As smart devices become the most important entry point to a wide variety of data, combating potential security threats in order to realize a more secure mobile device environment is top of mind.
Mobile device sales and general penetration are growing rapidly worldwide. As more and more computing functions move into mobile devices, sophisticated yet easy-to-use device-driven computing capabilities are becoming ubiquitous. The variety of services, applications and functions available on mobile devices leads to large amounts of data being stored on devices and transferred to and from devices. Some of this data includes sensitive information such as credit card numbers, user names and passwords as well as confidential business or government secrets. Attackers manipulate mobile devices to access their functions and applications and to sell or use the confidential information they access in the process. In many cases, software fails to protect devices from such attacks and sensitive data is revealed. In order to prevent criminal attacks and protect the confidentiality of data, a certified secured hardware and software solution for mobile devices is necessary.
The number of mobile devices on the market is steadily increasing, and looking ahead, growth forecasts remain positive. In recent years, mobile devices have become more and more intelligent as computing functions and applications move from laptops and PCs to smaller, smart devices such as phones and tablets. Data entry points range from private photos to large data sets required for different applications, both the end user and the providers of services that can be accessed via these devices have an increasing interest in protecting this data. Increasingly popular in the enterprise and government context, these applications use large volumes of data, some of which is extremely sensitive. Typical applications that require high levels of security include corporate, payment and health systems. Here, loss or theft of confidential information could have serious implications.
Criminal activities
Smartphone-related criminal activities are growing rapidly as demonstrated by the rising number of attacks . Attackers gain access through malware, viruses and ransomware. Once they have accessed a device, they can steal the owner’s identity, spy on the user and expose confidential information such as banking and credit card data. An example is the BankMirage app, which pretends to be a legitimate banking app and tricks users into using an in-app login, thereby revealing their login credentials. The loss of data is not only critical for individual consumers but often has an even higher impact on the providers of applications and services whose business information, customer data and other sensitive information is accessed during an attack. In the corporate environment, intellectual property (IP), insider knowledge and customer data are the targets of attackers and can cause immense damage to the reputation of the company affected as well as resulting in loss of business. An attack also carries risks for mobile device OEMs. A highly publicized attack can damage reputation, decrease market share or compromise access to security-sensitive markets.
Recent trends show a dramatic increase in smartphone malware, especially for Android devices – and criminals are not the only ones targeting smartphones. According to media reports, disclosures have shown that surveillance programs run by intelligence services are also extremely interested in data stored on smartphones. Of special interest are social contacts, emails, details about the user’s behavior and location, interests (through search terms, for example), photos and sometimes even credit card numbers and passwords.
Threat impact
Taking into account the variety of motivations for attacks and the increasing skill level of attackers as well as rising system complexity, threats will become even less predictable and will have higher impacts for all parties involved. Unlike past threats, where the impact with, for example, credit card manipulation affected a single user, current and future threats aim at a much wider target group and create multiple impacts.
Current security solutions often focus on protection through software only. However, the problem, as highlighted in the attack examples above, is that there are various ways of manipulating software. Even when dedicated security measures are implemented in software, the basic underlying problem is that software is based on code that can be read out, examined for vulnerabilities or changed by an attacker. For this reason, a hardware-based root-of-trust is required in the mobile device. The following paragraphs give an overview of the benefits of a secure mobile platform based on hardware security, and give a better insight into why and how particular areas of the mobile device need to be protected.
Secure mobile platforms
As mobile networks become more complex and threats become more sophisticated, demand for security is rising. Different players in the ecosystem stand to benefit in different ways from a more robust mobile device security. Mobile device OEMs (e.g. for handsets, tablets) – In order to demonstrate readiness for the enterprise and government market, OEMs need to show that they can provide secure mobile devices that can protect customer data, IP and other sensitive information. In this context, additional security features can act as a door-opener for new industries and revenue streams, and hence as a unique selling proposition. Furthermore, OEM business and brand value would benefit in the long term from more robust protection against counterfeit devices and commercialization of stolen devices.
Mobile network operators – security can be offered as a value-added service to increase customer satisfaction. It can thus prevent customer churn due to security problems. Furthermore, comprehensive security measures will allow MNOs to offer new service-based business models.
Enterprises – in order to protect valuable information such as IP, customer data and business intelligence that could be the key to a company’s long-term market success, companies need to make sure that the mobile devices used by employees are secure. Employees regularly access sensitive corporate information through their corporate or own mobile device, and an attacker who gains access to one device could easily get access to the entire corporate network. The information and data such as IP, process know-how or specific project information lost in the process can decide a company’s future success and should thus be protected with a high level of security. By securing their mobile environment, companies can prevent both direct financial losses caused by extortion and ransomware as well as supporting their long-term success based on their unique knowledge.
