Trade group objects to proposed NIST mobile security guidelines

TIA trade group says NIST preference for hardware-based security might mean vendors either make drastic changes or leave federal market altogether

By , Network World
December 17, 2012 12:33 PM ET

Network World - A mobile security technology proposal drafted by the National Institute of Standards and Technology (NIST) is being soundly rejected by one of the main trade groups representing a broad cross-section of industry.

NIST's "Guidelines on Hardware-Rooted Security in Mobile Devices," issued in draft form in October and out for public comment until last Friday, has drawn sharp criticism from the Telecommunications Industry Association, which labeled NIST's proposal as "over-prescriptive" because it "suggests that security in mobile devices can only be realized using a specific architectural implementation of secure or trustworthy environment, namely the Trusted Platform Module (TPM) architecture specified by the Trusted Computing Group (TCG)."

TPM is "one way to implement security in mobile devices but it isn't the only way," said Brian Scarpelli, senior manager of government affairs at Arlington, Va.-based TIA, adding that software-based security can also be relied on. He indicated the TIA membership of carriers and software vendors would prefer not to have to adhere to a specific implementation to meet new federal guidelines for mobile devices, and TIA is reaching out to NIST to voice its objections. TIA industry membership includes carriers such as Verizon Communications and Sprint Nextel, as well as Apple, Dell and VMware.

The TPM specification from the TCG is a hardware-based cryptographic-processing technology that can be used for several security purposes, primarily device integrity. TPM is used in desktops and servers but not mobile devices at present. The National Security Agency, for example, which influences technology decisions made at the U.S. Department of Defense, has been an enthusiastic proponent of TPM.

TPM is present in much internal computer hardware today, though it appears to suffer from a lack of widespread deployment, in part because of a lack of applications that make it easy to deploy.

NIST argues for TPM by saying that "many mobile devices are not capable of providing strong security assurances to end users and organizations. Current mobile devices lack the hardware-based roots of trust that are increasingly built into laptops and other types of hosts."

NIST says it wants to "accelerate industry efforts" to use hardware-rooted trust technologies, and specifically TPM, in mobile devices such as smartphones and tablets that the federal government would acquire. NIST criticizes today's mobile devices, saying they are "vulnerable to 'jailbreaking' and 'rooting,' which provide device owners with greater flexibility and control over the devices, but also bypass important security features which may introduce vulnerabilities."

NIST asserts in its guidelines proposal that TPM and a hardware-based root of trust are the model the federal government would like to see used for assuring device integrity and verification, and that this would also help the government adopt a bring-your-own-device approach in which government employees could use their personally owned devices for work as well.
