May 21, 2013

General Dynamics secures commercial smartphones for classified information

(Updated: November 2, 2016)

In February this year, the communications division of defense contractor General Dynamics presented a software platform called GD Protected. This is the first product that secures commercial available Android smartphones in a way that they can be allowed to handle classified information.

For decades, General Dynamics has been manufacturing devices for securing top level communications of the US government and armed forces, like the Sectéra voice encryption family. One of those products was a highly secure cell phone for GSM, which was produced from 2002 until 2012.



Securing common cell phones generally requires hardware solutions, but to keep in pace with the fast evolving commercial smartphone technologies, security measures are now being implemented by using software applications. For smartphones there are already quite a number of apps for encrypting voice and data, but GD Protected also secures the Android operating system (OS) in order to meet the requirements for handling classified communications.


Dual systems

To achieve a high security level, the phones need a specific hardware feature called TrustZone. This is a set of security extensions programmed into the ARM processor of the smartphone, which make that a single processor core can run a dual operating system, a secure and a normal one. The specific implementation details of TrustZone are proprietary and have not been publicly disclosed.

Initially, GD Protected comes in two different versions, one for the LG Optimus 3D Max, and one for the Samsung Galaxy S IV smartphone. General Dynamics is looking to converge the two approaches in the future, as well as supporting a broader range of Android devices. The pricing has yet to be disclosed, but the company said it would be licensed on a "very competitive" basis.

Both versions make it possible to use the same smartphone for both accessing commercial phone and internet services as well as making encrypted voice calls, using secure email and even accessing classified networks.


Secure voice and data apps

These secure communications are provided by a number of approved apps from a controlled government or enterprise app store. These include a Secure Voice over IP (SVoIP) app which encrypts voice communications and runs over the data network. Other app offerings will include secure chat and secure video conferencing. These are expected to be available in 2014.

With these apps the (voice) data will be secured using two independent layers of encryption, one at the VoIP layer, and the other at the VPN layer, using IPsec. Finally, these double encrypted data will go through servers of the NSA to be verified, logged, and re-encrypted, before being sent back out to the carrier data network and on to its destination.

For authentication there are a pair of authentication certificates residing on the handsets, as well as users being required to log-in with a password before they can use the SIP server.


GD Protected for the LG Optimus

General Dynamics first presented GD Protected at the Mobile World Congress (MWC), which was held in Barcelona from February 25-28, 2013. For this occasion, the product was installed on an LG Optimus 3D Max smartphone and demonstrated to press and public:



Demonstration of the LG Optimus 3D Max, secured by General Dynamics


For this phone, GD Protected provides two separate copies of the Android operating system, one for personal use and the other for business use. A dedicated hardware button on the phone is used to flip between the two environments. This so-called dual-persona feature allows users to seamlessly switch between personal and secure operating modes, indicated by thin green and red borders, respectively.

The personal side is completely open and acts just like a conventional smartphone, whereas the secure side is more restricted. Data is firewalled between the two sides so, for example, data from the secure side cannot be accessed or copied over to the personal side, and the secure side cannot be tampered with by malware.

This partition of the handset into two separate virtual smartphones is controlled by the OKL4 mobile hypervisor or "microvisor" platform, which was gained by General Dynamics from its acquisition of Open Kernel or OK Labs in September 2012.

Additional security is provided by the Fixmo Sentinel Integrity Services. This offers an integrity verification through advanced monitoring and remediation techniques, proactively detecting and preventing mobile device operating system tampering, policy violations, system-level state changes, and the presence of unverified third party apps. The Fixmo Sentinel Integrity Service was developed as part of an agreement with the NSA and is also used by other governments.


Overview of the GD Protected solution for the LG Optimus smartphone
(source: Engadget.com)

Compared to the solution for the Samsung Galaxy smartphone (see below), the use of a dual Android operating system for the LG Optimus offers slightly less security, but almost complete freedom on the personal side of the phone. The secured LG Optimus 3D Max will be available through General Dynamics from the end of July 2013.


GD Protected for the Samsung Galaxy

For the new Samsung Galaxy S IV smartphone, the GD Protected software comes on top of Samsung's KNOX platform, which was also presented at the Mobile World Congress in February and was developed in cooperation with General Dynamics. KNOX runs a Security Enhanced version of Android, or SE Android, which has been developed by the US National Security Agency (NSA).

The KNOX platform, which is available for government and enterprise users only, protects both data which are stored on the smartphone and data which are sent and received. KNOX creates an isolated and secured container within the memory area, with its own home screen, launcher, applications, and widgets. Applications and data inside the container are separated from applications outside the container. This secured container is created by a TrustZone-based Integrity Measurement Architecture (TIMA).

Stored data are encrypted using an Advanced Encryption Standard (AES) algorithm with a 256-bit key. For secure communications the Samsung KNOX container comes with a FIPS-certified VPN client called "per-app VPN". This supports strong IPSec VPN encryption, including Suite B cryptography, which is suited for the majority of sensitive communications by government agencies.