Banking & online retailers – in order to prevent financial loss and loss of customers, all banking and online retail providers need to be able to rely on mobile device security and also reliably assess whether a mobile device can be trusted to protect confidential financial information.
Cloud service providers – the priority for users of cloud services is to protect personal data such as login credentials or photos, and to prevent financial losses. There is a risk that consumers who are not convinced that their data will remain confidential will withdraw from services such as cloud computing or not even use them in the first place. Adequate hardware security solutions can help to create a secured mobile environment in which consumers trust cloud applications and services and thus continue using them.
Consumers – for consumers, the main concern often lies in the fear of losing personal information such as private photos or messages. Furthermore, concerns might be focused on what happens if the personal device is misplaced, lost or stolen. Since a variety of applications such as banking, online shopping and others are accessed through the mobile device, access to the device by an unauthorized party and to these applications could have serious impacts and result in large financial losses as well as in feelings of discomfort and embarrassment when private information becomes public.
Platform security
Specific mobile device threats which will be faced by mobile device users and manufacturers fall into three areas to be addressed – platform security, application security and authentication. All smartphone apps run on an underlying platform comprising the operating system and hardware. Building security into apps has little benefit if the platform is not secure enough. Attackers who break the platform have broken all the apps. There are various ways to improve platform security and thus help to protect the apps. User data should be protected through volume encryption in order to prevent data from being easily read and stolen by a third party. In order to prevent dictionary attacks, devices should be equipped with brute force protection. A secured boot process and continuous device compliance checks (runtime integrity) can monitor the device’s integrity prior to use. This information can help service providers to notify the user or restrict access if the device is compromised. Integrating a kill switch enables stolen phones to be deactivated. This prevents black market sales. A mobile security controller could be remotely commanded to set a kill bit that can only be reset with a special command from the handset manufacturer for the phone in question. The sale of counterfeit devices and accessories can be prevented through the integration of a unique cryptographic key certified by the manufacturer. This can be remotely verified by the manufacturer or mobile network operator
Application security
Consumers and corporate users employ a wide variety of apps on their phones. Most of these apps can benefit from greater hardware security. Today, remote wipe functionality is implemented in MDM software. Security can be improved by having secured, certified hardware to store master encryption keys, and through a secured mobile platform controller, which could be commanded to remotely delete those keys.
Strong authentication
Companies and government bodies need strong authentication functionality to ensure that only legitimate employees access internal networks or specific applications. To avoid the perils of password-based authentication (including the risk of password loss and theft), enterprises have increasingly moved to multi-factor authentication. Multi-factor authentication is generally performed by adding another element to the traditional user name and password or passphrase. This could be a hardware or software token, a biometric check or device authentication step. Thus it is always a combination of knowledge (e.g. a password) and something the user has (e.g. a token or fingerprint). However, these authentication techniques add cost and complexity while reducing interoperability, and they sometimes leave security loopholes. For example, a software token or software certificate can be stolen by malware. The new FIDO Universal Second Factor (U2F) protocol and Universal Authentication Factor (UAF) standards offer improved protection, especially when implemented in hardware. When authentication is needed, the user is prompted to swipe their finger and/or enter a password. This triggers the phone to perform a cryptographic authentication. Thus, two or even three authentication factors are employed: the phone, the fingerprint and the password. This approach reduces cost because no separate hardware token is required. It is also convenient for users and offers effective protection against phishing, malware and other attempts to steal the user’s credentials.
Hardware-secured platform
Software alone can be easily accessed and manipulated. Software alone cannot protect software. In contrast to the rather small impact such a manipulation could have on a single user and the environment, the impact created by an attack on the software of connected devices is rising exponentially as the manipulation can spread easily. In order to protect the massive amount of data stored on the device and used in different applications, all involved parties will have an interest in using the highest level of protection – hardware-based security becomes inevitable. The question that manufacturers as well as service providers and end users (corporate or private) will have to ask themselves is – “How much is my data and information worth?”
In view of the threats that mobile devices currently face and will increasingly have to contend with in the future, a solution combining hardware and software security is an absolute must to protect mobile devices. Including a root-of-trust based on certified secure hardware in the mobile device allows software and applications to rely on this trust anchor. The mobile device environment would no longer have to rely on the ‘thin ice’ software layer beneath applications.