
Enhancing Smart Device Security: Protecting Critical Information in the Field

Jeff Voas, PhD, FIEEE, FAAAS, FIET


Story

1. Invite Reason: Possibly some of your folks work in the same hostile environment in the Middle East as do US soldiers
2. Approached by DARPA in Feb. 2010 with the question: how do you vet mobile apps for security concerns?
3. DARPA had a new software acquisition model in mind (economic)
4. Military wanted smartphones versus radio packs
5. Outcome: Methodology for rebuilding OTS smartphones for hostile and non-hostile environments
6. Starting point: What does it mean to assure and trust smart devices and apps?

“A consumer [patient] may not be able to assess accurately whether a particular drug is safe, but [they] can be reasonably confident that drugs obtained from approved sources have the endorsement of the U.S. Food and Drug Administration (FDA) which confers important safety information. Computer system trustworthiness has nothing comparable to the FDA. The problem is both the absence of standard metrics and a generally accepted organization that could conduct such assessments. There is no Consumer Reports for Trustworthiness.”

[Source: “Trust in Cyberspace,” National Academy of Sciences Report, National Academy Press, 1998.]

Old, But Sadly Still True:

1998?

Terminology

• Assurance is a function of

• Assessments, that are a function of

• Measurements

Premise for App Vetting

Third party apps should be tagged with some guarantee (or “warm fuzzy”) about the app’s quality.

• Situation: Software Of Unknown Pedigree (SOUP)
• Goal: Software of Known Pedigree

Problems:

1. What is “good” software?

2. Or is the question “good enough”?

3. Or is the question “better”?

4. Who creates “a” vetting criteria of quality?

5. What are the criteria?

Why Is the Problem Hard?

• Software is non-Physical!
• Physical sciences have measures
• Software has measures, often direct, but with no correlation to behaviorally “how good?, better?”
• Question: Is there physics (e.g., a periodic table) for non-physical systems?
• Question: A Defined, Timely, Repeatable Vetting (Certification) Process that Ensures Fairness?

Ah, But a Solution?

• We know how to build highly reliable software in accordance with specific guidelines
• Q: Who does this?
• A: Regulated industry sectors (e.g., nuclear, avionics, medical)
  – $1K+/LOC?
  – Will anyone “non-regulated” pay such costs?

Three Key Messages That App Vetting Can Convey

• Compliance with Standards vs.

• Compliance with Requirements vs.

• Fitness for Purpose

Threat Space

[Diagram labels: Environment, Software, Physical System]

System{Reliability, Security, Performance, Availability, Safety, ..}

Assurance ‘Grand Scheme’ Model

[Diagram labels: 3rd party; Threat Space, Environment, Software, Physical System; Time axis from t0 to t∞; P1, P2, E1, E2, T1, T2, v1, v2]

Assurance is Temporal: Time Changes Everything

[Diagram labels: outpost, App Developers, App Store, Banks]

• Concerned originally about apps
• Vetted 3rd party apps go into app store
• If feedback is good, an app becomes app store accepted and money is deposited

Smartphone Project

Supply Chain Problem?

Goal (not original): Take an OTS smart-phone (Phone A), and re-engineer it through customizations (becoming Phone B) such that a user:

(1) Notices little difference between A and B,
(2) Receives greater data security advantages,
(3) Retains expected performance, and
(4) Receives a smartphone that satisfies military needs in battlefield/hostile situations

Risks in Mobile Security Supply Chain

[Diagram labels: Devices; Secure, Verify, Test, Deploy; Enterprise Security; Device Provisioning; Hardware & App Providers]

Military Concerns

• Lost Phone - Forensics

• Password Length

• Counterfeit phone parts or apps

• Personnel Localization

• Camera Localization

• Identity Management

• Power Consumption

• Upgrade Policy

Approach

• Quarantine “any” functionality if deemed “risky.”

