Hacks are becoming more sophisticated and are affecting more users daily, despite the fact that 800 million devices could be secured if only we took advantage of a security feature built into them.
Recently, millions of IOTA tokens were subject to theft because the creation of secret seed keys was exposed. The creation and management of secret keys is hard for users. It has been hard since the beginning of the digital age. Users will notice if their device is missing, but they generally won't notice if their password or key has been stolen until something bad happens.
The rise of cryptocurrencies and utility blockchain tokens requires a new model for consumers.
Security needs to be built-in by design - not added on as an afterthought.
Security is ultimately a consumer interface experience. Every user expects a simple and safe experience, one that is easy to operate and simple to learn. Computers are good at following rules, but have had a hard time protecting secrets. Trusted computing provides a way to protect secrets and create messages on every new computing device.
On most mobile devices, there is a small part of the processor chip called the Trusted Execution Environment, or TEE. It's an isolated environment that runs parallel with your device's operating system, providing deeper security than user-facing operating systems. The TEE essentially acts as a hardware wallet built into your device, and it's on anything that has a chip built by ARM in it.
The TEE is a hybrid approach that uses both hardware and software to protect data. It offers security that gives applications access to a device's main processor and memory, where hardware isolation protects the applications from running in the main operating system. Because it's isolated from the operating system, it's immune to traditional software hacks and malware. The TEE is based on a number of industry standards, and only processes code from known developers.
While the TEE exists on about half a billion handsets and hundreds of millions of computers, services and developers have been slow to enable applications to use it. The TEE can protect secrets and messages and provide users with a safer and simpler experience. Why isn't the industry taking advantage of this? How can we take better control of device security by leveraging the TEE?
It's important to understand that the TEE can communicate with the blockchain by creating trusted, accurate, and secure instructions. This includes trusted display, input, execution, and verification that a device's internal capabilities are operating as expected. The TEE ensures that things happened as intended, while the blockchain ensures that those operations are recorded immutably.
These days, we're giving our devices more autonomy than ever. We allow our devices to pay bills for us, to turn on lights for us. We're allowing them to start our cars and even drive for us. This has huge security implications.
You don't want to store the keys to your car in something as insecure as a mobile app. You want those keys in a vault - and that's the Trusted Execution Environment. It's the 'Sleeping Beauty' of security, just waiting to be woken.
As we've given our devices more autonomy, they've becoming tied to our identities. Your phone, for instance, is tied to your identity in many ways. That's both good and bad - if it's just the phone number that's tied to you, someone can easily gain access to it through social hacking and pretend to be you.
But if your identity were tied to the device itself - as it can be through the TEE - then someone would have to have physical possession of your phone in order to pretend to be you.
If your phone is lost or stolen, you realize it right away and can shut down your device remotely. When it comes down to it, however, your identity is tied not to a single device, but rather to many. Your phone, your tablet, your computer, your wearables, for starters, and maybe also to your spouse's or children's devices.
With chips and cloud computing, your identity connects to your collection of devices - ranging from your phone to your wearables to your computer or even your car. With most of these, we rely on basic password protections instead of built-in security. That needs to change to ensure our trust in our devices is well-placed, as we rely on them more and more heavily.
Moving our culture from the world of passwords to a world of secure devices has tremendous benefits, but won't come without challenges. Consumers are resistant to change. Services are resistant to friction. Manufacturers avoid costs wherever possible. SMS two-factor authentication (2FA) has proven to be flawed and easily hacked. Software authenticators are a great start, but pose significant risks.
A strong built-in and provable solution leveraging the TEE will enable the next evolution of use by providing better security with less hassle.
At Rivetz, our goal is to provide simple applications that show off the value of TEE and lay a foundation for every application developer to explore security by design.
Simple applications such as strong multi-factor authentication are designed to fully use device security. Rivetz is working with many developers to deliver a new model to consumers: One that is easy to operate and easy to understand and keeps secrets safe.
While we have a long way to go before security by design is the new norm, it's more important than ever to adopt new, higher standards.
About the author:
Steven Sprague, CEO of Rivetz Corp. and former president and CEO of Wave Systems Corp. for 14 years, is one of the principal industry evangelists for the application of trusted computing technology. Steven has a strong technical foundation in principles, capabilities and business models of incorporating trusted hardware into everyday computing, making him a popular speaker on cybersecurity and trusted computing.