Did Apple just boost mobile security?

I have been working on mobile security for many years, and things haven’t moved much: justifying mobile security is always painful. Whyshould Ispend more money? There aren’t that many attacks! Some business use cases seemed like a good justification, but the economics are unclear and remain in the order of “if youget hacked, it could cost you a lot of money”.

With iPay, Apple just proved to many people that mobile security can have a favorable economics. By embedding a biometric sensor and putting their critical credentials on an embedded secure element, they have been able to negotiate a lower transaction fees on their payments and save millions in the future. Mobile security brings millions instead of just boring geek stuff? Now, that’s innovation.

Of course, the security of the iPhone 6 must live up to these high expectations. As much as the latest announcements bring a boost to mobile security, the announcement of a hack allowing a guy to steal a phone and use it “illegally” has the power to bring us back to the dark ages.

One Comment

  • It really depends on who is attempting to hack the secure element of Apple’s smart devices.

    Secure elements contain cryptographic processors that are made from huge companies known to have rather complex relationships with state agencies and SIGINT/COMINT units of nation states.

    NXP (EU), Atmel (US), Freescale (US) … are just a few of the foundries that have a steady supply of cryptographic capable chips for secure elements and the likes. They have a common thing which is relationship to Governments.

    We know that technology empowers both ways and is commonly considered a dual use product (Govt and Civil). A country can make justifications to backdoor a product for their own access which would leave the other users not within their legal jurisdiction seriously impaired on the security side now that the backdoor keys are held in certain Govt’s hands.

    If we are talking about petty theft and hacking just for monetary profits, some of these so called secure elements from large foundries have already been badly shamed by their false advertisement of security which given an operator’s manual and a couple of time to think through and experiment, a university research student or a knowledgeable and motivated hacker might find a way through due to silly mistakes.

    If we are talking about compromisation and sniffing of foreign important people’s iPads, Blackberries, Android phones and other portable smart devices, they are as insecure since the backdoor keys to the cryptographic chips used to secure portable smart devices used by national diplomats and important people are compromised at the foundry levels.

    You can imagine what happens if Nation A uses chips made by Nation B finds that Nation B snoops on Nation A and the relation can be complex when Nation B accidentally fields the chips into it’s national services and what if Nation A manages to find the backdoor.

    How secure is secure element ? In this current age of Govt’s eagerness to implement key escrow and backdoors, we are no less secure because security is observed by it’s weakest link where the weakest link is that one single master backdoor key that makes or breaks a system. We all we we are careless with keys and keys are not always labelled or handled with care. What happens if this single master backdoor key gets leaked into the world where it should never have been in the first place …….

Leave a Reply

Your email is never shared.Required fields are marked *