For many people, their mobile device serves as their primary computer in day-to-day life. Modern mobile devices offer a rich, flexible set of features and allow users to add new features just by downloading applications. Users can manage virtually every facet of their lives from their mobile devices: send emails, schedule appointments, make purchases and more. Mobile devices now account for 55% of the network device market share, and the World Advertising Research Center (WARC) predicts that, by 2025, 72% of internet users will access the web solely via smartphones. The Trusted Computing Group (TCG) is expanding trust in mobile devices to enhance security in users’ everyday lives.
A Growing Risk
The popularity and utility of mobile devices make them attractive targets for attackers. Mobile devices have many of the same security vulnerabilities as laptops, as well as other vulnerabilities unique to mobile architectures. In addition to re-using traditional laptop exploits, attackers can justify the resources to develop, deploy, and sell more sophisticated attacks. Powerful tools for password guessing, impersonation and side-channel attacks are widely available on the Internet, giving minor criminals free or low-cost access to the same sophisticated tools used by crime syndicates and nation states.
Mobile device vulnerabilities create greater risk for users who rely on their devices for day-to-day activities. Stolen personal or identity data can cause a major breach of privacy. Any compromise of financial credentials, transactions, or other data can cost users both time and money. When mobile devices are used for business, attackers can leak intellectual property or sensitive security data, ultimately causing financial losses. Finally, disruption in the availability of the mobile device or network can range from inconvenient to debilitating.
Mobile devices, payment cards and payment information are among the most common targets of attacks. As the cashless society becomes more pervasive, more people will use mobile devices in lieu of cash or a physical credit card. Any mobile payment solution faces the technical challenge of optimizing the trade-offs between security and usability. Mobile payments are often made with devices that host an association with a credit card, debit card, or prepaid cash portal. These associations and any mobile payment transactions must be sufficiently secure to be viable solutions. They must also be easy to use in order to gain traction with users. Mobile banking popularity is also increasing, with growing demand for anytime and anywhere convenience. Similar to mobile payments, mobile banking applications require confidentiality and integrity to limit the risk of compromise to user finances.
Another security challenge that impacts mobile devices is that consumers do not want to pay for security. The majority of users assume that their systems, whether laptops, mobile devices, or anything else, are secure. They often do not worry about the personal risk they incur by using mobile devices. As a result, there is a weak market justification for mobile handset manufacturers and mobile network operators to spend resources on enhanced mobile security.
TCG Addresses the Challenges
TCG addresses technical mobile security challenges by expanding traditional, effective security measures to mobile devices and ecosystems. In 2013, TCG published the Trusted Platform Module 2.0 Library Specification (TPM 2.0), ISO/IEC 11889. The TPM 2.0 is a secure cryptoprocessor and hardware root-of-trust that provides protected capabilities. It is a solution that protects against attacks of varying levels of sophistication. TCG published the TPM 2.0 Mobile Common Profile, the TPM 2.0 Mobile Command Response Buffer Interface, and the TPM 2.0 Mobile Reference Architecture to adapt the TPM 2.0 to modern mobile device architectures. This collection of specifications provides the core capabilities to enhance the trustworthiness of mobile devices.
Mobile security challenges go beyond mobile devices themselves. To cope with financial and other challenges, trusted computing and trusted networking technologies must also support mobile infrastructure systems. Mobile network and service providers require some assurance that mobile devices are healthy before they permit access to their services. Service providers do not want malicious or compromised users to disrupt other users’ security and privacy. Similar requirements exist within enterprise environments. TCG has published the Trusted Mobility Solution Use Cases Version 2.0 – Enterprise, Financial, & NFV, with much more detail on TCG technologies for a broad range of mobile ecosystem use cases. TCG has also published TCG Trusted Network Communications for Mobile Platforms, which describes solutions for network administrators to measure and assess mobile device integrity before granting devices access to network resources.
TCG also provides guidance on how TCG solutions can tackle more advanced security requirements. The Multiple Stakeholder Model proposes solutions for multiple stakeholders to coexist safely on the same mobile device. Runtime Integrity Preservation makes recommendations to ensure mobile device integrity during operation. These efforts confront some of the issues that mobile handset manufacturers and mobile network operators consider barriers to adopting trusted mobile solutions.
Mobile Security Collaboration
TCG is committed to the adoption of sound trusted computing technologies in the market. However, no organization can secure the mobile ecosystem alone, so TCG collaborates with other standards organizations. TCG has formal liaisons with GlobalPlatform, the European Telecommunications Standards Institute (ETSI) and the Alliance for Telecommunications Industry Solutions (ATIS). TCG also has informal collaborations with numerous other organizations including 3GPP, GSMA, IETF, IEEE, and SAE. Together, these organizations represent a broad set of mobile devices and networks. These collaborations ensure that standards are compatible and robust across multiple mobile technologies. It is easier for mobile device implementers and network managers to adopt trusted computing technologies when the applicable standards are coherent.
In 2012, TCG and GlobalPlatform partnered to address growing mobile security challenges. GlobalPlatform’s Secure Element (SE) and Trusted Execution Environment (TEE) components are implemented in most mobile devices today. This partnership was originally focused on mobile topics, aligning TCG and GlobalPlatform specifications on mobile roots-of-trust and device architectures. For example, the TPM 2.0 Mobile Reference Architecture describes a Protected Environment to host a TPM Mobile. The two organizations cooperated to ensure that a GlobalPlatform TEE is a valid implementation of a TCG Protected Environment. These alignments enable mobile device designers, manufacturers and developers to build solutions that meet industry-wide standards.
TCG expects to expand its formal and informal collaborations to include more topics in the future, including Remote Attestation, Security Automation, 5G, and Network Function Virtualization. TCG will continue its mission to enhance mobile ecosystem security so that users can safely leverage modern mobile capabilities.