News & Events
3 April, 2012
Can You Trust Your Mobile Device?
You can't swing a cat these days without hitting someone pecking away on their smartphone, tablet, or notebook PC. From the UPS delivery person to the CEO and surgeon, we're all wired in, all the time. Of course, the flip side of all this convenience and connectivity is...security. Not a big surprise, but many network security and IT staff, among others, are scrambling to keep up with the rising tide of devices and the resulting issues.
If we think of mobile device security as levels, or layers, at the bottom layer would be security of the device itself. To some degree, user-enabled passwords and locking systems offer some protection - but very little. In fact, research this week notes that the iPhone password is VERY quickly hacked - in less than two minutes, says one researcher (http://www.pcmag.com/article2/0,2817,2402256,00.asp).
Better yet is hardware-based security that is in the core circuitry of the phone. This approach, deployed successfully in hundreds of millions if not billions of PCs, involves a variant of the Trusted Computing Group Trusted Platform Module, or the Mobile Trusted Module (http://www.trustedcomputinggroup.org/developers/mobile). The MTM incorporates the key concepts of the TPM, including assurance of platform integrity, device authentication, secure channel between device and UICC and secure software download.
Nokia Research Center has developed MTM proofs of concept. ETRI and Samsung have also developed functional MTM proofs of concept. Codenomicon has utilised NRC's MTM source code to successfully implement an MRTM fuzzer (test suite).
At the next layer, we talk about applying security to applications or use cases. TCG's Mobile Phone Work Group has created a number of use cases showing how a trusted mobile phone can be used for mobile commerce, for healthcare apps, mobile ticketing and more. You can read more here (http://www.trustedcomputinggroup.org/resources/mobile_trusted_module_20_use_cases).
Last month, at the RSA Conference and Mobile World Congress, TCG members Wave Systems and Trusted Logic on a prototype MTM. According to the news release, "Utilizing the smartphone as a token to authenticate the user, the solution allows encrypted data held in a corporate laptop computer to be unlocked. This is enabled by secure software based on the industry standard Mobile Trusted Module (MTM) to check the integrity of the smartphone...Trusted Logic Mobility provides the MTM software, building on its Trusted Foundations™ security solution while leveraging the ARM® TrustZone™ secure hardware architecture. Wave Systems developed the application in the smartphone for communicating with the laptop as well as the software to evaluate the smartphone's integrity and provides the service for managing the MTM and the laptop's Self-Encrypting Drives." (http://wavesys.com/news/press_archive/12/120228_TrustedLogic.asp#).
Beyond the MTM and managing it for various uses, the next layer would be infrastructure - how does a trusted mobile device connect to the network and how can it be secured? TCG's Trusted Network Connect work group with its TNC network security architecture has enabled such security and TCG members including Juniper have implemented solutions via their products to ensure varying levels of access based on trust. You can read more here in a new architect's guide. (http://www.trustedcomputinggroup.org/resources/architects_guide_mobile_security_using_tnc_technology/)
Other TCG work groups are addressing the issues of mobile security. Stay tuned for more!