The National Security Agency (NSA) has developed an ultra-secure Android phone built using off-the-shelf kit that allows US Government staff to discuss top secret materials.

About 100 of the Fishbowl phones were developed and released to government staff. They were designed to comply with the NSA’s tough information security rules yet be as cheap as possible and easy to use.

Margaret Salter

The phones were designed and built by the NSA’s 40 year-old Information Assurance Directorate, which is responsible for providing secure communications to the US Government, including the Department of Defence.

The division’s head, Margaret Salter, said anyone can reproduce the phone using specifications published online today because it uses off-the-shelf components.

“The plan was to buy commercial components, layer them together and get a secure solution,” Salter said. “It uses solely commercial infrastructure to protect classified data.”

Salter said she would previously need to “speak in code” if using a commercial mobile device to discuss classified information.

Users will be able to install defence applications on the device from an enterprise app store run by the US Defence Information Systems Agency. This would ensure only secure applications were installed, and remove the need for NSA staff to otherwise vet the integrity of third party applications.

The phone is part of a wider NSA Mobility Program to design all communications technologies used for classified discussions from commercial off-the-shelf components.

The aim, Salter said, was to produce secure devices that had the ease-of-use at a low cost.

Tech troubles

The Information Assurance Directorate ran into a string of problems during the build due to a lack of interoperability between vendor products.

Salter said a lack of interoperability between SSL VPN options forced designers to use IPSEC.

Several other compromises were made but none that reduced the security of the phone, Salter said.

“We needed a voice app that did DTLS (Datagram Transport Layer Security), Suite B and SRTP (Secure Real-time Transport Protocol) and we couldn’t buy it,” Salter said. “But the industry was thinking more about session description … so we went with that.”

Fishbowl encryption

Designers were also challenged by the functionality in commercial products. Vendors were chosen not by reputation or preference, but by their support of required functionality. Each was plotted on a grid and chosen by “drawing a line through the list”.

Salter said the security specifications, such as those sought for the voice application, would be useful to everyone.

She urged colleagues to demand vendors improve unified communications interoperability.

“We need to send a message [about] standards, interoperability and plug and play," she said.

All traffic from the phone is routed through the enterprise as a primary security design goal.

“If we let it go to all kinds of places, we lost control of figuring out what the phone was doing. If I want pizza, I have to go through the enterprise which has to route me to Pizza Hut.”

Voice calls are encrypted twice in accordance with NSA policy, using IPSEC and SRTP, meaning a failure requires “two independent bad things to happen,” Salter said.

She said the Android operating system and key store were customised to be made secure enough for top secret conversations, and a “kind of police app” was designed to monitor operations on the device.