Regardless of which device you favor or distrust on security grounds, the technologists behind these devices and the software they run should share a key concern: “Security by design (and by default)”.
While it makes a strong line of prose, Security by Design – as driven by the Consumer Trust Alliance (CTA) in the US and now popularized in the European Union by the huge corpus of the GDPR text – is much more than good copy.
Privacy and security by design apply far beyond the mandated data and privacy practices, processes and provisions that GDPR demands. They also put hardware and software providers on notice to tighten up security.
security. For us here at WeLiveSecurity, incidents like Meltdown and Spectre shifted our usual focus away from malware
and software exploits, forcing us instead to refresh our understanding of what
hardware suppliers are doing to make our digital world safer too.
Regulation vs. Good Faith?
While some might see these incidents as an inevitable consequence of our reliance on technology, like the pollution produced by fossil fuels, many businesses and consumers have expressed outrage, leading to a class action lawsuit being organized. What does this say about the scrutiny older technologies will face in the future?
Lawsuits aside, considering how central communications and data sharing have become in today’s world, we should ask not only whether hardware suppliers have done due diligence, but also whether users are ready to educate themselves and to limit their investment in products and services in the face of serious vulnerabilities.
While few in hardware or cybersecurity R&D could have anticipated digitization’s impact on business or society in 1995, at this point all users have a role in solving this challenge, as industry simply tries to meet the market’s expectations for rapidly balancing access and security in the digital transformation.
Growth in IT over the last twenty-plus years has generally followed on the heels of promised improvements in productivity, collaboration or connectivity, but not always security. However, the last five years have seen a marked shift, with nearly every web service moving to HTTPS, encryption featured in nearly every third-party communications app and most software updating automatically. The last two years have also seen intense discussion within governments wanting to stop encryption or have back doors.
These developments show that security technology is now keeping up with, or outpacing, other technological and regulatory developments. Thus, while users’ wants often continue to trump their appreciation of risk, the industry has responded and in many cases gotten ahead of popular demand.
And despite 2018 kicking off with Meltdown and Spectre, significant light fell on improvements to the tools we use to secure software, hardware and the internet. Is blockchain technology that silver bullet?
Is Blockchain the game-changing tool?
Perhaps that’s because, with the threat landscape as diverse as it is, there is strong evidence that covering the basic aspects of security more broadly can deliver better results across the wider online ecosystem. But certainly blockchain, while not new tech, is the vanguard of something broader: the Encryption of Things (EoT). Those things (devices) of course exist independently of their software guts, and in many cases security can be engineered into their bones. But what about that smartphone interface?
Well, let’s try to find some extra secure devices!
Aside from military-grade devices, specialized enterprise-grade communications devices and encrypted satellite phones, options are thin. This is primarily because the cost of software/app-based implementations of two-factor authentication and encryption (BitVault is an interesting example) is considerably lower than that of dedicated devices, and still falling. Ironically, dedicated devices still rely on software upgrades and updates.
Pushing on
A few Google searches later you’ll find the Solarin smartphone by Sirin Labs. This first product, priced at roughly US$14,000 in 2016, introduced a blockchain-based secure smartphone to market. That first device got off to a glacial start; now a new incarnation of the phone has been shown. The Finney Phone (named after Hal Finney, the bitcoin pioneer) is priced to hit shelves at a more realistic 1,000 USD. Prices aside, a blockchain-hardened OS would still face challenges. Given the notorious power consumption needed to process cryptocurrency transactions, imagine the power demands of a few billion blockchain-hardened phones. Is that scalable?
The anticipated FINNEY devices are marketed on Sirin’s website as “the first cyber-protected, blockchain-enabled mobile phone and PCs”, and the site states that the devices – which also include a desktop PC – “will form an independent blockchain network, with a dedicated distributed ledger both scalable and lightweight”.
SIRIN’s Finney phone boasts a host of security measures, some familiar to cybersecurity vendors. Take the behavior-based intrusion prevention system or multifactor authentication, for example. The departure begins with the physical security switch (wallet protection), Secured Communications (VoIP, text, email) and its core feature – the tamper-proof blockchain-based Android OS.
A step too far?
I’ve already mentioned scalability, but while the product aims to live up to the true spirit of security by design, is this level of security necessary, or even practical?
The mobile environment, as dynamic as it is, faces a paradox. It can only be as secure as public awareness and good practice allow, since human factors are core to security. For example, if people don’t carry RFID-shielded wallets, how much utility can there be in cryptocurrency? Closer to home, if users leave the default settings on ISP-provided home routers, why invest in super-secure devices?
The intent of the hardened device is clear: distributed encryption equals significantly improved security.
Blockchain-hardened handsets, a business case born in 2017?
With Sirin’s ICO reaching completion on December 26, 2017, production looks to have gotten a green light.
Features are one thing, but predicting which factors will enable the cyber-hardened Finney phone to find market success is anyone’s guess. Another barrier may be the acceptance of services like Apple Pay and other secure mobile payment platforms as a kind of cryptocurrency, in that no cash ever changes hands and card details are never transmitted. This payment approach also has stability and the backing of the world’s banks and governments. It’s practical security that average users are unlikely to undermine through poor practice.
Now, with ongoing attacks on cryptocurrency infrastructure, mobile malware and zombie IoT devices upping the ante, anxiety is running high. It’s no wonder that just prior to Christmas, the price of and interest in bitcoin (and blockchain) exploded. Lucky for Sirin Labs and their competitors, the last 12 months have seen a market materialize around them. Whatever the threat landscape brings in 2018, it now seems more likely that more vendors will follow. Let’s see what develops at the booths of hardware providers at Mobile World Congress in a few weeks’ time.