New security proposed for do-it-all phones
Trusted Computing Group is set to lay out new hardware-based security standard for mobile phones.
The Trusted Computing Group (TCG)--backed by big names like Nokia, Motorola, Intel, Samsung, VeriSign and Vodafone--plans to unveil its plan Tuesday at a conference sponsored by the Cellular Telecommunications & Internet Association. The TCG has already developed similar specifications for PCs and servers.
In addition to voice calls, cell phones are increasingly used for taking pictures, keeping a calendar and sending text messages and e-mail. In the future they could replace wallets, say industry pundits, with consumers whipping out a specially equipped phone instead of a credit card to pay for a purchase. That would make securing the gadgets even more important.
Locking up cell phones
The Trusted Computing Group provides 10 examples of what its plan for hardware-based security could enable in mobile phones.
1. Platform integrity to ensure the hardware and software are in a state intended by the manufacturer.
2. Device authentication to protect and store identities of users and bind the device to the appropriate user.
3. Digital rights management to protect content on the phone.
4. SIMlock/device personalization to ensure a device is locked to its network and can't be easily stolen.
5. Secure software download to enable the safe download of updates, patches and other software.
6. Secure channel between different parts of the phone to prevent tampering by malicious software.
7. Mobile ticketing to enable the secure download of tickets and manage them.
8. Mobile payment to enable the secure execution of payments.
9. Software use to ensure software is safe, and if not, that it can be removed, replaced or not executed.
10. User data protection to allow users to prevent their information from being accessed or viewed by unauthorized people and to give users access to services or data that might not require personal information.
Source: Trusted Computing Group.
"Without proper security, mobile phones may become a target for hackers and malicious software," said Janne Uusilehto, senior technology manager at Nokia and chairman of the TCG's Mobile Phone Working Group. "The benefit of hardware-based security is that users can rely on their phone and (know) that private data is protected."
The proposed standard doesn't just protect user data. The security hardware also enables copyright protection, according to the TCG, a feature demanded by the entertainment industry. This so-called digital rights management technology could mean access to more exclusive content on cell phones, but it could also limit the content that will play on devices.
Additionally, says the TCG, cell phone operators could use the technology to get more control over the devices they sell. Operators would get a better way to lock devices to their networks and tighten control over which services and software can run on the gadgets. But user-rights advocates complain that such things limit consumers' choice and freedom.
The TCG's plans call for mobile handset hardware to support features similar to those of the Trusted Platform Module. The TPM is a security chip designed for PCs and servers that enables a variety of security features, including authentication, protected storage and secure e-mail. The TPM technology will need to be adapted because mobile phones are much smaller than PCs.
At the CTIA wireless event, the TCG will introduce its plans by sharing "use cases" for hardware-based security in cell phones. The group
plans to release a blueprint designed to make it possible to include security technology in mobile handsets in the first half of 2006, representatives told CNET News.com.Adding hardware-based security to cell phones can enable services such as electronic ticketing and mobile payments, according to the TCG. It can also provide for secure storage of personal information such as an address book, text messages, e-mail and pictures. And, in the future, payment data such as credit card numbers will be added to the mix, the TCG said.
"Nowadays my Treo 650 has some files from my corporation. It would be nice to have the phone rendered unusable if it gets lost," said Thomas Hardjono, a principal scientist at VeriSign and member of the TCG Mobile Phone Working Group. The Palm Treo 650 is a phone with features such as e-mail, a calendar and a camera.
As handsets get smarter and used for more than just voice calls, the threat of hacker attacks and mobile phone viruses rises, Nokia's Uusilehto said. The new security features can protect the devices against such threats, he said.
"Mobile phones are becoming full of security-demanding services," Uusilehto said. "Attacks are not a major problem today, and that makes the timing pretty good for us. We have time to do security properly, where we are not in a firefighting mode."
In addition to enabling new services and protecting user data, the TCG's proposals can also be used to secure copyright-protected data on mobile phones. That use of the new security features is critical to content services, said VeriSign's Hardjono. VeriSign is a significant player in the mobile content business with its Jamba and Jamster services.
"We want to sell content, but the folks in Hollywood don't want to sign the paperwork because they want guarantees that the devices have got proper security," Hardjono said. "No DRM, no content."
But digital rights management is one way the proposed security technology could restrict cell phone users, say some user-rights advocates. Operators would also get a better way to lock phones to their networks and close control of the services and applications that can run on devices.
"A lot of carriers have a model of trying to tax everything that goes into a phone, which we think is unfortunate," said Seth Schoen, staff technologist at the Electronic Frontier Foundation. "The TPM is just another tool to let them do these things."
Although the Trusted Platform Module is controversial on the PC because consumers expect a lot of freedom when using their
computer, the same is not true for mobile phones. "In the cell phone market there is an assumption--rarely questioned--that restricting the end user is the natural thing carriers do," Schoen said. "I don't see the TPM in phones changing the user experience."Hardware-based security is not new to the mobile phone space, said Nokia's Uusilehto, but manufacturers have so far each gone their own way. The Trusted Computing Group aims to provide a standard, which should reduce costs for handset makers and let component suppliers standardize.
"Today we're wasting a lot of resources and inventing the wheel again here and there, instead of doing it together in this open approach," Uusilehto said.
Nokia, the world's biggest handset maker, plans to use the TCG's security specifications, Uusilehto said. However, he could not say which products would include the technology and when those might become available.
It took several years for PCs with TPM chips to appear. Gartner analyst John Pescatore believes it won't be until about 2008 before cell phones with the new security technology hit stores.
"The major problem is not that the technology is so difficult, but that the market is fractured," he said. While the PC market is dominated by Intel and Microsoft, the mobile phone space has many different players who will need more time to coordinate, he said.
Though the industry sees broad use for its security technologies, Pescatore thinks large businesses will be the first to buy devices that have the added security technology. Employees are accessing corporate data on their mobile devices and there is a need for more "trustable" devices, he said.
Consumers initially will not want to pay for the extra features, Pescatore said. "What consumers really want are smaller phones and lighter phones, and they don't want to pay a lot for them. Adding security hardware can make the phone more expensive, thicker and take more battery power."