Cellphone Assured Identity Solution Offers Promise
Mobile device use in a secure facility may be possible with hardware safeguards.
Mobile technology is not always available to military or government personnel in all environments. Operating in a secure facility requires cellular phones or other mobile devices to be stowed outside the door. Companies are preparing solutions to enable the use of mobile devices in such accredited facilities in ways not seen before.
“The Defense Department deals with very sophisticated adversaries, and as a result, those devices are banned in many places and need to be controlled,” says Mike Fong, founder and CEO of Privoro.
The Defense Information Systems Agency, or DISA, recently selected Phoenix-based Privoro—a mobile hardware security company—and St. Louis-based World Wide Technology (WWT)—a technology integrator that provides digital strategy, innovative technology and supply chain solutions to large public and private organizations—to create a prototype system for iOS-based devices. The system would provide mobile safeguards and sensor controls and, via a mobile device management platform, enforce device policy compliance. Such a product would enable military and government employees to use an iOS cellphone in a secure facility. And the solution would adhere to the Committee on National Security Systems policy requirements regarding cellphones, Fong says.
Following the development of the prototype, Privoro and WWT will provide a trusted identity solution by attaching individual user characteristics to the secure hardware platform to ensure trusted mobile access. “The solution will address access to sensitive information at the edge, as well as security concerns that have led to smartphone bans across the government,” the companies stated in a recent announcement.
The solution hinges on Privoro’s so-called SafeCase technology, an adjacent-to-the-phone hardware solution that controls an iPhone’s sensors to prevent the device from being used for surveillance either through the cameras or microphone—even if the phone is undetectably compromised by an attacker. “If you deal with sensitive or confidential information, you need the microphones to listen only when you want them to listen,” the CEO says.
A smartphone is designed to collect a lot of data, either through the microphones or the cameras, Fong continues. “For example, the iPhone has four very sensitive microphones and several cameras,” he explains. “It has all these sensors, and more and more, applications may be listening—not even malicious ones—and you need to be able to control it all. And as voice becomes the primary interface for all of our devices, or applications become more and more voice enabled, users need to be able to control the sensors used in those interfaces.”
The platform performs anti-surveillance functions by jamming a device’s microphones and covering the cameras. “It still gives you full use of your phone, so you can use any application, text or email,” Fong states. “If you want to make a phone call, take a picture or record a video, you can in one motion expose the cameras and microphones by raising the hood of our device. It is like an iPhone case. You turn the jamming off, make a phone call, then reactivate the protections.”
The platform goes all the way down to the chip layer, offering independent hardware root of trust. “That, combined with a specialized security architecture, makes us resistant to even chip and firmware-based attacks,” Fong attests. “It starts to let people leverage commercial mobile devices and take advantage of the mobility tidal wave, but does so in terms that meet the security requirements of a government customer. So, suddenly you have something you can trust that is based next to the commercial phone.”
WWT will take the technology that Privoro is developing and integrate it into the DISA infrastructure and architecture, says Rick Pina, chief technology advisor, Public Sector, WWT. “When we are working with a manufacturer like Privoro that has spent considerable time, energy and effort into developing a technology that meets a specific use case, often the manufacturer is not familiar with the nuances and challenges of government agencies,” Pina notes. The company has a laboratory in St. Louis where it will test and integrate the technology to make sure it is a deployable solution for DISA within the Defense Department policies and requirements.
In addition, Privoro has a contract with the Air Force through the Small Business Innovation Research efforts of its innovation hub, AFWERX, and the Air Force Research Laboratory. Under that effort, the company will provide the SafeCase anti-surveillance mobile device technology to be used in conjunction with the Air Force’s mobile device management (MDM) system. The technology will prevent mobile espionage, again by jamming the microphones and blocking the cameras of an iOS device, as well as provide a trusted location solution to aid Air Force Command Center awareness of its forces, improving the safety of its personnel.
“If you are sharing your location information from your commercial phone, it could be compromised and it could create issues related to operational security,” he states. “We use an independent set of sensors to validate that location and once we have that, we transmit the information via our encrypted tunnels from our SafeCase portal, so it can’t be intercepted or have a man in the middle [attack]. We basically act like a trusted location authority.”
Privoro is working with Mountain View, California-based MobileIron, which specializes in creating MDM platforms and policy engines. MobileIron will create the MDM structure to support the trusted identity solution for Air Force use. The MDM system will help identify, manage and track the service’s mobile devices.
The Air Force had indicated that it wanted to set and enforce policy around the SafeCase protections, Fong adds. “For example, let’s say we were going to put a geofence around a facility, and we were going to let people take their phones into the facility,” he explains. “If they were to expose the camera or the microphone inside the facility, we would use our MDM software to take actions on the phone.”
The safe case would report an event to the cloud, and send a message to the MDM, which triggers a policy action, such as issuing an alert, locking the phone, removing applications or taking any other MDM-related steps. “The key for us is to trigger a policy action that is customized, such as an exposed camera or a microphone, or a phone taken out of the SafeCase,” Fong notes.
Down the road, trusted location could be a trait used in assured identity, Fong posits.
“Identity is such a foundational element of cybersecurity, and the important thing is to be able to anchor identity in hardware as opposed to just software because that is a much higher level of security,” the CEO states.