ill-suited.

Data must be available only to designated parties. Access to secure data must be easily manageable.

Not good enough just to have a “VPN”. Data must be protected at all times: at rest, in USB tokens, memory cards etc. Securing the pipe is only a partial solution.

Need to support lawful access without divulging underlying technology

Page 29: Secure Voice Communications The Missing Piece in Mobile Security

Examples of three popular platforms

• Blackberry / WinMo / iPhone
– Three distinctly different operating systems
– Why do enterprises like each?
– How have each handled security?
– What are their risks?

Page 30: Secure Voice Communications The Missing Piece in Mobile Security

Blackberry

• Winning in the Enterprise/Gov’t
– Because of Email Integration & Security
– Widely adopted throughout the world

• E-mail handled by BES – adequate security

• Other applications don’t have security
• Voice security not addressed

Page 31: Secure Voice Communications The Missing Piece in Mobile Security

Windows Mobile

• Highly integrated into Enterprise
– Easily understood and managed by IT administrators

• Recent efforts at improving security infrastructure
– Improved methods for device connectivity
– No consistent method for application security

• Authentication/Security
– Left up to individual application designer
– Key Management mystery; often poorly managed
– Voice Security left unaddressed

• Result
– Device often packed with multiple separate instances of security technologies that often bring with them more vulnerabilities than the solution they provide
– No service opportunity for managed security

Page 32: Secure Voice Communications The Missing Piece in Mobile Security

iPhone

• Easy-to-use, consistent interface
• Not fully integrated into enterprise
• Rapidly gaining market share
• Powerful, elegant, flexible
• App Store
• Voice security unaddressed

Page 33: Secure Voice Communications The Missing Piece in Mobile Security

• Voice and Data security common problem
– Both must be addressed
– Ensure business voice calls are encrypted

• Networks are un-trusted pipes
• End-to-end security is preferred
– Data must be secured at all times: in motion, at rest
– Security must persist no matter what

• Educate senior staff on risks
• Ensure that employees understand the nature of mobile phone intercepts

Best Practices for Mobile Voice & Data Security

Page 34: Secure Voice Communications The Missing Piece in Mobile Security

• Platform security makes sense
• Use standards-based approach wherever possible
• Integrate data-at-rest, data-in-motion security
• Common framework for both transport and application security
• Use single, well thought out integrated Key Management, Authentication and Encryption solution supporting multiple contexts
• Implement in plug-in hardware
– Adaptable to any modern handset
– Secure hardware resolves all security issues
– Software bridges adaptability
– Best of both worlds!
– Management must be secure at all times

Best Practices for Mobile Voice & Data Security

Page 35: Secure Voice Communications The Missing Piece in Mobile Security

Thank You

Tony Fascenda
KoolSpan Inc.
4962 Fairmont Ave.
Bethesda, MD. 20814
Phone: 240 880-4402
E-mail: [email protected]

http://www.koolspan.com