Are blackphones the new BYOD security solution?
The feeling most commonly expressed during last month’s Infosecurity exhibition in London was that the focus in cybersecurity has shifted during the previous ten years.
Instead of concentrating on protecting the perimeter of a network, examining East-West internal network packets, intrusion detection, and searching for malware signatures, most cybersecurity professionals are now looking to better protect the human element in an organization’s security posture.
In short, people, not networks, are the new target.
The BYOD security risk
That’s at least partly explained by the prevalence of BYOD, although that acronym was coined originally to describe how mobile-savvy employees were bringing into the workplace devices capable of providing necessary work tools.
These days, BYOD (‘Bring your own device’) is more of a catchall term to describe how each of us carries a highly-potent, highly-portable computing device that’s loaded with apps, data, and connectivity.
And not only do we often address work issues in and out of the workplace on these devices, but most of us run many aspects of our lives on our smartphones. We chat with friends (and colleagues), watch movies (and business presentations), call family members (and business contacts) and store personal photos (and workplace documents & media).
Those single, powerful devices are the new Swiss Army Knives in our lives. Their ubiquity and their human operatives’ fallibility make them, and us, prime targets for data exfiltration, extortion, and data compromise.
What’s the solution?
At TechHQ, we’ve seen several solutions to the security and data security issues posed by BYOD.
Some solutions are designed to prevent phones’ users from making simple, yet understandable, errors: saving documents to Dropbox, rather than Dropbox for Business apps, for example. Others attempt to create a virtual walled garden inside a phone’s operating system, whereby an area of the OS is controlled by mobile management systems. These can push approved apps and security updates to users’ devices, and ensure that only specific services are available inside a demarcated ‘work zone’.
There are considerable complications in such solutions, however, due to the multiplicity of BYOD platforms. iOS devices often cannot be managed in ways that are utterly secure, due in part to Apple’s own walled-garden approach and the strictures the company places on apps admitted to the App Store.
On Android phones, the various screen sizes, Android versions, manufacturers’ OEM spins on the OS, and methods like rooting and sideloading make pushing out and installing a single security-focused framework highly problematic.
In either OS, complications create security issues, routes for bypassing protective systems, and problems in security management.
The Blackphone era?
Shortly after the Infosecurity event, we spoke to Tero Savolainen, the Vice President of Defense & Security of Bittium, a company that offers a range of cellphones designed for use by professionals for whom security issues are paramount— people who not only wish to protect the data on their handsets but also communicate and interchange data securely.
The Finnish Bittium joins the small subset of handset providers that provide portable yet highly-secure comms devices for sensitive deployments. Suitable for clandestine government agencies? Sure, but also for business users protecting themselves and their organizations’ IP (intellectual property) from falling into the wrong hands.
“We develop the phones, the hardware, ourselves,” Tero told TechHQ. “By building [the phones] ourself, we can make [them] tamperproof, with the security element already inside the phone.”
That’s a differentiation from the products from Silent Circle, a company that was, until only a few years ago, the only serious contender capable of producing so-called ‘blackphones’ at scale.
The celebrity-endorsed Sirin phones, like Silent Circle’s Silentphone and the Blackberry KEYtwo, don’t go quite as far as the Bittium range of devices, which have what some might describe as an obsessive level of attention to detail with regard to their immutability and security.
A market for immutability
Because Bittium’s Tough Mobile range of devices is built in Finland by the company, each has physical protection baked in. Prise open the casing to get at the storage, and a tamper switch wipes the data.
Even freezing the phone to try and shut down persistent firmware or software routines that might be running even while the handset’s powered off will result in – you guessed it – a complete wipe.
And while the underlying phone is an Android device, and therefore runs an arguably open source OS, the Bittium offerings run software that’s Bittium’s creation. “It’s our own IP— we’re pretty open about that,” Tero admits.
For example, in the relatively expensive (€1550) flagship model— the Bittium Tough Mobile™ 2— Savolainen tells us, “we actually put five different containers inside the phone.”
He is referring not to Docker instances, but rather software-demarcated areas of the highly-customized Android OS, each of which can use a discrete VPN for data traffic and end-to-end encryption at any level you may choose, from carefree, right up to full-on, tinfoil hat-wearing security paranoiac.
Closing the airlock
Since Android’s general release there have been several variations on the OS which deliberately don’t include the Google ‘stack’: the apps and virtualization layers that power services like Play, Maps, Docs and so on.
That’s not to put users to deliberate inconvenience, but rather to create an OS in which Google can’t swallow up a user’s location, photos, metadata and – in fact – anything the company wants to collect.
Bittium’s Tough Mobile™ 2 is soon to appear with two variations on its OS to choose from: one that’s Google-free, and one that bites the bullet and ships with the Play store— and its accompanying low-level snooping.
The high-tech Bittium range also deploys decidedly olde-worlde approaches. As with the privacy-conscious Librem laptop range from Purism, users can physically isolate the mic and camera on the devices, as well as encrypt all media and data traffic to and from the machines.
Bittium handsets typically have five years’ support available, so the high price tags (from €1229 to €1550) need averaging out on that basis. During that time, if your organization deploys Bittium’s device management suite and you happen to stray from pre-approved geo-tracked locations, your data is – you guessed it – remotely and irretrievably wiped.
Are blackphones viable?
For organizations and companies that take their executives’ and operatives’ security seriously, the blackphone marketplace is one that will need to be explored. Government spooks aside, companies may feel they need the level of security, encryption, and infallibility offered by Bittium, Silent Circle, Sirin and the like.
But as the data giants’ leanings towards data-vacuuming from devices become more apparent, expect to see this type of security technology much more widely available.
Encryption, VPNs and manual shut-offs from tracking and interception may well even become standard for every handset. Until that’s the case, expect hackers to continue to target the weakest link in most cybersecurity defenses: the humans walking into the workplace every day carrying portable computers of great power and not insignificant risk.
18 July 2019