• Secure/Vet all software apps

• Build app vetting process and app-store

• Secure hardware

• Rewrite encryption

• Sign “our” vetted apps

• Encourage a policy for app updates

• Secure the OS (as best possible)

• Rewrite app permissions when warranted/allowed


App Vetting Workflow

[Diagram labels: App Testing Portal (ATP); TRANSAPPS MARKETPLACE; Developer; App (Source/APK); Test Tools; Reports; Repository; Metadata, status, reports; Assessor; Summary, Risk Assessment, Recommendation; Approver (DARPA); Approve/Disapprove; NIST-Signed APK; User]


Component Architecture

[Diagram labels: App Testing Portal (ATP); App Testing Portal Management Interface; App (Source/APK); NIST-Signed APK; Metadata, status, reports; Configuration files; APK, reports. ATP components: Request Manager, Tool Adapters, Report Manager, Marketplace Adapter, UI Manager, Repository Manager, App PreProcessor, Tool Adapter Manager, App Status Manager, APK and File Manager, Configuration Manager]

Result (1)

• Thousands of modified smart-phones (from this project) in use today
  – Afghanistan/Iraq
  – 2013 Obama Inauguration
  – 2013 Boston 4th of July Celebration
• Reduced the need for soldiers to carry heavy radio packs while offering most of the core features of smart-phones, e.g., cameras, apps, localization, velocity, etc. that radio packs may lack
• Language translation, better maps

Result (2)

Transition Plan: To a Federal government agency such as DISA, NSA, DHS, or DoJ currently in discussions – DARPA makes the final decision as to whom within the Federal government it is transitioned to (and/or commercializes it).

General Conclusion for NIST’s App Vetting Workflow Process

A 3rd party software vetting approach such as the one built at NIST for DARPA can be employed for COTS, GOTS, open source, and a variety of hybrid software types.

NOTE: This is likely not a viable model for app assurance for major commercial app store enterprises, where apps are numerous and sold for minimal dollars. Scalability is an issue.

The key to 3rd party app vetting is: (1) tools, (2) how good are they?, and (3) how accurate/reliable is the human assessor and/or approver?

Vendor testimonials and other vendor supplied artifacts can also be used as partial evidence to support the argument for inclusion in an app store.

Closing Thoughts

1. Apps are often 3rd party
2. Apps may carry “inherited behaviors” and potentially “malicious” or “faulty” behaviors
3. Counterfeit apps are problematic
4. App malware is inevitable
5. NIST Special Publication (SP) 800-163: Technical Considerations for Testing and Vetting Mobile Applications (DRAFT) addresses assessing 3rd party apps via a defined process. Currently in NIST internal review. Advanced copies can be released to USGov employees if requested and approved.

QUOTES TRANSAPPS/PANTHR - Same

• “In three tours, being fielded lots of systems I’ve always been left wanting for more. Not this time.” -MAJ Casiano, 4/4 CAV Squadron XO
• “I'll keep my analog 'til the day I die, but the technology on this I'm sold!” -CPT William - A Co CDR
• “If it weren't for these phones it would be catastrophic. Wouldn't have hit our objective” -2LT Villanueva - 1PLT A Co CDR
• “These gizmos are gonna save some lives. It's gonna save a lot of lives!” -CPT William - A Co CDR
• “I hear nothing but good things about those phones from my guys!” -1SG - A Co 1SG
• “My squad leader showed this device to me on an Air Assault Mission. It was perfect, it led us directly to the HVT house. I can’t wait to get one.” –SPC Kidwell, point man for 3 PLT/B/2/87 IN
• “These phones are money! All my guys are singing praises because of them” -CPT William - A Co CDR
• “Thank God for TransApps on that air assault, we pushed 1.5k north and had no mapsets-it wasn’t anticipated to go there.” –CPT Ferguson, Cdr, C/2/87 IN
• “I told my ex-wife (she’s military) all about this. I can care less for her but these phones will save lives!” -1SG - D Co 1SG
• “OMG this is some next level sh*t!” -CPT William - A Co CDR
• “You know what’s cool about this? This is what Land Warrior should have been.” -1LT Skidmore, XO, B/1/32 IN

