The NSA (National Security Agency) has developed an Android phone that meets "Top Secret" criteria using off-the-shelf components. The Information Assurance Directorate (IAD) built and deployed 100 units of the device, dubbed the fishbowl phone, and division head Margaret Salter says that anyone can recreate the phones using the specs published on the NSA website.

The plan was to buy commercial components, layer them together and get a secure solution. It uses solely commercial infrastructure to protect classified data.

 -- IAD Department head Margaret Salter

The new phones, which even have their own secure enterprise application store, mean that users no longer have to speak in code when talking about government secrets. The phones use IPsec VPNs, and voice sessions use Datagram Transport Layer Security (DTLS) and the Secure Real-time Transport Protocol (SRTP), so calls are safe from prying eyes. The voice application security specification was published because Salter thinks it would be useful to everyone. Voice calls are encrypted twice, and all go through the NSA enterprise servers to maintain control and keep communications safe between only the parties involved.

It appears that choosing the components was a bit difficult, and Salter urges her colleagues to "demand vendors improve unified communications interoperability". The parts weren't chosen by brand, and instead were chosen for the way they supported the required functionality. This means that a part from one vendor had to work well with a part from another vendor, which proved difficult. None of the compromises that had to be made reduced the security of the phone. In addition, a "police app" was designed to monitor all operations of the device in case any portion was compromised. 

'Droid does top secret.

Source: SC Magazine; via Android Central forums

Thanks, DenverRalphy!


Reader comments

NSA builds Android phone for 'Top Secret' communication


Jerry, I had to log in just to post a thanks for the great article and the humor of the picture. I love "Get Smart". I think Maxwell would fit in just fine as an NSA agent, lol!

You can get most of what they offer with your own Asterisk server accepting TLS connections. Then your Android phone just uses its data network and a SIP client to make TLS-encrypted SIP connections to that Asterisk box.

The interesting thing here is that the phone relies on double encryption layer techniques to transmit VoIP over Virtual Private Networks (pretty much ignoring the entire carrier voice channels).
This is a pure VoIP solution.

There is not a great deal new here in the VoIP call handling portion, other than how they handle the server side of stuff. Basically they propose to use SIP/TLS connections (already supported by CSipSimple, Asterisk, and many SIP providers).

This then is wrapped in a VPN that runs between the SIP servers, so that there is no place along the path where the data (VoIP channel) is not encrypted, and in many cases it's encrypted via two layers.

You use a VPN on your phone (Android already has that), and then you send VoIP/SIP through that VPN with TLS encryption layered in.

That the NSA is suggesting this, says to me that cracking the encryption afforded by VPNs and TLS data streams (on the fly) is not that hard for them any more. Why else would they suggest a method publicly that they themselves couldn't monitor?

You pretty much can't buy an encrypted phone any more commercially.

But with CSipSimple (as well as a couple of other Android clients) you can use TLS, have great voice quality, and be assured the only place where the packets aren't encrypted is inside the SIP server itself if both ends are on the same server. If that server is your own Asterisk server you are golden.
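
Added example, not part of the original comments or of the NSA specification: TLS on the SIP connection protects the signaling, while the voice travels as RTP and is encrypted only if the session description (SDP) negotiates SRTP, the protocol the article names. This Python function classifies each media stream in an SDP body so a deployment can confirm that calls are not falling back to cleartext RTP. The function name, verdict labels and sample SDP bodies are constructed for illustration.

```python
# Added example: classify how each media stream in an SDP body is protected.
PLAIN = {"RTP/AVP", "RTP/AVPF"}
SRTP = {"RTP/SAVP", "RTP/SAVPF"}
DTLS = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed SDP bodies (documentation-range address, placeholder key material).
PLAIN_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 40000 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""
SDES_OFFER = (PLAIN_OFFER.replace("RTP/AVP", "RTP/SAVP")
              + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER\n")
DTLS_OFFER = (PLAIN_OFFER.replace("RTP/AVP", "UDP/TLS/RTP/SAVP")
              .replace("t=0 0\n", "t=0 0\na=fingerprint:sha-256 CONSTRUCTED:PLACEHOLDER\n"))


def classify_media(sdp, signaling_tls):
    """Return [(media, verdict)] for every m= section of an SDP offer or answer."""
    session_attrs, sections = [], []
    for line in (l.strip() for l in sdp.splitlines()):
        parts = line[2:].split()
        if line.startswith("m=") and len(parts) >= 3:
            sections.append({"media": parts[0], "port": int(parts[1].split("/")[0]),
                             "proto": parts[2].upper(), "attrs": []})
        elif line.startswith("a="):
            (sections[-1]["attrs"] if sections else session_attrs).append(line[2:])
    verdicts = []
    for s in sections:
        # a=crypto (SDES) is media-level only; a=fingerprint may be session-level.
        sdes = any(a.startswith("crypto:") for a in s["attrs"])
        dtls = any(a.startswith("fingerprint:") for a in s["attrs"] + session_attrs)
        if s["port"] == 0:
            verdict = "rejected"            # stream declined, nothing is sent
        elif s["proto"] in PLAIN:
            verdict = "cleartext-rtp"       # this profile permits unencrypted RTP
        elif s["proto"] in DTLS and dtls:
            verdict = "dtls-srtp"           # keys agreed on the media path itself
        elif s["proto"] in SRTP and sdes:
            # SDES carries the SRTP master key inside the SDP, so it is only as
            # private as the signaling channel, and the SIP server always sees it.
            verdict = "sdes-srtp" if signaling_tls else "sdes-key-exposed"
        else:
            verdict = "unkeyed"             # secure profile but no key material
        verdicts.append((s["media"], verdict))
    return verdicts
```

A `cleartext-rtp` or `sdes-key-exposed` verdict on a call that used SIP/TLS means the audio is protected only by whatever outer layer, such as the VPN, is in place.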

"That the NSA is suggesting this, says to me that cracking the encryption afforded by VPNs and TLS data streams (on the fly) is not that hard for them any more. Why else would they suggest a method publicly that they themselves couldn't monitor?"

That seemed reasonable to me at first, but, after thinking about it, I'm not so sure. This would only make sense if they were absolutely sure that only they have the ability to crack that encryption, and that would be a foolish assumption to make. I'd be willing to bet that, if the NSA can do it, the Russians and Chinese can, too, or, if they can't right now, they'll soon be able to do it. If that's the case, it would be quite foolish to deploy these devices for extremely sensitive government communications, which is exactly what they're doing.

What I think they're more worried about are security breaches involving high-value government and corporate communications, especially when people travel overseas, especially to countries like China, where you have to operate under the assumption that, if you've got information that would benefit the Chinese in any way, they're actively monitoring you from the moment you arrive to the moment you leave, and potentially after if they can compromise your phone or computer while you're there. Those are the kinds of leaks that the government and corporations want to stop. And, think about it, if the NSA is perceived by these companies as being the guys who are helping them improve their security, then they build good relations, which means the NSA can later call in a favor or two, and they're likely to be received warmly. As for you and me, it isn't likely that we're going to switch to a system like this because, to make it work, you need a central server for the traffic to be routed through, and then all your friends and family have to use that server to talk to each other.

But such a system could indeed benefit the NSA, even if they can't decrypt the traffic. If some group they're interested in were to adopt such a system, that means that group needs a central server to route traffic, and that's a point where, if you can get access, you can see where all the connections are coming from. You may not know what's being said, but you will know who's talking to whom, something that might be harder to do on an international level when traffic is being routed all over the place and possibly through telecom companies that aren't going to let the NSA have access to their switches. I'm not saying that monitoring in that way is impossible, but, with this system, each group implementing it is creating a nice little map of all their members via their devices and central server.

Actually, a locked bootloader would be a good idea in this case, provided you were the one who locked it. Since the security is contained in the phone's software, the best way to compromise it would be to flash a compromised ROM onto it. As a user, you don't want that to happen, and that's where the locked bootloader comes in. Of course, as the user, you want to be able to unlock it and re-flash, either if you suspect the device has been compromised or on a regular basis, just in case.

Why? Google knows that any government device will be locked down like a supermax prison. But what Google also knows is that Android's adoption by government will bolster Android in the business sector. And Google also benefits from NSA essentially developing the security elements of Android for them.

I love that they have their own app market.
Remote Wiretap Extreme HD for Tegra $4.99
Brute Force .Rar Password Cracker $2.99 - *Updated in this version: New neon color themes! - boogaloo green, flagrant pink, electric blue, candy yellow!

"Would you believe that it has Jellybean?"
"Would you believe Ice Cream Sandwich?"
"Ah, uh, how about Gingerbread then?"

Or the ever popular "Missed it by [holds fingers about 1mm apart] that much."

RIP Mr. Adams.