Feeds

Vodafone Germany looks to provide end-to-end encryption with SIM signatures

Emails, docs, VPN connections signed, encrypted by the SIM

Choosing a cloud hosting partner with confidence

German SIM card manufacturer G&D has announced that it will be supplying Vodafone Germany with an end-to-end security system based on the phone SIM.

Emails, documents and VPN connections are signed and encrypted by the SIM so that the user doesn’t have to enter a password or use a security token. The service will not be offered to individual subscribers but will be available through corporate and government sales.

It is available now for Android phones, with BB10 and Windows Phone planned, but iOS will be locked out as it does not provide the necessary access to the firmware.

The SIM integrates with a layer of the software which in turn uses the native handset apps for email and VPN access to corporate networks. All keys are held on the SIM card. Secure voice will follow.

Something Apple DOESN'T have...

Security as a service is a great attraction for mobile phone companies as there is a level of protection they can offer which is not afforded by Over The Top players. A telco has full access to signalling information and so can spot spoofed CLIs (calling line identifiers), the location a call is made from as well as mine connection data.

The GSMA has an initiative to use SIM cards and mobile phone numbers as personal identifiers. It is seen by Vodafone in particular as a way to provide value added services that cannot be done from outside the network, particularly aimed at companies with BYOD policies.

Crypto-technology does, however, fall under dual-use restrictions governed by the Wassenaar Agreement which means it can’t be exported to places where UN sanctions exist. A Vodafone Germany customer who took his phone with a crypto-SIM to one of those countries would be liable for prosecution. Ironically those are just the countries where you would probably want secure communications.

Rolf Reinema, director of security at Vodafone Germany, told The Register that while Vodafone will issue advisories, it is down to the individual company or subscriber to make sure they observe laws which govern what they take into any country they are visiting.

He did note, however, that many of the banned countries do not make the infrastructure necessary for secure calls available to visitors. A Vodafone Germany customer travelling to the UK could be required to disclose keys under The Regulation of Investigatory Powers Act 2000 (RIPA).

Under most circumstances, Vodafone does not have access to the content of the data stream, but in exceptional cases a government agency can request a legal intercept and Vodafone will provide access. I was once told by someone at a well-known telecoms company that there were three government agencies which had intercepts on Princess Diana’s phone.

No price has been given for the secure SIM solution, but the firms hint at it being reassuringly expensive (although not bad for the head). Vodafone Germany has also announced a lower cost secure voice service aimed at individual consumers using Secusmart for Blackberry 10 and has perhaps unwisely dubbed it the “Chancellor phone”.

There is a significant advantage in offering voice services through the telco rather than an over-the-top player like Counterpath, in that the mobile number can be used as the way to call both securely and insecurely depending on what bandwidth is available.

While these services are currently only available to customers in Germany, and Vodafone UK was unable to confirm any plans, it is likely that we'll see them rolled out to other territories over time. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan
Encryption would lead us all into a 'dark place', claim G-Men
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.