• “The success of this mission was due in part to the TransApps devices” -CPT Herr
• “Using common graphics (building numbers) and the TransApps smart phones, Attack Main provided a talk-on to the position to BJ26 on the Battery Net. Persistent surveillance by the PGSS, common graphics (building numbers), and the use of the smart phones allowed Attack Company to provide a rapid and concise talk-on to Blackjack Battery.” -CPT Herr
• “Awesome.” –MAJ Reeves, Battalion XO, 1/32 IN
• “[TransApps] will give us a definite advantage over our adversaries” -COL Kolasheski
• “I like it!” -MAJ Nguyen
• “Even standalone these are really useful.” -MAJ Klein
• “I love it! It’s great!” -CSM Knight, BDE CSM
• “I am 50 years old and I got no training on it. But I got it right away. And if an old guy like me can get this then those 20 year old Joe's will be all over this!” -CSM Knight
• “I love how user friendly it is. If we want to get on there and add anything we can. It is awesome. All the squad leaders, platoon sergeant, and PL love this device. We want to take it back to the states.” - SSG Courson
• LTC Matos: “Are there any systems that can do what TRANSHEAT can do? Provide the data like in the way TRANSHEAT can?” Jeff Bierman: “No”

• “I specifically like that I can scroll over to where the fire is coming from and have a grid faster than the FO. It takes him a while to dig out the laser range finder and figure it all out.” -SSG Courson
• “If it wasn’t for the HH we would still be lost” -SGT Washington
• “Just the Maps app alone is great”, SGT Berk said “This is great we can put all of our stuff on here”.
• 1-5IN Bn CSM – CSM Bowen
  · Other competing devices (GD300+Land Warrior) will fade in the near future. “[TransApps] will never disappear. It will be around for a long time.”
• “You know how much smaller this is than land warrior?” –SSG Matthew Huck, 3/B/1-5IN PSG
• “I love TransApps! It’s better than everything else. Everything else I’ve seen is just junk and a waste of money.” –SSG Oneal, 3/C/1-5IN PSG
• “This just put Land Warrior out of Business!” -2LT David Brunett, 2/C/1-5IN PL
• “Land warrior set someone on fire!” –SSG Falls, 1-25IN BDE NCO
• “This is already better than Land Warrior!” –CSM Speedie, 1-5IN Bn Ops CSM
• “I use the ACOZ because it links up twice as fast as the DAGR” -1/C/1-5IN Commo
• “I guarantee if these phones talked to one another I would stop using my radio” -SSG Matthew Huck, 3/B/1-5IN PSG (as he expressed his frustration with his MBITR always dropping connection)
• “This is the best piece of equipment I have ever had; other than my woobie!” -SSG Matthew Huck, 3/B/1-5IN PSG
• “This is a lot simpler [compared to FBCB2]. Saves time!” -CPT Griffin, 1-10CAV Officer
• “The primary job of Land Warrior FSRs are to remove Land Warrior from the vehicles.” -1-25IN BDE NCO
• “This is useful for making waypoints because FBCB2 takes way too f*ing long” –SFC Griffin, 1-10CAV NCO

