IBM Touts Chip-Level SecurityBy Matt Hines | Posted 2006-04-11 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
The IT giant says a breakthrough in processor design technology will allow it to build mainframe-caliber data encryption security into mobile devices such as cell phones and PDAs.
IBM is touting a new technology that it claims will greatly increase chip makers' ability to build embedded security features into processors used in mobile handsets, PDAs and other devices.
Tabbed with the code-name "Secure Blue," IBM said that the technology, which it labels as a security architecture, can be built into a microprocessor chip to provide defense features previously unseen in such embedded components and more common in mainframe computers.
The company contends that the chip encryption process allows for increased security for both the processors on which it is added, and the entire devices the chips are used in.
At the heart of the chip design process that allows for Secure Blue is a set of new cryptographic algorithms created by IBM researchers.
Use of the algorithms allows for all the memory on a processor to be completely encrypted, said Guerney Hunt, senior manager of the Distributed Infrastructures group within IBM Research.
"In today's world, everything must be encrypted from the network to the devices, and the open link that's still out there is in the mobile devices," said Hunt.
"What Secure Blue does is make other security technologies more effective because on what a user does with their device, this allows you to have a level of encryption where it's virtually impossible to extract certain types of data."
To that end, one of the benefits to the chip security design is that it makes lost or stolen devices much harder to break into, IBM claims. Because the approach is based on secure hardware rather than software technology, Hunt said that it prevents reverse-engineering and tampering.
"With enough time and effort, we know that someone can break into just about anything, but this is the sort of roadblock that will truly discourage anyone trying to get data out of a device that has it inside," he said.
IBM said it plans to license Secure Blue to various types of device makers, while it has yet to decide on an application for the technology in-house.
In addition to mobile phones and PDAs, IBM said that chips bearing the Secure Blue features would also end up in machines used in vertical applications for the health care and government sectors, and in digital media players.
Hunt said that one major device maker already has a product using Secure Blue on the market, but it declined to name which vendor or device uses the security feature.
The company said that engineers from its Technology Collaboration Solutions division will work directly with chip manufacturers to customize, design and adapt Secure Blue to their own specifications. The technology will be used in both microprocessor and system-on-a-chip configurations.
With each chip maker creating their own variation of the design, no two applications of Secure Blue will be exactly alike, IBM said, adding another level of security into devices bearing the tools, the company claims.
At least one security expert said that if Secure Blue proves to be as effective as IBM contends it is, the chip security tools could be adopted by a number of device manufacturers.
Neil Strother, analyst with NPD Group, Port Washington, N.Y., said that such embedded security controls might appeal to business customers as well, particularly those using smart phones.
"Device level security is something that you'd have to think might appeal to enterprises pretty strongly; if IBM can push [Secure Blue] into enough chip sets, I think that manufacturers could react pretty strongly," said Strother.
"As mobile devices become more PC-like and carry more data, the risk over losing the economic and corporate information on those handhelds will become even more significant."
In addition to mobile phones and PDAs, IBM said that chips bearing the Secure Blue features would also end up in machines used in vertical applications for the health care industry, and in digital media players.
Some experts have labeled the threat of attacks on mobile devices as already over-hyped, with many software vendors having begun to warn their customers to begin installing anti-malware programs aimed specifically at protecting wireless handsets and PDAs.
Anti-virus market leader Symantec recently released a study that found that 60 percent of the businesses it interviewed were delaying wireless tools based on security fears.
"The mobile threat may be a little hyped at this point, as there haven't been any big attacks, but it's not for all the wrong reasons like selling software," said Strother.
"Sooner or later when something does happen, these vendors phones will start ringing off the hook, it's a big market opportunity, and they want to be able to say that if you listened to them it could have been prevented, and that may just be the case."
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.