Mobile devices these days are often smaller, thinner, and lighter, but are able to deliver a plethora of content. murdok spoke with Gal Salomon, CEO and Founder of security firm Discretix, about embedded security and security concerns that come along with an industry of smarter phones.
murdok: Please tell us a little bit about what mobile embedded security is.
Gal Salomon: The purpose of embedded security is to establish a trusted core within the device so that services providers and device manufacturers can deploy services while guaranteeing the proper operation of the device. Embedded security for a mobile device is comprised on a number of different components, integrated into the main processor sub-system, operating system and application layer of the device.
1. Applications Layer: Applications such as DRM and SIM Lock as well as security system features such as secure boot and secure debug.
2. OS Layer: encrypted storage, secure key and certificate management and cryptographic services.
3. Hardware Layer: Secure execution environment, cryptographic accelerators, unique device key and a random number generator.
Embedded security solutions are typically delivered as a combination of semiconductor IP and software.
murdok: What kinds of threats are out there for users of mobile devices?
GS: The threats can be divided into 2 main categories:
1. Data – These attacks target information or content stored on device and can range from “ripping” protected content to corporate or private information being accessed by unauthorized personnel. Examples include smartphones that store sensitive corporate information being lost or stolen, or personal data such as PIN codes and addresses being extracted from the device, without the owners’ knowledge or consent.
2. System – These attacks target the inner workings of device and can range from malware to device cloning. Examples include a 3rd party application purchased from an app store that contains spyware to monitor the device and the content stored on it, or a sophisticated attempt by a professional hacker to clone a device.
murdok: What are some ways mobile security issues are impacting marketers looking to go mobile?
GS: Security is [a] key consideration for any application developer looking to go mobile. Vendors like Paypal, RIM and Apple all deploy a wide range of security mechanisms to ensure that their applications are trusted. Moreover mobile security is a moving target, with hackers constantly testing the strength of the underlying security and developers constantly plugging gaps and improving the overall level of robustness of their security solutions.
murdok: How are mobile eCommerce sites affected?
GS: In order for ecommerce sites to capitalize on mobile commerce, they will have to integrate [a] additional security mechanism for mobile commerce.
murdok: What kind of trends do you expect to see this year in mobile security? Any new trends or changes in 2010?
GS: 2009 is undoubtedly the year of the smartphone with Apple, Nokia, RIM, Google, Palm and Microsoft all delivering amazing products. Smartphones change the threat level significantly, and will boost the awareness and deployment of mobile security solutions. Smartphone are based on an open (and as such insecure) operating system vulnerable to malware, viruses and spyware. Moreover smartphones are design to deliver a wide range of applications (commerce, mobile TV, enterprise apps and music) each with its own set of security threats and requirements.
We’d like to thank Mr. Salomon for sharing his insight into mobile security with murdok readers.
