New Specification Will Secure Mobile Phones

A new set of security standards designed to lock down mobile devices has been hammered out and is set to be unveiled at the CTIA Wireless IT and Entertainment show being held in Los Angeles next month.

Called the Mobile Security Specification, it is billed as the basis for a new generation of secure phones and mobile devices that will be harder to tamper with. The standards are backed by companies such as Nokia, Samsung Electronics and France Telecom.

The specification has been years in development, said Janne Uusilehto, head of Nokia product security and chairman of the working group developing this technology. “It is a big deal. This is the first time that we have created such common security specifications for all handheld devices,” Uusilehto said.

The new specifications are built on work done by the Trusted Computing Group (TCG), an industry association that has already created similar standards for PCs, servers and networks.

Uusilehto’s Mobile Phone Work Group expects to announce the specification on Sept. 13 at the CTIA show, provided that the remaining minor details can be worked out. The specification will be published here.

The Nokia executive declined to say when his company or others will be producing phones that comply with the new specification, but he predicted that manufacturers would soon begin using the technology to lock down basic parts of their devices, such as the operating system.

When these devices appear, they will make things more difficult for data thieves and mobile virus writers. Down the line, the technology could be used to build electronic wallets into mobile phones.

In general terms, the specification calls on hardware vendors to store protected information in a secure area of the phones called the Mobile Terminal Module (MTM). Similar to the Trusted Platform Module used in PCs, the MTM could be used to ensure that the phone’s operating system, applications and data have not been tampered with.

This type of trusted module could also be used by network operators to ensure that the phones on their network can’t be used if they are stolen, said Mark Redman, a principal engineer with Freescale Semiconductor who is familiar with the specification. “That is probably one of the biggest concerns that the cell phone operators have at this stage,” he said.

Though some companies may be early adopters of the Mobile Security Specification, it could take years before cell phone users reap any benefits, said Roger Kay, an analyst with Endpoint Technologies Associates who serves on TCG’s advisory council. “What typically will happen is that there may be some early adopters who start adhering to the specification before it’s fully accepted,” he said, adding that “just because [the Trusted Computing Group standard] promulgates, it doesn’t mean that it’s going to be adopted.”

Even after years of development, there is still debate about whether trusted modules are the right approach for the PC industry, he said. “The most interesting, most advanced features are going to take years, because everybody has to agree to adhere to the new standard.”

By Robert McMillan, IDG News Service (San Francisco Bureau)

Keep checking in at our Security Feed for updated news coverage.