Overview of the KNOX platform for the Samsung Galaxy S IV
(source: Samsung.com)

With the additional GD Protected the original Android operating system of the Samsung Galaxy S IV will be replaced by a hardened Android version with even more security measures. This replacement is done by simply calling General Dynamics with the IMEI number and then the Android operating system will be replaced via an over-the-air reflash.

The hardened operating system includes root certificates from General Dynamics that replace those from Samsung. This means that any subsequent changes need to be digitally signed by General Dynamics, ensuring the integrity of the Android operating system.

Compared to the dual Android operating systems on the LG smartphone, the Samsung solution of installing new firmware offers a slightly higher level of security but at the expense of user freedom. The GD Protected platform for the Galaxy S IV will be available from May 2013.





Access to US Department of Defense networks

General Dynamics' GD Protected platform was developed according to the requirements of the program for secure mobile communications, codenamed FISHBOWL, which was presented by the NSA in February 2012. The goal of this program is to provide a secure Voice over IP capability using commercial available devices that can be approved for handling classified information.

In October 2012, the US Department of Defense (DoD) announced that they were looking for industry contractors to develop a secure communications system for at least 162.500 iPhones, iPads and Android systems. This should provide alternatives to the BlackBerry, which was until then the only device approved for secured email access to the Pentagon’s unclassified networks.

An interesting coincedence was, that when General Dynamics presented their GD Protected product last February, DoD published a plan to equip up to 600.000 mobile device users with "secure classified and protected unclassified mobile solutions" based on commercial-off-the-shelf (cots) products. This program may eventually be expanded to handle up to 8 million devices.

For use by the US military, General Dynamics already offers a two-factor sign-on process. This is done by inserting a military Common Access Card (CAC) into a separate card reader, which connects to the smartphone through Bluetooth. When a PIN code is entered on the phone, it will validate the PIN against the CAC. This was also shown in a demonstration at the MWC in Barcelona, using a Samsung Galaxy S III:



Demonstration of the two-factor sign-on process
using a Common Access Card (CAC)


On May 3 it was announced that mobile devices equipped with the Samsung KNOX platform were approved by the US Department of Defense (DoD) for use in DoD networks. The BlackBerry 10 phones, the PlayBook tablet and the BlackBerry Enterprise Service 10 were also approved, and it's expected that Apple's iPhone and iPad should gain DoD approval later this month.

However, these approvals only grant access to unclassified DoD networks (like the NIPRNet), which is often not specifically stated in press reports. Until now, the only mobile devices approved for access to classified networks are General Dynamics' Sectéra Edge and an NSA directed test version of the Motorola Razr Maxx.

When equipped with GD Protected the LG Optimus and Samsung Galaxy S IV will be the first commercial available smartphones to get access to classified networks. At the moment this can only be used for Sensitive But Unclassified (SBU) communications, but General Dynamics is hoping to attain an NSA certification for classified communications (Confidential, Secret or even Top Secret) in 2014. Only by then may these phones get access to secure networks like the SIPRNet.
Updates:

Samsung announced on October 21, 2014 that NSA had approved the Galaxy Note 4 and Galaxy S5 for use with classified US government networks and data.

As of August 2015, the GD Protected Solution left DISA's pilot stage and became operational for users of the DoD and other federal agencies. They can now access networks classified up to the level of Secret (like the SIPRNet) via commercial Samsung Galaxy smartphones under what is officially called the DoD Mobility Classified Capability - Secret (DMCC-S). DISA will now start testing devices that can work in an TS-SCI environment.


A Boeing alternative?

Early 2012 not only General Dynamics announced the development of a secure smartphone solution, but also the aerospace and defense company Boeing. The announcement of the latter company got most media attention, but this was probably mainly because (secure) phones seemed quite a strange new product for Boeing, which is by most people only known for its civil aircrafts. A preview can be found in this PDF-brochure of the Boeing Secure Mobile Enterprise program.



Unlike General Dynamics, Boeing has no history in making encryption products and as General Dynamics already presented it's software last February, nothing was heard from Boeing anymore. After a request in March, a Boeing spokesperson told this weblog, the company is still developing a trusted mobile device that will serve the US government, defense and security market. When this phone will be launched is not known yet.
Updates:

Boeing eventually launched it's secure mobile phone, called Boeing Black, in March 2014. This is a custom made device with dedicated security features.

In November 2016 it was reported that NSA director Rogers received a Boeing Black secure smartphone during a test phase for this device.




Sources and links
- DISA presentations: DoD Mobility (2016), DoD CIO’s Areas of Focus (2015)
- 29-10-2012: Pentagon plans to buy iPhones, Androids in threat to BlackBerry’s market share
- 25-02-2013: General Dynamics secures Samsung and LG Android smartphones
- 25-02-2013: General Dynamics locks down Android
- 28-02-2013: Samsung Takes Low-Key Approach on Cellphones After Reaching the Top
- 28-02-2013: General Dynamics eyes government-level security on smartphones
- 03-05-2013: DoD grants network access to Android, BlackBerry 10 devices
- 26-11-2013: DISA to Roll Out Unclassified and Classified Mobile Capabilities, App Store

No comments:

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties