The use of cell phones (and tablet PCs) for email and SMS services has raised data security concerns in many organizations, but nowhere more so than among hardware designers and their various partners.
Cellular voice and data communications are often assumed to be protected because the GSM cell phone standard utilizes a type of encryption known as the “A5/1” cipher. A cipher is an algorithm (or series of steps) for performing encryption or decryption. Reportedly the general design of the A5/1 cipher was leaked in 1994 and was almost completely cracked by Marc Briceno in 1999. So you cannot depend on your cell phone service provider to protect your voice and data privacy completely.
More on the GSM “Crack” can be found here.
At the same time, criminals have been perfecting malware for mobile devices. This malware is spread via email, Bluetooth and SMS communication as well as via subverted apps. Modern malware doesn’t always announce itself and many times the victims do not even realize that they have been hacked. Once you have malware, you cannot trust your phone or tablet PC operating system (OS) to ever perform securely again.
Some anti-malware vendors have released mobile versions of their products, and other vendors have come out with software-based Virtual Private Network (VPN) solutions to help mitigate the risk, but the effectiveness of software solutions alone is questionable, since these must run within the context of the vulnerable smartphone operating system.
Governments and militaries have solved similar problems by reliance on the Hardware Security Module (HSM). These ultra-specialized computer chips are protected from tampering and this protection is often validated by US Federal Information Processing Standard 140-2 (FIPS 140-2). Unfortunately, the cost of a single HSM has prohibited their widespread adoption outside of financial services, core telecommunications and military applications. Enter Moore’s Law and some hard work and we are now seeing phone-friendly HSMs that are smaller than a fingertip and priced (in bulk) around $100!
At RSA this week Go-Trust Technology debuted a microSD card HSM that works with your existing smartphone or tablet PC VPN client. This tiny card provides secure hardware-based authentication and encryption/decryption and slots right into your smartphone. No modification is required to the mobile device or OS, not even the installation of a driver.
The Go-Trust microSD HSM supports AES, RSA, SHA1, SHA256 and Triple DES as well as Diffie-Hellman key exchange. A 32-bit ARM processor and (up to) 8GB of flash memory within the microSD perform all crypto processing and secure data storage, effectively removing the phone OS from the party.
Updated: Minor technical correction, removed ISO/IEC 15408.