German SIM card manufacturer G&D has announced that it will be supplying Vodafone Germany with an end-to-end security system based on the phone SIM.
Emails, documents and VPN connections are signed and encrypted by the SIM so that the user doesn’t have to enter a password or use a security token. The service will not be offered to individual subscribers but will be available through corporate and government sales.
It is available now for Android phones, with BB10 and Windows Phone planned, but iOS will be locked out as it does not provide the necessary access to the firmware.
The SIM integrates with a layer of the software which in turn uses the native handset apps for email and VPN access to corporate networks. All keys are held on the SIM card. Secure voice will follow.
Something Apple DOESN'T have...
Security as a service is a great attraction for mobile phone companies as there is a level of protection they can offer which is not afforded by Over The Top players. A telco has full access to signalling information and so can spot spoofed CLIs (calling line identifiers), the location a call is made from as well as mine connection data.
The GSMA has an initiative to use SIM cards and mobile phone numbers as personal identifiers. It is seen by Vodafone in particular as a way to provide value added services that cannot be done from outside the network, particularly aimed at companies with BYOD policies.
Crypto-technology does, however, fall under dual-use restrictions governed by the Wassenaar Agreement which means it can’t be exported to places where UN sanctions exist. A Vodafone Germany customer who took his phone with a crypto-SIM to one of those countries would be liable for prosecution. Ironically those are just the countries where you would probably want secure communications.
Rolf Reinema, director of security at Vodafone Germany, told The Register that while Vodafone will issue advisories, it is down to the individual company or subscriber to make sure they observe laws which govern what they take into any country they are visiting.
He did note, however, that many of the banned countries do not make the infrastructure necessary for secure calls available to visitors. A Vodafone Germany customer travelling to the UK could be required to disclose keys under The Regulation of Investigatory Powers Act 2000 (RIPA).
Under most circumstances, Vodafone does not have access to the content of the data stream, but in exceptional cases a government agency can request a legal intercept and Vodafone will provide access. I was once told by someone at a well-known telecoms company that there were three government agencies which had intercepts on Princess Diana’s phone.
No price has been given for the secure SIM solution, but the firms hint at it being reassuringly expensive (although not bad for the head). Vodafone Germany has also announced a lower cost secure voice service aimed at individual consumers using Secusmart for Blackberry 10 and has perhaps unwisely dubbed it the “Chancellor phone”.
There is a significant advantage in offering voice services through the telco rather than an over-the-top player like Counterpath, in that the mobile number can be used as the way to call both securely and insecurely depending on what bandwidth is available.
While these services are currently only available to customers in Germany, and Vodafone UK was unable to confirm any plans, it is likely that we'll see them rolled out to other territories over time. ®