OMTP Security Recommendations and the Advanced Trusted Environment: OMTP TR1

David Rogers, Director of External Relations, [email protected]
4th ETSI Security Workshop, 13 - 14 January 2009, ETSI, Sophia Antipolis, France

© OMTP All rights reserved


Page 2

OMTP – Who are we?

Sponsor members
Operator members
Advisor members

Office:
• Tim Raby – Chief Executive Officer
• Nick Allott – Chief Technical Officer
• Tim Haysom – Chief Marketing Officer
• David Rogers – Director of External Relations
• Geoff Preston – Consultant
• Barbara Giunchi-Burr – Office Manager
• Stefan Engel-Flechsig – Legal Manager

Page 3

OMTP Mission

• Increasing use of mobile applications and data services
• Making life easier, less complicated and less confusing for customers
• Championing consistency to simplify cross platform application development

Page 4

OMTP Published Recommendations

• Basic & Advanced Device Management
• Recommended Practices for Connected Applications
• Browser
• VOIP Management
• Anti-Virus Client Requirements
• Signing Schemes Requirements
• Incident Handling
• Local Bluetooth Connectivity
• Local Connectivity: Wired Analogue Audio
• Local Connectivity: Charging & Data
• Data Transfer
• Positioning Enablers
• Requirements for OMA DRMv2 Enabled Terminals
• Codecs
• Basic & Advanced Trusted Environment
• Application Security Framework
• Application Framework
• Legacy Support for IM & Presence
• IMS
• UICC

(The slide illustrates these with phone screen mock-ups: a VOIP caller dialling a number, a contacts list, and an anti-virus scan reporting "Virus found!".)

Page 5

Product Profile

Operators publish Requirements; Vendors answer with a Product Profile:
• Self certified statement of compliance
• Economies of scale – once for all operators
• Clear indication of requirement fulfilment
• Marketing – logo rights, public visibility
• Available to non members

Page 6

New Mobile Web Initiative

To consistently and securely open up access to device and network resident capabilities, e.g. contacts, location, presence, voice calls, messaging.

http://www.omtp.org/bondi

Page 7

Security and Trust within OMTP

Page 9

Lifecycle of Handset Security

Protection:
• Application Security Framework
• BONDI Security
• Trusted Environment
• Advanced Trusted Environment
• Signing Schemes

Detection / Reaction:
• Advanced Device Management
• Incident Handling

Page 10

Threats to Embedded Consumer Devices

"If ignorant both of your enemy and yourself, you are certain to be in peril." – Sun Tzu

Page 11

Analysing Threats

• Threat Classification
• What threats are relevant?
  – Have they changed in nature due to technology etc.
• What does the attack do to the device?
• How difficult is it?
  – To repeat
  – To distribute
  – Expertise
• Current situation for hackers:

The real embedded ‘hacking’ is extremely difficult! However, if you can create a tool that you control and that can be used by many....
== reward (££££)!
== motivation!

Page 12: OMTP TR1 TR1

Attack Methods – Some Examples• Applicable to nearly all embedded consumer devices!

• Probing the PCB

• J-TAG debugging and monitoring – extract flash device data and software build

– Relatively easy (used to be hard due to cost of technology)

• Exploitation of software flaws– Requires extensive debugging and manipulation by the hacker

© OMTP All rights reserved Slide 12

– Requires extensive debugging and manipulation by the hacker

• Exploiting hardware glitches or mistakes– Often induced by the hacker

• Monitoring busses to capture or inject data

• Decapping of devices using Nitric Acid– Probing inside devices – Focused Ion Beam attack– can manipulate data within the devices on the phone– Very difficult!

This process takes months of development and cumulated years of research:

the financial end justifies the means

This process takes months of development and cumulated years of research:

the financial end justifies the means

Page 13

Industry Initiatives and Standards

• OMTP assesses and references many different standards
• Avoids duplication
• Reduces fragmentation in the market
• Ensures good recommendations and requirements
• Some other organisations involved in mobile security: (shown on the slide)

Page 14

Handset Embedded Security Evolution

Timeline 2002 – 2010:
• Fragmented Security
• EICTA / GSMA 9 Principles
• OMTP Trusted Environment: OMTP TR0
• OMTP Advanced Trusted Environment: OMTP TR1
• TCG MPWG Specification
• GSMA Pay-Buy-Mobile

Page 15

Advanced Trusted Environment (TR1)

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." – Sun Tzu

Page 16

Overview to TR1

• Enhances the Basic Trusted Environment
• New and expanded threat model
• Protects the Application Security Framework on a device
• Different profiles for different levels of security in the handset
• Enables high security platforms and devices
• The grounding for future high security services on mobile phones

Page 17

TR1 Enablers

Core Enablers and Extended Enablers:
• Trusted Execution Environment
• Secure Storage
• Generic Bootstrapping Architecture
• Run-time Integrity Checking
• Secure User Input / Output
• Secure Interaction of UICC and Mobile
• Flexible Secure Boot

Implementation Examples:
• M-Commerce, Broadcast, Device Management
• Any high security service that could be deployed on a device!

Page 18

Summary

• TR1 gives an increase in the underlying security and trust in mobile terminals for at least the next few years
• Deployment of high security services on mobile phones will be possible and updateable
• A common agreement on the correct way forward for mobile security and trusted environments
  – Chipset vendors
  – Manufacturers
  – Middleware platform providers
  – Operators
  – OS vendors
  – Silicon platform providers
• OMTP Advanced Trusted Environment: TR1 is now published and a further version due in 2009

Reduction in hacking attempts? – No
Reduction in successful hacks? – Yes

Page 20

Additional Information

Page 21

Secure Storage

• What is it?
  – A set of recommendations for securely storing sensitive objects on a terminal whilst maintaining integrity and confidentiality properties
• What does it protect?
  – Data and Keys requiring secure storage
• How does it work?
  – A facility on the device, that could be used with the Trusted Execution Environment
  – Manages the storage and retrieval of secure data
  – Protects data when being transferred between memories

Page 22

Trusted Execution Environment

• What is it?
  – A set of recommendations for providing the secure hardware and software facilities to support secure execution of applications.
• What does it protect?
  – Anything that needs to securely execute! For that:
    – memory, execution and application management
    – communications between execution environments
    – APIs and Instruction Set Architecture
  – all at a very low level in the device
• How does it work?
  – Is isolated from normal execution environment(s) (EEs)
  – Small size – higher level of integrity checking
  – Can service the user or other EEs

Page 23

Run-time Integrity Checking

• What is it?
  – A mechanism for ensuring that the device is doing what it should be doing and that the integrity of critical data stored on the handset is ok.
• What does it protect?
  – Data stored on the handset that may be tampered with such as:
    – IMEI, SIMlock state etc...
• How does it work?
  – Effectively ‘polices’ the handset
  – Monitors data on the device for modification
  – Looks at suspicious events such as unexpected change
  – Logs event data
  – Escalates issues for action
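As an added illustration (not OMTP's code or anything from TR1), a Python sketch of the monitor, log and escalate loop the slide describes: critical items such as the IMEI and SIM-lock state are hashed into a sealed baseline, live values are compared against it, every finding is logged, and changes to critical items are escalated. The item values and the device-bound key are constructed for the example; the MAC over the baseline stands in for a reference held in Secure Storage so that the reference itself cannot be quietly edited.

```python
import hashlib
import hmac
import json

# Constructed sample of the critical items the slide names (IMEI, SIMlock state);
# the values are made up for this example, not real device data.
DEVICE_ITEMS = {"imei": "004401-01-123456-7", "simlock": "LOCKED", "bootloader": "v1.2"}
CRITICAL = {"imei", "simlock"}          # a change here is escalated, not only logged

# Hypothetical device-bound key; under TR1 the sealed reference would live in
# Secure Storage / the TEE so that an attacker cannot rewrite the baseline itself.
DEVICE_KEY = b"constructed-device-bound-key"

def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def _mac(digests: dict, key: bytes) -> str:
    blob = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, blob, "sha256").hexdigest()

def seal_baseline(items: dict, key: bytes = DEVICE_KEY) -> dict:
    """Record a hash of every monitored item and MAC the table as a whole."""
    digests = {name: _digest(value) for name, value in items.items()}
    return {"digests": digests, "mac": _mac(digests, key)}

def check_integrity(baseline: dict, current: dict, key: bytes = DEVICE_KEY) -> list:
    """'Police' the handset: compare live values with the sealed baseline and return
    one event per finding, flagged for escalation when a critical item is involved."""
    if not hmac.compare_digest(baseline["mac"], _mac(baseline["digests"], key)):
        # the reference itself was altered: treat as the most serious finding
        return [{"item": "baseline", "event": "reference tampered", "escalate": True}]
    events = []
    for name, ref in baseline["digests"].items():
        value = current.get(name)
        if value is None:
            events.append({"item": name, "event": "missing", "escalate": name in CRITICAL})
        elif _digest(value) != ref:
            events.append({"item": name, "event": "unexpected change", "escalate": name in CRITICAL})
    for name in current.keys() - baseline["digests"].keys():
        events.append({"item": name, "event": "unknown item appeared", "escalate": False})
    return events

if __name__ == "__main__":
    sealed = seal_baseline(DEVICE_ITEMS)
    tampered = dict(DEVICE_ITEMS, simlock="UNLOCKED")   # constructed SIM-lock removal
    for event in check_integrity(sealed, tampered):
        print("LOG", event, "-> ESCALATE" if event["escalate"] else "")
```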

Page 24

Secure User Input / Output

• What is it?
  – A set of requirements to ensure that anything that is presented to the user via an interface, for example a transaction amount displayed on a screen, is authentic and not from another (rogue) application.
• What does it protect?
  – Primarily: the user
  – Any input: microphone, keypad entry (e.g. PIN), biometrics
  – Any output: decoded protected DRM content, displayed information (e.g. prompts)
• How does it work?
  – Ensures that asset security properties are valid
  – Protects drivers and codecs on the device from being abused
  – Prevents attacks such as driver hooking, keylogging etc.

Page 25

Generic Bootstrapping Architecture

• What is it?
  – A method of using the existing security relationship between the USIM of the user and the network for application layer purposes.
• What does it protect?
  – Already used to protect MBMS (Multimedia Broadcast)
  – It is not ‘protection’ but a facility that could be used for other applications such as IMS services (e.g. presence)
  – Could provide keying material for the secure UICC / ME link
• How does it work?
  – Primary aim is to establish keys for application security
  – The handset goes through the bootstrapping procedure
  – Secure application layer communications enabled

Page 26

Flexible Secure Boot

• What is it?
  – The process of ensuring the integrity of the software code base on the phone at boot-time and allowing new code to be updated on the device securely over-the-air or via cable – an extremely security sensitive operation.
• What does it protect?
  – The initial state of the handset – the root of trust
  – Ensures the phone has not been modified while it was ‘off’
  – Ensures that the manufacturer can update the core software of the phone securely
• How does it work?
  – Verifies the integrity of the code base on the device at boot-time
  – Checks authenticity and integrity of updates
  – Acts as a ‘gatekeeper’ for code on the device
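An added example (not OMTP's or any manufacturer's code) of the gatekeeper logic the slide describes, covering both boot-time verification of the code base and acceptance of an update: each stage carries a manifest that binds a version and an image digest under the root of trust, and a stage is allowed to run only if the manifest is authentic, the image matches its digest and the version does not roll back below the stored floor. The root key, image bytes and stage names are constructed; an HMAC under a hypothetical root key stands in for the asymmetric signature a real secure boot would verify against a fused public-key hash.

```python
import hashlib
import hmac

# Hypothetical root of trust. A real secure boot holds a fused hash of the manufacturer's
# public key and verifies an asymmetric signature; an HMAC under a constructed key stands
# in here so the example runs with the standard library alone.
ROOT_KEY = b"constructed-root-of-trust-key"

def image_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def _manifest_tag(stage: str, version: int, digest: str, key: bytes) -> str:
    body = f"{stage}|{version}|{digest}".encode()
    return hmac.new(key, body, "sha256").hexdigest()

def sign_manifest(stage: str, version: int, image: bytes, key: bytes = ROOT_KEY) -> dict:
    """Manufacturer side: bind a stage name, a version and the image digest under the root key."""
    digest = image_digest(image)
    return {"stage": stage, "version": version, "digest": digest,
            "tag": _manifest_tag(stage, version, digest, key)}

def verify_stage(manifest: dict, image: bytes, min_version: int, key: bytes = ROOT_KEY):
    """Gatekeeper check used both at boot and when an update arrives: authentic manifest,
    image unchanged since it was signed, and no rollback below the stored minimum version."""
    expected = _manifest_tag(manifest["stage"], manifest["version"], manifest["digest"], key)
    if not hmac.compare_digest(manifest["tag"], expected):
        return False, "manifest not authentic"
    if image_digest(image) != manifest["digest"]:
        return False, "image modified"
    if manifest["version"] < min_version:
        return False, "rollback rejected"
    return True, "ok"

def boot_chain(stages: list, min_version: int):
    """Verify stages in order (e.g. bootloader, then OS), stopping at the first failure.
    Returns (booted, reason, new_min_version); the version floor ratchets as stages pass."""
    for manifest, image in stages:
        ok, reason = verify_stage(manifest, image, min_version)
        if not ok:
            return False, f"{manifest['stage']}: {reason}", min_version
        min_version = max(min_version, manifest["version"])
    return True, "ok", min_version

if __name__ == "__main__":
    loader, os_image = b"constructed bootloader image", b"constructed OS image"
    chain = [(sign_manifest("bootloader", 3, loader), loader),
             (sign_manifest("os", 7, os_image), os_image + b"\x00")]   # OS image altered
    print(boot_chain(chain, min_version=2))   # the altered OS stage is refused
```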

Page 27

Secure Interaction of UICC and Mobile

• What is it?
  – A mechanism for ensuring that data transmitted between the handset and UICC is secure and has not been tampered with or changed.
• What does it protect?
  – Allows the UICC to ratify the trustworthiness of the device
  – Future applications such as:
    – Mobile ticketing
    – Broadcast
    – SIM-based DRM
• How does it work?
  – Handset and UICC are authenticated
  – Handset applications can securely access the facilities of UICC
  – Allows exchange of sensitive information between the handset and UICC
  – Enables use cases and facilitates other parts of TR1:
    – Secure User Input / Output
    – M-Commerce

Page 28

Contact Details and Links

David Rogers, Director of External Relations, [email protected]

OMTP BONDI: http://www.omtp.org/bondi

OMTP Published Security Related Recommendations:
• Advanced Trusted Environment: OMTP TR1 – http://www.omtp.org/Publications/Display.aspx?Id=24ad518b-6dba-4155-ad51-3143bd43a234
• Security Threats on Embedded Consumer Devices – http://www.omtp.org/Publications/Display.aspx?Id=c5a1758c-84fe-4ee1-a88d-dff9d6044175
• UICC/(U)SIM – http://www.omtp.org/Publications/Display.aspx?Id=4f9ec3d3-c0a7-4875-9458-0156cb9df3c9#
• Application Security Framework – http://www.omtp.org/Publications/Display.aspx?Id=c4ee46b6-36ae-46ae-95e2-cfb164b758b5
• Signing Schemes Requirements – http://www.omtp.org/Publications/Display.aspx?Id=f1db6eac-0cbc-4aea-9452-5da24076b198
• Trusted Environment: OMTP TR0 – http://www.omtp.org/Publications/Display.aspx?Id=03f37406-be24-424b-b177-dd0cb9dbc719

Other OMTP Recommendations: http://www.omtp.org/Publications.aspx

OMTP Security Whitepaper: Mobile Handset Security: Securing Open Devices and Enabling Trust – http://www.omtp.org/pdf/presentations_whitepapers/OMTP%20Security%20Whitepaper.pdf