Scrambl3: First commercial offering of NSA's Mobility Program derails surveillance

Michael Kassner
Updated

This article, Scrambl3: First commercial offering of NSA's Mobility Program derails surveillance, originally appeared on TechRepublic.com.

 Image: iStock

The Guardian's Spencer Ackerman posted an article on June 9, 2015 titled Obama lawyers asked secret court to ignore public court's decision on spying. The article starts out:

"The Obama administration has asked a secret surveillance court to ignore a federal court that found bulk surveillance illegal and to once again grant the National Security Agency the power to collect the phone records of millions of Americans for six months."

With Congress deadlocked on this issue, and the surveillance program shut down since May 31, 2015, Ackerman reports the Obama administration has moved forward. What's up for debate is whether the steps taken by the current administration are legal. Until that shakes out, each of us will have to decide how we feel about governments or anyone else surveilling what most perceive to be personal, therefore private.

Three points of view about mobile data surveillance

When it comes to surveillance of mobile-device traffic -- voice, text, or data -- three points of view surface.

  • Good: If it helps law-enforcement agencies, I'm all for it.

  • Ambivalent: I have "nothing to hide," so it does not matter.

  • Not good: Personal privacy is an individual's right. Techies with the "not good" point of view have an additional argument: If government agencies figured out how to surveil mobile traffic, the bad guys have as well.

jonhanourusmobile.png
jonhanourusmobile.png

USMobile's Jon Hanour

 Image courtesy of Jon Hanour and USMobile

Those with the "good" or "ambivalent" point of view have no concerns regarding surveillance of mobile traffic. However, people believing it is "not good" are searching for a solution, and mobile developers are working hard to provide a fix. One gentleman, in fact, was all over this before any evidence about mobile surveillance surfaced.

Phil Zimmermann (who is decidedly on the mobile surveillance is not-good side) and his team created their Silent Circle network back in 2012. I remember Zimmermann mentioning his now famous quote during a phone conversation in July 2012, "I should be able to whisper in your ear from a thousand miles away."

There are other mobile platforms, but security and privacy pundits are not happy with them. A recent announcement by USMobile, however, has the experts interested.

"The 'Dark Internet Tunnel' technology employed by USMobile's Scrambl3 private mobile platform produces an exponential increase in smartphone and tablet privacy compared to existing commercial solutions, providing peace of mind for its users," said USMobile President Jon Hanour. "Scrambl3 creates trusted connections over untrusted networks."

Scrambl3 technology

Dr. Yongge Wang, chief cryptographer/security officer at USMobile and professor at the University of North Carolina at Charlotte (UNCC), was instrumental in Scrambl3's development. Wang wrote that Scrambl3 is the first commercial offering of NSA's Mobility Program, also known as the Fishbowl Project. A key concept that Scrambl3 technology derives from the project is the use of multiple layers of encryption. Wang explained.

"Specifically, all end devices need to establish the first layer VPN channel to a common VPN server (Scrambl3's or a corporate version) before any communication can be initiated. This will keep all information flow within the corporate perimeter. After the first layered VPN protection, the actual voice/text communication is protected via a second layer of encrypted channel, which is nested within the first VPN channel."

Wang is quick to point out that secure VoIP and secure phone-call technology are not new, alluding to Zimmermann's Silent Circle technology. "However, Scrambl3 is the only solution based on publicly reviewed open standards," asserted Wang. "These standards are approved by NIST/NSA for the protection of US Federal confidential information and have been widely deployed in the industry for the protection of corporate confidential information."

As to concerns about information being stored on Scrambl3 servers, Hanour offered this explanation, "Scrambl3 only maintains Scrambl3 names and customer emails on its servers, which are highly encrypted, but not of much use because our customers are anonymous."

Dr. Yuliang Zheng, professor of cryptography at UNCC, and the independent source who conducted an analysis of Scrambl3, suggested that besides employing AES-256 and Curve P-384 based elliptic curve Suite B cryptographic techniques, Scrambl3 has the following features:

  • Double-layer encryption. No existing VoIP system is known to employ this technology.

  • Cryptographic techniques that give it a security level of 192-bits.

  • PKI-based key management that is more robust than key management techniques used by existing secure VoIP deployments.

  • It is based on deployed, mature technologies such as VPN and TLS.

Simple to use

Like most products of this type, the platform does not use the voice-side of the cellular networks; instead, mobile traffic uses 3G, 4G, or Wi-Fi to access what USMobile calls its Private Mobile Network.

Those interested can sign up for a free 60-day beta account (after the 60 days, the service will cost $10 per month). After registering, download the Scrambl3 app from Google Play (an iPhone version is forthcoming), log in to your Scrambl3 app, and start using the secure communications service.

According to my unscientific poll, the hardest part will be convincing other individuals of the need for secure mobile communications. Experts agree, suggesting businesses are likely to be more interested in this technology. To that end, Scrambl3 offers an enterprise edition.

Scrambl3 Enterprise

Dr. Wang says there are two types of VPN servers: Scrambl3's and a corporate version. USMobile partnered with IBM to test Scrambl3 Enterprise. "With Scrambl3 Enterprise, businesses and governments can create their own top secret grade mobile communications network and mobile intranet that runs exclusively on their private servers," mentions the press release. The platform will cost $500 per month for up to 50 users, and should be available in the third quarter of 2015.

NSA?

I have been writing about security long enough to know that USMobile working with the NSA on a surveillance-blocking technology such as this brings to mind the possibility of a backdoor. When I asked Hanour about this, he replied:

"Absolutely not. Scrambl3 has no backdoors and will not have backdoors. USMobile is building its reputation on providing customers with the strongest protection from all forms of surveillance, including government intrusion.

"Even though USMobile collaborated on the NSA Fishbowl architecture from 2011 to 2013, USMobile independently and uniquely engineered Scrambl3 as a Software Defined Network implementation of the Fishbowl architecture.

"The Fishbowl encryption algorithm and Internet Protocol standards employed by Scrambl3 are implemented through the use of Open Source software components, which undergo constant scrutiny by the cryptographic community."

I then asked Hanour about USMobile's collaboration with the NSA on Fishbowl. Here's his response:

"USMobile shared its virtualization experience necessary to implement the Fishbowl architecture as a 'Software Defined Network,' making it affordable for companies and certain government agencies to adopt. USMobile also shared its experience with making a mobile VPN practical by employing technology to maintain a VPN connection while a mobile device is dynamically changing its Internet connection from Wi-Fi to cellular and back."

What's your take?

Does this news from The Guardian change your mind about encrypting mobile-device communications? Do you think you'll try Scrambl3? Tell us in the discussion.

Also see

Note: TechRepublic, CNET, and Tech Pro Research are CBS Interactive properties.