Steven Sprague, Cofounder and CEO of Rivetz, reveals a viable solution when it comes to decentralising security. He argues that there is great promise for creating mobile device security with blockchain technology.
The world was introduced to the first commercial mobile phone in 1983 with the launch of the Motorola DynaTAC 800x, which stood at a height of 13 inches, weighed 1.75 pounds and took 10 hours to recharge. In the early days of the mobile phone industry, it was incredibly simple for attackers to clone a phone’s identity and run up all sorts of charges on your account.
Over the last few decades, mobile has experienced quite a metamorphosis from the “brick” of the 1980s to the compact, feature-packed smartphone of today. Now, mobile is king – people across the globe use their mobile devices not only to communicate but also to read the news, get directions, stream music, check bank accounts, store assets and so much more.
As we increasingly rely on our mobile devices, new avenues of attack continue to emerge. So much of our sensitive personal information and digital assets – such as corporate data and bank account and credit card numbers – are accessible via our mobile devices. They have become treasure troves for attackers.
Blockchain and mobile device security
There is great promise for creating mobile device security by combining secure enclaves – also known as ‘roots of trust’ – with blockchain technology. Blockchain is a distributed ledger technology that protects a digital transaction through complex mathematical algorithms. Because of the strength of this math, the transaction can only be created by those who hold a valid private key.
Private keys were developed as a means of protecting our digital transactions. A private key is a secret piece of cryptographic data that allows a user to prove who he or she is – in other words, it is used to produce a digital signature that says the user is, in fact, the one who is executing a digital transaction.
Private keys are used to secure a variety of transactions on mobile, including messaging, cryptocurrency and more. Here’s the downside: if an attacker steals your private key, they can impersonate you, and then access and abuse your data and digital assets. The prevalence of mobile devices has made them some of the largest repositories for private keys.
The biggest challenge in decentralised cybersecurity is that we cannot prove the transaction was intended. If an attacker steals your private key and transfers $5,000 to a third person, there is no way to prove that the attacker – and not you – performed the transaction. Rivetz ensures an intended transaction by establishing that it occurs from a known device, in a known condition, with an authorised user, under the required conditions. Rivetz performs “device attestation” to ensure a user’s devices are in a “known” condition by executing regular health checks to ensure the device integrity. Each device’s integrity is recorded on the blockchain so future health checks can be compared with the baseline, establishing that those devices are in a condition the user intended.
As the rise of the internet brought digital fraud and attacks on identity, innovative industry leaders banded together to fight that fraud and formed organisations such as the Trusted Computing Group (TCG). TCG developed specifications that have become standard for securing devices, as well as the data and identity on those devices, such as personal computers and laptops.
Trusted computing uses hardware to protect users. It ensures a device will consistently behave in the expected ways, protected by a secure enclave or a ‘root of trust’ embedded within the device’s hardware. A root of trust is isolated from the device’s software operating system (OS), allowing it to execute code that cannot be seen by the OS. One such root of trust developed by GlobalPlatform is the Trusted Execution Environment (TEE), which enables trusted computing technology for mobile devices. The TEE is already built into the hardware of more than 1 billion mobile devices. Today, most private keys are generated within software, which is much more susceptible to attack than hardware. The TEE is capable of protecting a user’s private key within the device hardware, a method that is far more secure than performing these operations in standard software.
A single system of security may not be enough to protect against the variety of cyber-attacks possible today. It is more pressing than ever to provide multi-layered protection of digital assets across two or more security domains. That way, even if an attacker were to breach one point of security, the other(s) still would need to be compromised, offering an extra layer of protection for important digital assets – whether that’s your personal information or your hard-earned money.
One of the most ubiquitous roots of trust is the subscriber identity module, or SIM card. The SIM is a protected hardware environment and was created to combat mobile fraud and to protect the device identity. With the pervasiveness of both the TEE and the SIM, Rivetz saw an innovative opportunity to use these isolated roots of trust to work together to protect mobile users. In conjunction with ElevenPaths, the cybersecurity unit of Telefónica, the world’s third-largest mobile carrier with more than 300 million subscribers, Rivetz uses both the TEE and SIM to protect our private keys – introducing the Dual Roots of Trust.
The solution leverages the TEE along with the SIMs deployed by Telefónica. With Dual Roots of Trust, Rivetz-enabled apps generate private keys in hardware, then cryptographically distribute those private keys between the TEE and the SIM. This delivers built-in security from both the mobile carrier and the device manufacturers, to create decentralised key protection.
By distributing a private key across these two roots of trust, attackers would have to breach both secure systems in order to steal a single private key. As an added security feature, two different entities – or independent control planes – aid the user in controlling their private keys. Through a special application authorised to perform activities inside the TEE, the user remains in control of the secrets stored in the TEE. If your mobile device is lost or stolen, a simple interaction with your mobile carrier can disable the SIM, permanently or temporarily until the device is found. So even if a thief has your device, you remain in control and your private keys are still safe.
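The two ideas described above, a device health check compared against a recorded baseline and a private key distributed across two roots of trust, can be sketched together as follows. This is an added example, not Rivetz code: the XOR split, the hash-chain measurement, the HMAC standing in for a transaction signature, and every name and sample value are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def measure(components):
    """Fold component images into one digest; order matters (hash chain)."""
    acc = bytes(32)
    for image in components:
        acc = hashlib.sha256(acc + hashlib.sha256(image).digest()).digest()
    return acc

def split_key(key):
    """2-of-2 XOR split: either share alone is uniformly random bytes."""
    tee_share = secrets.token_bytes(len(key))
    sim_share = bytes(k ^ t for k, t in zip(key, tee_share))
    return tee_share, sim_share

def combine(tee_share, sim_share):
    """Recover the key; requires both shares."""
    return bytes(t ^ s for t, s in zip(tee_share, sim_share))

def authorize(tx, baseline, components, tee_share, sim_share):
    """Return a MAC over tx, or None if any condition fails."""
    if not hmac.compare_digest(measure(components), baseline):
        return None  # device is not in the recorded "known" condition
    if tee_share is None or sim_share is None:
        return None  # one root of trust is unavailable (e.g. SIM disabled)
    # Assumption: a real design would recombine inside secure hardware,
    # never in ordinary application memory as done here.
    key = combine(tee_share, sim_share)
    return hmac.new(key, tx, hashlib.sha256).digest()

# Constructed sample data (hypothetical component names and transaction).
BOOT_CHAIN = [b"bootloader-1.0", b"os-image-1.0", b"wallet-app-1.0"]
BASELINE = measure(BOOT_CHAIN)  # stands in for the baseline recorded on the ledger
KEY = secrets.token_bytes(32)
TEE_SHARE, SIM_SHARE = split_key(KEY)
TX = b"pay 5000 to account 42"

if __name__ == "__main__":
    ok = authorize(TX, BASELINE, BOOT_CHAIN, TEE_SHARE, SIM_SHARE)
    print("healthy device, both shares:", ok.hex())
    tampered = [BOOT_CHAIN[0], b"os-image-modified", BOOT_CHAIN[2]]
    print("modified OS image:", authorize(TX, BASELINE, tampered, TEE_SHARE, SIM_SHARE))
    print("SIM disabled:", authorize(TX, BASELINE, BOOT_CHAIN, TEE_SHARE, None))
```

With one share withheld, the remaining share is indistinguishable from random bytes, which is why disabling the SIM is enough to make the key unusable on a lost device.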
The Rivetz solution has an unlimited number of use cases, such as sensitive work apps, mobile wallets, social media accounts and mobile banking. One of the most unique applications of Dual Roots of Trust is the ability to provably control specific applications on a device. This feature is especially useful for enterprises. Let’s say a company has its own proprietary Rivetz-enabled app that employees use for work on their personal devices. If an employee is terminated or leaves, the company has the ability to revoke access to that app on the former employee’s personal device with Dual Roots of Trust.
As our mobile devices have become more important to our everyday lives and contain so much of our personal and private data, we need better ways to protect ourselves. The solution lies in the roots of trust that already exist on millions of mobile platforms: the SIM and the TEE are two of the most common secure enclaves. Dual Roots of Trust is the next step in ensuring our assets stay safe.
*Please note: this is a commercial profile