Three billion mobile subscriptions are expected worldwide by the end of 2007 and four billion by 2010. Cell phones, PDAs and other devices will be likely targets for attack. Add that to an increasing number of services, especially those that involve financial transactions, and mobile devices could become the prime target for malware.
Hundreds of thousands of handsets, with increasing amounts of personal information, are lost or stolen every year, requiring a means to protect the content and preferably bar usage of the device altogether after theft. In addition, mobile devices increasingly access corporate networks and retrieve, process and store data that is hidden behind the corporate firewall.
Developed by the Trusted Computing Group (TCG), the TCG Mobile Trusted Module (MTM) Specification provides the means to address security aspects now, rather than waiting until security is a problem. The first component of the mobile trusted module, an open industry specification to provide integrity, authentication and identity, was announced in September 2006. The second half of the specification, TCG Mobile Reference Architecture, now completes the MTM and finalizes the development process of several years.
An industry-led organization with about 160 member companies, TCG provides specifications across platforms and devices and is the focal point for security standardization for traditional computing products.
More than 50 million personal computers have implemented improved security based on the TCG specifications. The foundation of that security in personal computers, the item that provides the secure hardware, is a chip — a microcontroller — known as a trusted platform module (TPM). The TPM stores passwords and digital keys to uniquely identify the PC and establish roots of trust based on hardware that cannot change. For the MTM, the security foundation can be implemented in various ways, including as part of an integrated chip, a virtual engine or a separate chip to provide flexibility to manufacturers.
With the recently published TCG Mobile Reference Architecture (June 2007), mobile security has built on TCG’s expertise and industry standards, providing a path to enabling strong and interoperable security that serves various stakeholders in the mobile space. The Reference Architecture gives system designers hardware and software options for implementing the MTM in a mobile platform.
The functional requirements defined in the MTM specification can be integrated at different levels in mobile platforms, providing additional design flexibility. In fact, two different MTMs are specified. With the mobile remote-owner trusted module (MRTM), phone manufacturers and cellular network providers can preset some portions of the phone, including access to international mobile equipment identity (IMEI) and the cellular network. The mobile local owner trusted module (MLTM) supports cell phones similarly to the existing TPMs for computers, taking into account the characteristics of phone technologies.
The trusted mobile platform consists of engines and TCG-enabled platforms that establish trust for each specific stakeholder. Users, device manufacturers, communications carriers and service providers each have their own trusted engine to protect their specific interests. However, each stakeholder can permit data owners to use those data protection mechanisms. While some engines are mandatory, others are discretionary. Trusted services can be implemented by dedicated hardware or software or a combination of the two, based on the flexibility built into the specification.
Strength of functions in the MTM relies on the same mandatory cryptographic algorithms, key lengths and equivalences as does the well-established TPM. Furthermore, shielded locations and protected capabilities are designed to resist the same general types of attacks as the TPM.
As mobile devices have started to shape the internet and are rapidly converging with the PC space, TCG’s open mobile security specifications provide the means to avoid security issues that continue to plague PC users. The next step for mobile security is one of implementation to stay ahead of the inevitable security attacks.
Janne Uusilehto is chairman of TCG’s Mobile Phone Work Group and head of Nokia product security.