It's now feasible to secure smartphones using virtualization, a technology the NSA currently requires only on tablets and laptops

Credit: Peter Sayer

The U.S. National Security Agency is now suggesting government departments and businesses buy smartphones secured using virtualization, a technology it currently requires only on tablets and laptops.

The change comes about with the arrival of the first virtualization-based smartphone security system on the U.S. Commercial Solutions for Classified list.

CSFC is a program developed by the NSA to help U.S. government agencies and the businesses that serve them to quickly build layered secure systems from approved components.

An HTC A9 smartphone security-hardened by Cog Systems using its D4 virtualization platform is now on that list, alongside devices without virtualization from Samsung Electronics, LG Electronics, and BlackBerry. In the modified A9, communications functions are secured by running them in separate virtual machines on the D4 virtualization platform.

It’s the first smartphone on the CSFC list to use virtualization, which the NSA has only required on more powerful devices such as tablets and laptops until now. “If virtualization technology was commonly available in the smartphone, we could leverage it for some solutions. To date, the devices that have been considered did not offer that technology,” the NSA’s technical guidance reads.

Cog Systems’ position on the list isn’t definitive yet: It’s still seeking certification for the D4/A9 combination against the National Information Assurance Partnership’s mobile platform and IPSec VPN Client protection profiles. Vendors typically have six months to obtain the certification in order to remain on the list. For now, D4’s validation is ongoing at Gossamer Security Solutions’ Common Criteria Testing Laboratory.

Vendors don’t seek certification lightly, according to Carl Nerup, chief marketing officer at Cog Systems. “It’s a very expensive process,” he said, between US$500,000 and $700,000 for each new model.

Somehow, though, Cog Systems is eating the additional cost of certification: The price for its security-hardened A9 is the same as HTC’s list price for an unmodified phone, said Nerup. “We have multiple groups within the U.S. Department of Defense that have procured the device,” he added.

A commercial off-the-shelf (COTS) smartphone like the modified A9 isn’t only of interest to government customers, though, Cog Systems CEO Dan Potts pointed out. “In the oil and gas industry, they want to buy COTS. They want it to be at a competitive price, but with a greater concern for security.”

Once certification for the modified A9 is in the bag, Potts is looking forward to seeking certification for D4 virtualization on other smartphones. The first time around takes time because there is a lot of preparatory work to do, but much of that work will also apply to other smartphones. Potts expects certification of D4 on other hardware to go more quickly.

Eric Klein, director for mobile software and enterprise mobility at analyst firm VDC Research, has had his eye on Cog Systems since meeting the company at Mobile World Congress.

He sees the broadest opportunity for Cog Systems in the enterprise market — and expects that its approach to endpoint security could even take some business away from enterprise mobility management vendors.