• “I am very impressed with the clarity of the imagery!” –CSM Biggs 4-23 BN CSM
• “I feel that this device will be able to replace 4 or 5 different things they need to carry on mission.” –MAJ Bookout 4-23 S3
• “The consensus is this is the best piece of equipment we have been issued hands down.” -Co 2/504 FSNCO
• “When I first received the device I thought it would sit on the shelf and collect dust, but now that I understand its capabilities, I’m excited to put it to work [in our Brigade].” -3-2 ID BDE S6 MAJ Robinson
• “Can I make a recommendation, Can this replace the FBCB2” -SGT Woods
• “This is great we can put all kinds of information on here” -1SGT FulFord
• “This has pretty much everything” - SGT Cooley
• “I am very pleased with this operating system” - SSGT Uling
• “Why didn’t we have this 6 months ago” - LT Schiferli
• “I can’t believe they pay me this much money to play with this” - SSG Smith
• “This is a common sense approach to system development” - Mike Cantwell (BDE DSE)
• “This phone’s been very beneficial setting up specific routes.” -3C/2-87 – CPL Shovlin (team leader)
• “The phones are making leaps and bounds, and it’s only going to go further when connected wirelessly.” And “We’ve been able to help the mortar teams a lot.” – SGT D'achille (squad leader)
• “Your 5590 battery adapter at work, in the field, providing long range situational awareness and battle tracking.” -Terese, Timothy MAJ USA 5-20 IN S3
• “A heads up for you guys the story of this win is gonna have to be told because the other programs are not producing these kinds of results and it is mostly because they're not structured right.” -Dr. Dugan (DARPA Director)
• “The PANTHR devices and client laptops are being tracked like a pacing item in the BN. TRANSAPPS slant is actually part of the report to the BN CDR.” --CPT Strickland is the BN S6 for 3/85th MP BN

• “We work with 1-5 IN and during our interaction with them we noticed that they were using Dell handhelds and some tablet device used for plotting enemy and friendly locations, as well as waypoints for SIGACTs. We wanted to know if we could get some of these devices to try out on our operations here. We do a lot of dismounted patrols as well as Special Reconnaissance missions up in the mountains and in hide sites and these devices could greatly assist in our operations.” –CPT Ben Harrow, Special Forces Detachment Commander (via email)
• “The PANTHR devices and client laptops are being tracked like a pacing item in the BN. TRANSAPPS slant is actually part of the report to the BN CDR.” CPT Strickland
• “TRANS APPs has potential in greatly increasing the overall situational awareness of all users, and ultimately easing the execution of the combat mission across the battlefield.” –SSGT Mychal Hoyt (JTAC feedback on TransApps 8 February 2012)
• “Wow, this is awesome. I’m impressed!” –CW5 Kelly
• “This is very cool. I’m excited!” - Theater DSE
• “Our TransApp devices were invaluable to the success of this mission!” –SSG Morgan D Co 1/504
• “The consensus is this is the best piece of equipment we have been issued.” –SSG King A Co 2/504
• “This is exactly what I was trying to find to help me accomplish my mission. This really is the ultimate COIST tool.” –SGT Switzer B Co 2/504
• “We got issued these devices prior to JRTC and since we have arrived in theater have been issued more. Soldiers and leaders love them. The FSR support we have, Aarow, is prior service and is one of the best FSRs we have. I have CC’d him. They are still working through the networking issue and our ability to use them with 117G and 152 for comsec reasons. Highly recommended Division purchasing them and letting us take ours home with us.” –email from MAJ Mills, BDE S-6

• "As an Infantry Platoon Leader, the PANTHR Device has completely changed the way I operate on the battlefield. Where I once had to carry numerous maps, GTAs, and pamphlets, I am now able to carry everything I need in one light and compact device. The PANTHR Device has set a new standard for battlefield technology." - 2LT Wallace, Charleston PL, 2nd PLT, C. CO, 1-23 IN / 3-2 SBCT

• “We have seen the evolution of battle field technology in various forms through time; I have in my hand the greatest, and most practical development thus far.”

• “What I love about it (PANTHR device) is its many features; it takes the place of my digital camera, DAGR, paper maps, and pen and paper.” “I still have all that stuff on hand, but it’s kept out of the way, and leaves me free to carry other mission essential gear.” –SSG Logue
• “I take the Trans Apps with me every time I go out, ever since I got it I have never gone outside the wire without it.” “This is an amazing time saver, instead of carrying a laptop with pictures and other sensitive information on it, I just carry this.” “This is far more than just a cool toy, it is a tool that allows me to do my job effectively.” -Mr. Kevin Conner 1-14 CAV LEP
• “I literally have my TransApp in one hand and my rifle in the other.” -HHT commander
• MAJ Curtis, 5-20 S3 - “the streak, when used as intended, is one of the most valuable assets the soldiers and leaders have on the battle field.”
• It was “100% easier to brief on TransApps” device versus any other method used
• 2LT Jimenez (C/1-504 COIST OIC) – “We are hardcore dependent on [TransApps]…I don’t know how others went without this!”
• CPT Vest (A/2-504 Cdr) – “It is the best product I have ever seen the Army issued.”
• CPT Vest (A/2-504 Cdr) – “I love how I can have historical data right in the palm of my hands.”
• 1LT Harting (A/2-504) – “Awesome tool. Better than all the other garbage they give us.”

STORIES

• A few weeks ago [a platoon] used [PANTHR] to recon the area around an objective they were going to assault. When conducting the recon using TA imagery they found a possible position that they could be ambushed from. They planned for this and maneuvered around the locations. They then deemed that no hostiles were at the location and it proved to be a perfect position to set up a support by fire line while they assaulted the objective.

• 4APR they had to escort a media team with them on a dismounted patrol. He was the lead squad and planned his route using map draw and saved it as a layer. He would reference his location and when a few hundred meters away from a house would run ahead with his squad and clear the building or possible threats. His goal was to keep these civilians as safe as possible and felt that TA was able to help him with this task.

• We rode with the 209th MP’s to ACS-4 (A Co 1-10 CAV). After about 45 min into the convoy we noticed that we started to make a couple of U turns. We asked the CPL if some of the vehicles got turned around (i.e. you’re lost). She replied “we are where we are supposed to be”. We pulled the HH out to see our location and quickly figured that we were lost because when we looked at the HH our location was outside the BDE’s AO. Well about 10 minutes later she saw Javier sitting beside her messing around on his HH and she noticed the imagery and Javier tracking our position. She said to Javier “Can we use that? We are lost”. They had gone out of the AO and could not find ACS-4. Javier put in the grid made a spot and hit Nav To then handed the HH up to the TC. We were at ACS-4 within 10 minutes or less. In other words we saved the day. When we arrived Javier had a mob of people around him, the MP’s were really impressed and asked how they could get them. Turns out they are under 1-10 but they were not on the BDE fielding plan. One of the MP’s SGT Washington said “If it wasn’t for the HH we would still be lost”


• "Yesterday was a slow day. 1st PLT had gone out on patrol and didn't come back until late. I was in the TOC at the time of SAF, however and there was confusion over where 1st PLT was. They couldn't find them on the cameras and the grid they were giving was not showing anything either. The XO grabbed the mic and said 'Use your TransApps! What's your location?' After that they were able to focus on a 10 digit grid and the plt was found in a grape row.” –Suzanne Rashka

• "Yesterday, SSG Mills of the ASG platoon used MILTRANS application to communicate with a detainee while he waited for the interpreter to show up. He was able to extract basic information from the detainee just using the device.” –Aaron Hartwig

• Two days ago while on a dismounted patrol in the Horn of Panjwai, his platoon received small arms fire from a village. 2LT Wallace used the distance tool in the Maps application on his PANTHR device to calculate the distance from his position to his element taking fire, and also the distance from the element taking fire to the enemy that was engaging them. He used that information to walk in his remaining elements to fix and finish the enemy.

• Two weeks ago, after one of his men was struck with an IED, 2LT Wallace used the Medevac application to find the grid of a HLZ. Enabling him to call up the 9 Line Medevac request while moving the casualty. Saving precious minutes of time.

• Last month LT Wallace received a complaint from a local farmer, claiming that the US Army damaged his property and killed some of his livestock. Using the Risk Estimate Distance program on his PANTHR device, 2LT Wallace was able to show his CO the exact grid where the indirect fire struck, the minimum safe distance of the munition used, and exactly where the local’s property was located in relation to the indirect fire, well away from MSD circle.