• silicon.com
• Technology
• Mobile

By Joris Evers, 28 September 2005 11:00

NEWS As mobile phones become digital do-it-alls, handsets need better protection from hackers and from unauthorised access when they're lost or stolen, says an industry group proposing new, hardware-based security standards for the devices.

The Trusted Computing Group (TCG) - backed by big names such as Intel, Motorola, Nokia, Samsung, VeriSign and Vodafone - is set to unveil its plan on Tuesday at a conference sponsored by the Cellular Telecommunications & Internet Association. The TCG has already developed similar specifications for PCs and servers.

In addition to voice calls, mobile phones are increasingly used for taking pictures, keeping a calendar and sending text messages and email. In the future they could replace wallets, say industry pundits, with consumers whipping out a specially equipped phone instead of a credit card to pay for a purchase. That would make securing the gadgets even more important.

Janne Uusilehto, senior technology manager at Nokia and chairman of the TCG's Mobile Phone Working Group, said: "Without proper security, mobile phones may become a target for hackers and malicious software. The benefit of hardware-based security is that users can rely on their phone and [know] that private data is protected."

The proposed standard doesn't just protect user data. The security hardware also enables copyright protection, according to the TCG, a feature demanded by the entertainment industry. This so-called digital rights management (DRM) technology could mean access to more exclusive content on mobile phones but it could also limit the content that will play on devices.

Additionally, says the TCG, mobile phone operators could use the technology to get more control over the devices they sell. Operators would get a better way to lock devices to their networks and tighten control over which services and software can run on the gadgets. But user-rights advocates complain that such things limit consumers' choice and freedom.

The TCG's plans call for mobile handset hardware to support features similar to those of the Trusted Platform Module (TPM): a security chip designed for PCs and servers that enables a variety of security features, including authentication, protected storage and secure email. The TPM technology will need to be adapted because mobile phones are much smaller than PCs.

At the CTIA wireless event, the TCG will introduce its plans by sharing "use cases" for hardware-based security in mobile phones. The group plans to release a blueprint designed to make it possible to include security technology in mobile handsets in the first half of 2006, according to TCG representatives.

Adding hardware-based security to mobile phones can enable services such as electronic ticketing and mobile payments, according to the TCG. It can also provide for secure storage of personal information such as an address book, text messages, email and pictures. And, in the future, payment data such as credit card numbers will be added to the mix, the group said.

Thomas Hardjono, a principal scientist at VeriSign and member of the TCG Mobile Phone Working Group, said: "Nowadays my Treo 650 has some files from my corporation. It would be nice to have the phone rendered unusable if it gets lost." The Palm Treo 650 is a phone with features such as email, a calendar and a camera.

As handsets get smarter and used for more than just voice calls, the threat of hacker attacks and mobile phone viruses rises, Nokia's Uusilehto said. The new security features can protect the devices against such threats, he said.

He added: "Mobile phones are becoming full of security-demanding services. Attacks are not a major problem today, and that makes the timing pretty good for us. We have time to do security properly, where we are not in a firefighting mode."

In addition to enabling new services and protecting user data, the TCG's proposals can also be used to secure copyright-protected data on mobile phones. That use of the new security features is critical to content services, said VeriSign's Hardjono. VeriSign is a significant player in the mobile content business with its Jamba and Jamster! services.

Hardjono said: "We want to sell content but the folks in Hollywood don't want to sign the paperwork because they want guarantees that the devices have got proper security. No DRM, no content."

But DRM is one way the proposed security technology could restrict mobile phone users, say some user-rights advocates. Operators would also get a better way to lock phones to their networks and close control of the services and applications that can run on devices.

Seth Schoen, staff technologist at the Electronic Frontier Foundation, said: "A lot of carriers have a model of trying to tax everything that goes into a phone, which we think is unfortunate. The TPM is just another tool to let them do these things."

Nokia's Uusilehto said hardware-based security is not new to the mobile phone space but manufacturers have so far each gone their own way. The TCG aims to provide a standard, which should reduce costs for handset makers and let component suppliers standardise.

Uusilehto said: "Today we're wasting a lot of resources and inventing the wheel again here and there, instead of doing it together in this open approach."

Joris Evers writes for CNET News.com