Mobile chips face lockdown to prevent hacks

Chipmakers are adding more security layers to protect mobile device users from malicious attacks and code injection

Chipmakers want to make hardware the first layer of defense against data breaches and other attacks on tablets and smartphones.

Mobile devices are becoming increasingly vulnerable, with more personal information, banking data, passwords and contacts residing on devices without any protection, said presenters at the Hot Chips conference in Cupertino, California.

The NSA revelations and a mounting pile of data breaches have reminded hardware makers that well-designed chips for PCs, servers and mobile devices, can minimize, if not prevent, attacks, said Leendert VanDoorn, corporate fellow at Advanced Micro Devices.

"You can't open a newspaper without reading about a security attack," VanDoorn said.

Most attacks today exploit software bugs, but it's possible for hackers to isolate keyboards, voice, sensors and even screens, snoop for information and send data back to rogue servers, said Vikas Chandra, principal engineer at ARM's research and development division.

A well-designed system can provide multiple layers to prevent malicious attacks and injection of rogue code, said Chandra, adding that the hardware, security subsystem and software on mobile hardware need to work together.

Besides ARM, chip makers like Intel and AMD are working to bring more security features so mobile devices are shielded from attacks. The companies are knitting together hardware and software to work more cohesively in a system, and also establishing hypervisors, secure boot layers, and segmented areas - much like sandboxes - in which code could be executed without compromising a system.

Most mobile device users are not tech savvy, and haven't secured devices with passwords or pins. Few devices have security software to prevent malware, and trojans running on social networking apps could collect personal information and send it back to rogue servers, he said.

ARM is improving its security layer called TrustZone to prevent such attacks, Chandra said. The layer establishes a trusted execution environment in which code can be safely executed without affecting the entire system.

The company also wants to eliminate users from having to use multifactor authentication and entering multiple passwords, Chandra said, adding that there are more secure ways to log-in to websites.

He gave the example of the FIDO authenticator, in which users can login through fingerprint scanning or face recognition. The log-in generates a private key that is encrypted, sent to a FIDO server, which then decrypts the key. That emerging technology works within TrustZone, which protects private keys.

The form of authentication is being promoted by the FIDO Alliance, which was established early last year and boasts members such as ARM, Google, Microsoft, Bank of America, MasterCard, PayPal, Samsung, Visa, Lenovo and others.

It's also important to make sure servers are ready to deal with different security layers in mobile devices and the new authentication techniques, said Ruby Lee, professor of electrical engineering at Princeton University.

"Security is not only a top to bottom issue. It's also an end to end issue," Lee said.

It's easy to account for one device, but not the other, Lee said.

"There's no use if your cloud servers are secure, but those smartphones that act as a cloud are completely insecure," Lee said.

ARM's TrustZone has put the stake in the ground for mobile platform integrity, including how to set up wireless transmissions, authentication techniques and others, Lee said.

Engineers from Intel, AMD and ARM also talked about security enhancements at the hardware layers in PCs and servers. A lot of hardware security implementations are around secure execution layers, trusted domains and securing DRAM so private keys and cryptographic data can't be stolen in transit. Intel is bringing the ability to identify rootkits and polymorphic viruses at the hardware layer to its upcoming chips so malicious attacks can be identified before they wreak havoc on a system.

Not all hardware security features in PCs and servers will come to smartphones, which have limited processing capabilities due to power constraints, Lee said.

But system design is important, and the security features need to be chosen wisely.

"It's not easy to come up with a hardware patch, so you have to think ahead," Lee said.

Agam Shah covers PCs, tablets, servers, chips and semiconductors for IDG News Service. Follow Agam on Twitter at @agamsh. Agam's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags ArmFIDO AlliancesecurityAdvanced Micro Deviceshardware systems

More about AdvancedAdvanced Micro Devices Far EastAMDARMBank of AmericaIDGLenovoNSAPayPalSamsungVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Agam Shah

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place