Feeds

Vodafone Germany looks to provide end-to-end encryption with SIM signatures

Emails, docs, VPN connections signed, encrypted by the SIM

The Essential Guide to IT Transformation

German SIM card manufacturer G&D has announced that it will be supplying Vodafone Germany with an end-to-end security system based on the phone SIM.

Emails, documents and VPN connections are signed and encrypted by the SIM so that the user doesn’t have to enter a password or use a security token. The service will not be offered to individual subscribers but will be available through corporate and government sales.

It is available now for Android phones, with BB10 and Windows Phone planned, but iOS will be locked out as it does not provide the necessary access to the firmware.

The SIM integrates with a layer of the software which in turn uses the native handset apps for email and VPN access to corporate networks. All keys are held on the SIM card. Secure voice will follow.

Something Apple DOESN'T have...

Security as a service is a great attraction for mobile phone companies as there is a level of protection they can offer which is not afforded by Over The Top players. A telco has full access to signalling information and so can spot spoofed CLIs (calling line identifiers), the location a call is made from as well as mine connection data.

The GSMA has an initiative to use SIM cards and mobile phone numbers as personal identifiers. It is seen by Vodafone in particular as a way to provide value added services that cannot be done from outside the network, particularly aimed at companies with BYOD policies.

Crypto-technology does, however, fall under dual-use restrictions governed by the Wassenaar Agreement which means it can’t be exported to places where UN sanctions exist. A Vodafone Germany customer who took his phone with a crypto-SIM to one of those countries would be liable for prosecution. Ironically those are just the countries where you would probably want secure communications.

Rolf Reinema, director of security at Vodafone Germany, told The Register that while Vodafone will issue advisories, it is down to the individual company or subscriber to make sure they observe laws which govern what they take into any country they are visiting.

He did note, however, that many of the banned countries do not make the infrastructure necessary for secure calls available to visitors. A Vodafone Germany customer travelling to the UK could be required to disclose keys under The Regulation of Investigatory Powers Act 2000 (RIPA).

Under most circumstances, Vodafone does not have access to the content of the data stream, but in exceptional cases a government agency can request a legal intercept and Vodafone will provide access. I was once told by someone at a well-known telecoms company that there were three government agencies which had intercepts on Princess Diana’s phone.

No price has been given for the secure SIM solution, but the firms hint at it being reassuringly expensive (although not bad for the head). Vodafone Germany has also announced a lower cost secure voice service aimed at individual consumers using Secusmart for Blackberry 10 and has perhaps unwisely dubbed it the “Chancellor phone”.

There is a significant advantage in offering voice services through the telco rather than an over-the-top player like Counterpath, in that the mobile number can be used as the way to call both securely and insecurely depending on what bandwidth is available.

While these services are currently only available to customers in Germany, and Vodafone UK was unable to confirm any plans, it is likely that we'll see them rolled out to other territories over time. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.