Securing Tablet PC and Cell Phone Voice and Data in the Entertainment Industry – Leticia Smith
M&E Tech has been covering the RSA Conference, one of the most influential information security events in the US for the past 20 years. The show floor is full of products both to keep data at rest secure and to enhance secure communications. Many of these products use encryption to render the data unreadable by unauthorized parties.
Professionals in the entertainment industry have already discovered the value of encryption to protect dailies and other large data files from being intercepted by pirates and competitors. However, even these savvy organizations are often surprised by the amount of information that can be revealed by the monitoring of staff voice and data communications over smartphones and tablet PCs.
The use of cell phones (and tablet PCs) for email and SMS services has raised data security concerns in many organizations, but nowhere more than among major movie and music studios, game developers and their various partners. Why?
Cellular voice and data communications are sometimes assumed to be protected because the GSM cell phone standard utilizes a type of encryption known as the “A5/1” cipher. A cipher is an algorithm (or series of steps) for performing encryption or decryption. Reportedly, the general design of the A5/1 cipher was leaked in 1994 and was completely cracked by Marc Briceno in 1999. So you cannot depend on your cell phone service provider to protect your voice and data privacy completely.
At the same time, criminals have been perfecting malware for mobile devices. This malware is spread via email, Bluetooth and SMS communication as well as via subverted apps. Modern malware doesn’t always announce itself and many times the victims do not even realize that they have been hacked. Once you have malware, you cannot trust your phone or tablet PC operating system (OS) to ever perform securely again.
Some anti-malware vendors have released mobile versions of their products, and other vendors have come out with software-based Virtual Private Network (VPN) solutions to help mitigate the risk, but the effectiveness of software solutions alone is questionable since these must run within the context of the vulnerable smartphone operating system.
Governments and militaries have solved similar problems by relying on the Hardware Security Module (HSM). These ultra-specialized computer chips are protected from tampering and this protection is often validated according to the US Federal Information Processing Standards 140-2 (FIPS 140-2) or ISO/IEC 15408. Unfortunately, the cost of a single HSM has prohibited their widespread adoption outside of financial services, core telecommunications and military applications.
Enter Moore’s Law and some hard work and we are now seeing phone-friendly HSMs that are smaller than a fingertip and priced (in bulk) around $100!
At RSA this week, Go-Trust Technology debuted a microSD card HSM that works with your existing smartphone or tablet PC VPN client. This tiny card provides secure hardware-based authentication and encryption/decryption and slots right into your smartphone. No modification is required to the mobile device or OS, not even the installation of a driver.
The Go-Trust microSD HSM supports AES, RSA, SHA1, SHA256 and Triple DES as well as Diffie-Hellman key exchange. A 32-bit ARM processor and (up to) 8GB of flash memory within the microSD perform all crypto processing and secure data storage, effectively removing the phone OS from the party.
Leticia C. Smith, CISSP @ RSA