Whatever your favorite, or most hated, device may be on security grounds, the technologists behind it and the software it runs should share one key concern: security by design (and by default). The phrase makes a strong line of prose, but security by design, as promoted by the Consumer Trust Alliance (CTA) in the US and now written into European law by the GDPR (whose Article 25 requires "data protection by design and by default"), is much more than good copy.
Privacy and security by design apply far beyond the data-handling practices, processes and provisions that GDPR mandates. They also put hardware and software providers on notice to tighten up security. For us here at WeLiveSecurity, incidents like Meltdown and Spectre shifted our usual focus away from malware and software exploits, and forced us to refresh our understanding of what hardware suppliers are doing to make our digital world safer too.
Regulation vs. Good Faith?
While some might see these incidents as an inevitable consequence of our reliance on technology, much as pollution is a consequence of burning fossil fuels, many businesses and consumers have expressed outrage, and a class action lawsuit has been organized. What does this say about the scrutiny older technologies will face in future?
Lawsuits aside, given how central communications and data sharing have become, we should ask not only whether hardware suppliers have done their due diligence, but also whether users are prepared to educate themselves and to limit their investment in products and services that carry serious vulnerabilities.
Few in hardware or cybersecurity R&D could have anticipated digitization's impact on business and society back in 1995. Today, every user has a role in solving this challenge, while industry tries to meet the market's expectation that access and security can be balanced quickly as the digital transformation proceeds.
Growth in IT over the last twenty-plus years has generally followed promised improvements in productivity, collaboration or connectivity, but not always in security. The last five years, however, have seen a marked shift: nearly every web service now uses HTTPS, encryption features in nearly every third-party communications app, and most software updates automatically. The last two years have also seen intense discussion within governments that want to restrict encryption or to have back doors built into encryption products.
These developments show that security technology is now keeping up with, or even outpacing, other technological and regulatory developments. So while users' wants often still trump their appreciation of risk, the industry has responded and in many cases got ahead of popular demand. And although 2018 kicked off with Meltdown and Spectre, plenty of attention also fell on improvements to the tools we use to secure software, hardware and the internet. Is blockchain technology that silver bullet?
Is Blockchain the game changing tool?
Joining the lineup alongside two-factor authentication and encryption is blockchain, popularized by its best-known application, cryptocurrency. While WeLiveSecurity has written extensively on the security aspects of cryptocurrencies, the good, the bad and the ugly, we have written less about blockchain itself. It is worth being precise about what a blockchain is: an append-only ledger whose entries are chained by cryptographic hashes and authorized by digital signatures. It provides integrity and tamper evidence, not confidentiality; a blockchain does not by itself encrypt anything.
Perhaps that's because, with the threat landscape as diverse as it is, there is strong evidence that covering the basics of security more broadly delivers better results across the wider online ecosystem. But blockchain, while not new technology, is certainly the vanguard of something broader, the Encryption of Things (EoT). Those things (devices) exist as hardware independently of their software guts, and in many cases security can be engineered into their bones. But what about that smartphone interface?
Well, let's try to find some extra-secure devices! Aside from military-grade devices, specialized enterprise-grade communications devices and encrypted satellite phones, options are thin. This is primarily because the cost of software or app-based implementations of two-factor authentication and encryption (BitVault is an interesting example) is considerably lower than that of dedicated devices, and still falling. Ironically, dedicated devices still depend on software upgrades and updates, so they carry the same patching burden.
Pushing on
A few Google searches later you'll find the Solarin smartphone by Sirin Labs. This first product, priced at roughly US$14,000 in 2016, brought a hardened, secure smartphone to market. It got off to a glacial start; now a new incarnation of the phone has been shown. The Finney phone (named after Hal Finney, the bitcoin pioneer) is priced to hit shelves at a more realistic US$1,000. Prices aside, a blockchain-hardened OS would still face challenges. Cryptocurrency networks are notorious for the power consumed in processing transactions, although that cost comes from proof-of-work mining, in which nodes race to find a hash below a target, rather than from the ledger structure itself; a permissioned ledger can use a cheaper consensus rule. Even so, imagine the power demands of a few billion blockchain-hardened phones. Is that scalable?
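To make the power point concrete, here is a toy proof-of-work loop. It is an added example written for this article, not code from Sirin Labs or from any real cryptocurrency client. It hashes a constructed stand-in for a block header with double SHA-256, as Bitcoin does, and counts how many attempts it takes to meet a difficulty target expressed in leading zero bits. The expected work doubles with every extra bit, while checking a solution costs a single hash; that asymmetry is what makes mining burn power and why a phone-based network would need a different consensus rule.

```python
import hashlib
import struct


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || nonce (little-endian 64-bit), Bitcoin style."""
    data = header + struct.pack("<Q", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 256-bit digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def expected_attempts(difficulty_bits: int) -> int:
    """Mean number of hashes needed: each extra bit halves the odds per try."""
    return 2 ** difficulty_bits


def mine(header: bytes, difficulty_bits: int, max_attempts: int = 1 << 24):
    """Search nonces until the hash has at least difficulty_bits leading zeros.

    Returns (nonce, digest, attempts). Raises RuntimeError if the cap is hit.
    """
    for nonce in range(max_attempts):
        digest = pow_hash(header, nonce)
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest, nonce + 1
    raise RuntimeError("no solution within max_attempts")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """A verifier pays one hash, however many the miner had to try."""
    return leading_zero_bits(pow_hash(header, nonce)) >= difficulty_bits


if __name__ == "__main__":
    # Constructed stand-in for a real block header (prev hash, merkle root, time...).
    header = b"welivesecurity-example-block-header"
    for bits in (8, 12, 16, 20):
        nonce, digest, attempts = mine(header, bits)
        assert verify(header, nonce, bits)
        print(f"{bits:2d} bits: nonce={nonce:8d} attempts={attempts:8d} "
              f"expected~{expected_attempts(bits):8d} hash={digest.hex()[:16]}...")
```

Running it shows attempts climbing roughly sixteenfold for every four extra bits of difficulty, while `verify` does the same one-hash check each time; a real network sets the target so that the whole fleet of miners needs about ten minutes per block, which is the energy bill being discussed above.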
The anticipated FINNEY devices are marketed on Sirin's website as "the first cyber-protected, blockchain-enabled mobile phone and PCs". According to the company, the devices, which also include a desktop PC, "will form an independent blockchain network, with a dedicated distributed ledger both scalable and lightweight".
Sirin's Finney phone boasts a host of security measures, some of which are familiar from cybersecurity vendors: a behavior-based intrusion prevention system and multifactor authentication, for example. The departure begins with a physical security switch (for wallet protection), secured communications (VoIP, text and email) and its core feature, what the vendor calls a tamper-proof, blockchain-based Android OS. "Tamper-proof" is a marketing claim; in practice a device can offer tamper resistance and tamper evidence, and a hash-chained ledger delivers the latter, not immunity.
A step too far?
I've already mentioned scalability, but while the product aims to live up to the true spirit of security by design, is this level of security necessary, or even practical?
The mobile environment, as dynamic as it is, faces a paradox. It can only be as secure as public awareness and good practice allow, since human factors are core to security. For example, if people won't even carry RFID-shielded wallets for their contactless cards, how much appetite will there be for the discipline that holding cryptocurrency demands? Closer to home, if users leave ISP-provided home routers on their default settings, default administrator password included, why invest in super-secure devices?
Blockchain Hardened handsets, a business case born in 2017?
The intent of the hardened device is clear: a distributed, cryptographically verified ledger is meant to deliver significantly improved security. With Sirin's ICO reaching completion on December 26, 2017, production looks to have got the green light.
Features are one thing, but predicting which factors will enable the cyber-hardened Finney phone to find market success is anyone's guess. Another barrier may be the acceptance of services like Apple Pay and other secure mobile payment platforms, which already fill much of the niche cryptocurrency is pitched for: no cash ever changes hands and card details are never transmitted, since the merchant receives a device-specific payment token instead. This approach also has stability and the backing of the world's banks and governments. It's practical security that average users are unlikely to undermine through poor practice.
All that said, security by design and the Finney phone may have found their moment. 2017 showed us the costs of our connected world through a diversity of threats, from attacks on critical infrastructure in Ukraine to the devastating global WannaCryptor.D (WannaCry) outbreak and the DiskCoder.C (NotPetya) data-destroying pandemic that hit businesses.
Now, with ongoing attacks on cryptocurrency infrastructure, mobile malware and zombie IoT devices upping the ante, anxiety is running high. It's no wonder that, just before Christmas, the price of bitcoin exploded along with interest in blockchain. Luckily for Sirin Labs and its competitors, the last 12 months have seen a market materialize around them. Whether more vendors will follow now seems more likely, whatever the threat landscape brings in 2018. Let's see what develops at the hardware providers' booths at Mobile World Congress in a few weeks' time.