Where mobile IP goes, security concerns follow

As mobile devices become more powerful, they offer new options for communications and new security challenges, too.

There are different terms for it — voice over IP, IP telephony, unified communications. But however you say it, the convergence of voice communications and Internet connectivity provides new functionality that is driving user expectations.

“The end user wants to be able to communicate anywhere, from any device,” said David Hawkins, unified communications practice manager at Iron Bow Technologies.

Those expectations are driving the adoption of mobile IP in the enterprise. Voice applications for users have matured during the past few years, and increasingly powerful mobile devices that use a mix of traditional cellular and IP connections are being widely adopted in the enterprise. “Where we are playing catch up is in their integration into the network infrastructure,” where efforts must be made to ensure that functionality does not degrade security, Hawkins said.

One infrastructure that integrates VOIP is the Defense Department’s Defense Switched Network (DSN), DOD’s nonsecure dial-up voice service based on traditional Time Division Multiplexing. “Over the last eight years, we have been working very aggressively with DOD because there is an effort to deploy VOIP,” Hawkins said.

Under the recently renamed Unified Capabilities (UC) program, the Defense Information Systems Agency has begun testing the use of VOIP via the nonclassified portion of the Defense Information Systems Network, which is DOD's data network. DISN includes the Unclassified but Sensitive IP Router Network (NIPRNet) and the Secret IP Router Network (SIPRNet).

“UC will allow DOD organizations to connect VOIP products directly to the DISN-NIPRNet for DSN service,” DISA said in a statement about the program. “Over the next 10 years, the DSN backbone is expected to largely migrate to UC.”

The Joint Interoperability Test Center is developing unified capabilities requirements, and only JITC-approved products are allowed to be used on the unclassified network. To provide the security for classified VOIP up to the secret level, DOD has a separate global network named Voice Over Secure IP, which operates via SIPRNet.

“VOSIP is nothing more than VOIP over a secure infrastructure, initially,” Hawkins said.

This works for DOD because the department owns the backbone that connects VOSIP enclaves to the rest of the network. But for many enterprises, once new functionality such as VOIP and mobile access is available on a network, internal networking policies and controls are difficult to enforce for devices that come into the network from outside.

Trellia Networks offers a mobile policy management platform that consists of an agent on the mobile device that enforces policies pushed from a server. It can automatically enforce requirements for secure connections when users connect remotely using VOIP, said Raffi Tchakmakjian, the company’s vice president of product management.

“The user doesn’t have to open up software to get connected and doesn’t have to select any network,” he said. The agent automatically selects and manages the voice connection based on policy.

The security concerns of mobile voice communications are not confined to the enterprise network. Traditional cellular service, which has long been considered difficult to intercept, is becoming vulnerable. In recent months, experts have published a lookup table for GSM mobile phone encryption keys and released an open-source software kit that can enable the interception of calls with less than $2,000 worth of commercial equipment.

“This changes the threat profile for mobile telephone interception,” said Simon Bransfield-Garth, chief executive officer of Cellcrypt. Reducing the cost of entry for cell phone interception from about $100,000 means such attacks can become mainstream. “This used to be something governments did to each other. Now it’s something much more widely available.”

The attack is significant because GSM, the Global System for Mobile Communications, is the dominant standard for cellular service globally, with about 3.5 billion users — or 80 percent of the global market in more than 200 countries. North America is one of the world’s significant holdouts, with about half of its cellular service based on TDMA, or Time Division Multiple Access technology. But use of GSM is growing here, and organizations with officials who travel abroad must deal with the vulnerability of GSM. Bransfield-Garth said his company’s primary market in the United States is federal agencies with overseas staff members.

GSM technology dates to 1988 when cell phones had little computing power, and strong encryption of the voice channel on the handheld devices was not practical. The technology used a weaker form of encryption with a 64-bit key.

“Unfortunately, technology has a way of sticking around,” Bransfield-Garth said, and the weak encryption persisted even as cell phones became smarter and advances in computing power made the 64-bit keys obsolete.

No one upgraded the encryption specified in the standard because intercepting GSM traffic was not easy, requiring a truck full of equipment that costs from $100,000 to $500,000. But that security began quickly unraveling in December 2009 with the announcement by computer engineer Karsten Nohl of the completion of a GSM code book, a lookup table of encryption keys used for GSM calls that was published on the Internet. That was followed this spring by the release of a GSM base station software stack on a bootable CD and a demonstration by Nohl and fellow reverse engineer Chris Paget of how the software and code book could be used with a commercial GSM receiver connected to a laptop to intercept, record and decrypt cellular calls.

Cellcrypt’s answer for securing GSM calls is a mobile device encryptor and enterprise gateway that encrypts voice traffic and moves cellular calls onto the IP data channel.

“Essentially, we’re doing a VOIP call over a cellular network,” said Bransfield-Garth. “It is not particularly easy, but it is efficient and effective when it works.”

The system takes advantage of mobile devices' increased computing power for advanced encryption, but it still must deal with the energy constraints of mobile equipment. “Encryption is not very amenable to battery-powered devices,” he said. To get around that limitation, the company has developed the Encrypted Mobile Content Protocol, a collection of protocols and algorithms to optimize encryption on mobile devices.

That still leaves the problem of latency, which can be deadly to voice communications.

“In pretty much all cryptography, there is a little latency,” Bransfield-Garth said. With Cellcrypt's tools, that amounts to a three-second delay in initiating a call and delays during the call of 0.5 to 1.5 seconds, depending on network conditions. He said that level of latency usually is not a problem. “You get used to it very easily.”

In addition to the added security of strong encryption, the Cellcrypt Enterprise Gateway also provides a VOIP interface with an office PBX that enables secure remote access to office telephony features, such as conference calling.

Meanwhile, the cracks in GSM security keep coming. Early this year, Adi Shamir — he’s the “S” in the RSA algorithm — demonstrated that a more advanced GSM encryption algorithm also is vulnerable to a practical attack. The next generation of mobile telephony, Long Term Evolution, is based on GSM, but it specifies two encryption standards, the Advanced Encryption Standard and Snow 3G. Each standard is intended to provide full security, and two different algorithms are specified so that if one is broken, the system can remain secure using the other.

Two large U.S. carriers, Verizon Wireless and AT&T, have announced plans to build LTE networks, but that does not mean that advanced security for mobile voice and data on these networks will be quickly available. The implementation of LTE networks will not begin widely until 2012, and there will not be much service available until 2014 or 2015. So vulnerabilities in existing systems will be with us for several more years.
