Skim milk

Dave Kleidermacher

March 15, 2011

Dave Kleidermacher

Similarly, when the smartphone's payment app is ready to forward the payment data to the processor, this connection is also established using TrustZone partitioned security software. It should be noted that the same trust anchor (for example, TrustZone + secure bootloader/OS) prevents rooting of the mobile device—in other words, to disable the security functions we have nicely hardened outside of the main phone OS.

Ideally, the TrustZone software security functions manage crypto in hardware—for example, a tamper-resistant secure element such as a smart card chip within the phone. If a physical attack can recover the mobile device's private key, the attacker can not only steal the locally swiped card data, but the mobile device can be used to launch attacks within the payment network.

Don't think Verifone's payment terminals are immune from security problems. While they have better hardware protection functions, these terminals usually run insecure software and rely, to a large extent, on security-by-obscurity. As a defense-in-depth measure to guard against increased card cloning and fraud via smartphones-as-terminals, consumer registration with the payment service and the use of a PIN at the point of sale would be advisable.  But we must trust the phone to keep the PIN private—we need trusted path / virtual PIN keypad that is, again, fully isolated from the main phone OS.

There are many other exciting applications of smartphones that require protection of high value assets: mobile money (such as NFC), in-person proof, eTickets, remote control of automobiles, just to name a few. To make this vision reality, we must make smartphones into trustworthy platforms.

Dave Kleidermacher is CTO of Green Hills Software. He writes about security issues, sharing his insights on techniques to improve the security of software for highly critical embedded systems.