RSA CONFERENCE 2012 – Starting with Android and a handset from Motorola, the National Security Agency (NSA) said they have essentially taken offerings from column A and some from column B and come up with an idea for a secure smartphone.
“Project Fishbowl”, which is what the NSA is calling their initiative, seeks to develop a solidly secure smartphone, using commercially available designs and technology on the Android platform. The plan, the agency’s Margaret Salter explained, is to build the phone using off-the-shelf technology, strip out the unneeded components, and layer the protections in a way that lowers the attack surface.
“There are vulnerabilities in every OS,” Salter said during a talk at the RSA Conference last week, “The beauty of our strategy is that we looked at all of the components, and then took stuff out of the OS we didn’t need. This makes the attack surface very small.”
Android was selected over Apple’s iOS, Salter noted, not because there wasn’t any value in it, but that iOS didn’t have the controls needed. It’s just that Android allowed the NSA to make the modifications they wanted for this first generation of secure devices. In the future, Android will not be the only platform that the agency will use. At the show, while it was disclosed that Motorola made the handset being tested, the actual spec and model was kept out of the picture.
Developer Resource: 2011 Device Developers’ Security Report
The NSA is opening up the Fishbowl project, and the public website for it contains the draft release of the Secure Voice over IP (SVoIP) for the Enterprise Mobility Architecture.
“As a first step, this version contains guidance on the required procedures necessary to build and implement a SVoIP capability using commercial grade cellular mobile devices. Future releases will build on this architecture and will include mobile device management and data applications; and ultimately integrate the Wi-Fi service with an expanded list of end devices,” the overview explains.
Still in the development stages, Fishbowl hopes to set the standard for government and private sector mobile security. “…our hope is someone will show this to the vendors and say ‘I want that,’” Salter said.
