Wednesday, January 14, 2009

Obama's new BlackBerry: The NSA's secure PDA?

Bill Clinton sent only two e-mail messages as president and has yet to pick up the habit. George W. Bush ceased using e-mail in January 2001 but has said he's looking forward to e-mailing "my buddies" after leaving Washington, D.C.

Barack Obama, though, is a serious e-mail addict. "I'm still clinging to my BlackBerry," he said in a recent interview with CNBC. "They're going to pry it out of my hands."

Obama's new BlackBerry: The NSA's secure PDA?

One reason to curb presidential BlackBerrying is the possibility of eavesdropping by hackers and other digital snoops. While Research In Motion offers encryption, the U.S. government has stricter requirements for communications security.

"Without more details I would have to say that putting sensitive or classified information on a BlackBerry is a risky proposition," said Greg Shipley, chief technology officer at Neohapsis, a governance, risk, and compliance consultancy.

Fortunately for an enthusiastic e-mailer-in-chief, some handheld devices have been officially blessed as secure enough to handle even classified documents, e-mail, and Web browsing.

Obama's new BlackBerry: The NSA's secure PDA?
The Sectera Edge (Credit: General Dynamics)

One is General Dynamics' Sectera Edge, a combination phone-PDA that's been certified by the National Security Agency as being acceptable for Top Secret voice communications and Secret e-mail and Web sites. Through three separate interchangeable modules, it works with Wi-Fi, GSM, or CDMA networks, and is dust-proof, waterproof, and rugged enough to survive repeated 4-foot drops onto concrete. Physically, it's a chunkier second cousin to the Palm Treo 750, though with an additional LCD display below the keyboard.

The price is $3,350 with a two-year warranty, a princely sum that's reflected in the Pentagon-worthy price tags for accessories: a simple adapter for a lighter plug costs $100. (Never again should you complain about how much your civilian analogue costs.)

The Sectera runs a mobile version of Microsoft Windows, including versions of Word, Excel, PowerPoint, and Windows Media Player. The NSA claims that the installed versions of Internet Explorer, WordPad, and Windows Messenger are good enough for data that's classified at a level of Secret. Presumably the federal spooks have found a way to protect IE from the numerous security flaws that continue to plague the Internet's most popular browser.

The NSA declined to comment on Monday.

L-3 Communications' Guardian, still in development, is similar, but sports a chunkier antenna and a slightly less conventional keyboard shaped like a V. It, too, runs Windows, boasts a stylus and QWERTY keyboard, supports desktop synchronization, and can be used on secure data plans with AT&T, Sprint, T-Mobile, and, internationally, Worldcell. Files stored locally are encrypted.

Both PDA-phones owe their existence to a Defense Department project called SME-PED, meaning Secure Mobile Environment Portable Electronic Device. Because the SME-PED was explicitly designed to act as a classified-information-friendly replacement for a BlackBerry, it should be an easy switch for a President Obama.

That's assuming he still feels like e-mailing after Inauguration Day. Even though President Bush enjoys the same access to NSA-certified handhelds, he has never resumed his daily e-mail habit from the days when he went by the humble moniker of G94B@aol.com. (On January 17, 2001, Bush sent out this sad farewell: "Since I do not want my private conversations looked at by those out to embarrass, the only course of action is not to correspond in cyberspace. This saddens me. I have enjoyed conversing with each of you.")

At the time, Karen Hughes, one of Bush's closest aides, said that the president chose to abandon e-mail because of public records laws. That includes the Freedom of Information Act, or FOIA, and the Presidential Records Act of 1978.

Obama may find the convenience of wireless e-mail a pleasure difficult to give up. News reports during the presidential campaign described how he relied on his BlackBerry to bypass aides, which was even satirized by the Onion.

He checked e-mail during his daughter's football games, e-chatted with actress Scarlett Johansson, and before the New Hampshire primary told CNET News that the BlackBerry was his favorite gadget. On the other hand, Republican VP candidate Sarah Palin's e-mail breach is still within recent memory, as are the Bush White House's legal troubles stemming from the use of Republican National Committee e-mail systems.

"It's not just the flow of information," Obama said in the recent interview. "I mean, I can get somebody to print out clips for me, and I can read newspapers. What it has to do with is having mechanisms where you are interacting with people who are outside of the White House in a meaningful way. And I've got to look for every opportunity to do that--ways that aren't scripted, ways that aren't controlled, ways where, you know, people aren't just complimenting you or standing up when you enter into a room, ways of staying grounded."

Federal law does explicitly exempt from disclosure any "personal records" that do not relate to the president's official function. Those include electronic records that are "of a purely private or non-public character" and don't relate to official duties; the law lists diaries, journals, notes, and presidential campaign materials as examples. Similarly, FOIA prevents files from being released if the disclosure would significantly jeopardize "personal privacy."

In other words, Obama could choose to keep e-mailing judiciously, and trust his lawyers and the law to fend off overly nosy journalists and historians.

Wireless devices: What price convenience?
One thing that security experts can agree on is that despite RIM's efforts, a BlackBerry probably isn't up to the security standards for a leader of the free (or even unfree) world.

BlackBerrys can become infected with viruses that install spyware or turn the microphone on and record conversations, malware can be inadvertently downloaded, e-mail and text messages can be intercepted, and, of course, they can be lost or stolen, said Dan Hoffman, chief technology officer of SMobile Systems, which sells antivirus software for the devices.

The National Vulnerability Database, which is sponsored by the Department of Homeland Security's National Cyber Security Division, lists 14 vulnerabilities for BlackBerrys. Those include ways that a malicious attacker can install malware, and perhaps crash the device through a so-called denial of service attack.

It's not like snoopy computer utilities are difficult to find. Flexispy.com sells spyware that can be installed by someone with physical possession of a phone for 15 minutes. The creators boast that their software, once installed, can "bug a room or person" and "catch cheating husbands."

The U.S. government uses special ciphers for secret information and they use different data networks from the public data networks, said Phil Dunkelberger, chief executive of encryption provider PGP Corp. "Unless you're using point-to-point encryption technology...or the mail itself is encrypted, you would have exposure to people administering the network." And, on a related note, we know that Obama's cell phone records through Verizon were improperly accessed last year.

There's also the risk of someone tracking the coordinates of a BlackBerry through the device's built-in GPS or the carrier's ability to triangulate on the signal--something that police, for instance, claim they should be able to do without a search warrant or evidence of criminal activity. Bush White House aides say that security concerns prompted them to disable the GPS feature on their BlackBerrys.

James Atkinson, president of Granite Island Group, an engineering firm that helps the government protect classified networks and equipment, pointed this out as a possible security vulnerability. "You can identify where a person is without gaining access to the cell phone network just by the timing of the signals, Atkinson said. "You can identify who is sitting in which seat in a conference room from a couple thousand feet away."

Then again, it's not like the president of the United States and his entourage travel incognito that often.

If nothing else works, Obama can always turn to Bush for some tips. Not his immediate predecessor, but former President George H.W. Bush, a late-in-life convert to the joys of e-mail. Bush the Elder has been quoted as saying: "I'm what you might call a black belt wireless e-mailer."

Declan MuCullagh's story was originally published on CNET News.com.

CNET News' Elinor Mills contributed to this report.

  • Worm surge exploits Microsoft vulnerability
  • Sophos: One Web page infected every five seconds
  • No comments: