OnQ

Q&A: Cristiano Amon on developing cybersecurity technologies

2017年8月15日

Qualcomm products mentioned within this post are offered by Qualcomm Technologies, Inc. and/or its subsidiaries.

As more “things” become connected, the amount of personal data (health, financial, and identification information) at our fingertips is increasing exponentially. With 5G in our near future, the number of connected devices will only continue to grow, as will those trying to gain access to them. This is why mobile cybersecurity is more essential than ever.

We sat down with the Executive Vice President of Qualcomm Technologies, Inc. and President of Qualcomm CDMA Technologies, Cristiano Amon, to discuss the growing importance of mobile device security:

Why is there a growing concern about mobile cybersecurity?

Simply put: it’s about the numbers. The smartphone and its mobile ecosystem are the largest technology platform ever built — way bigger than PCs. In the next four years, more than 8.5 billion smartphones are projected to ship, according to Gartner. That’s an extraordinary figure.

The mobile ecosystem now touches almost every industry, from banking to healthcare to gaming and beyond. And it’s not just our devices, which house our most personal information. It’s the services built on top of them. Securing this content and these services is essential.

So it’s not just about securing the smartphone?

Correct. It’s not about one device or one system. Rather, security practices and design need to be woven through a system, from device to the operator’s network, and finally to the service provider in the cloud. That said, securing the device is essential to securing the overall system.

And how would we go about securing the overall system?

I’m a true believer that passwords have long been ineffective. They’re fairly easy to hack, and they’re easy to forget. To ensure robust authentication, the first step would be to eliminate them, or at least minimize the use of them. From there, devices can use a combination of more reliable forms of verification that establish comprehensive device security.

You mention “robust authentication.” Is that how we support device security?

Yes, and Qualcomm Technologies is engineering the technology that can do this. Our Qualcomm Mobile Security platform is designed to provide three layers of security at the chip, device, and system levels. It’s engineered to use hardware protections to more securely authenticate the user, validate a device’s location, and confirm that the device isn’t compromised. With this foundation, effective cybersecurity is achievable.

Would you give us some more details about the three steps in authentication?

The first step is authenticating the user. To do this, the device can use biometric technology, such as Qualcomm Fingerprint Sensors, to determine the ridges of a finger precisely and in the future, even map a finger’s sweat pores and blood vessels. And remember, we need to ensure that the authenticator software is running the hardware-protected region on the Snapdragon, and that the user’s “fingerprint template” data is then stored in a part of the storage system designed such that a malware application on the main operating system couldn’t access it. Even in authenticating a user, there are multiple hardware-protected features to enforce the security and privacy of the user.

Other key trends in authentication are iris and facial recognition that works with a device’s front-facing camera, and voiceprint technology, which uses the device’s microphone. These are starting to appear in more consumer devices, but I expect that in the near future, a user will come to expect and rely on multi-factor authentication that utilizes all of these technologies. For example, accessing your banking application would require your fingerprint, but transferring funds would require an iris or face scan. And if you’re transferring a large amount, the smartphone’s microphone would also ask you to verbally authenticate with a simple, “transfer approved.” In the future, we expect to see smartphones that advance to this level of security.

Next, a key consideration is validating the device’s location and doing so directly from the hardware from the secure mode of the device. Qualcomm Technologies’ positioning technology uses GPS, Wi-Fi, Bluetooth, and cellular connections to help support the integrity of the position. The signal processing and position calculation occur in the Qualcomm Snapdragon modem mobile platform, to help protect the information against tampering or fabrication.

To help confirm that the device hasn’t been compromised, one needs hardware-based device attestation, which is just a way to say ‘device authentication.’ This establishes both the actual hardware-based device ID as well as the “health” of the device. As an example, the cloud would check the device ID, the software versions installed, its location and time, and the integrity of its applications and operating system. This information would then be compared to the information stored in the mobile platform, to prove that the device’s software hasn’t been endangered.

It’s not enough to secure the cloud, the network, or the device individually. For comprehensive authentication, it’s critical to secure all of these endpoints.

What role does machine learning play in device security?

By using machine intelligence, a device can be trained to identify malicious behavior and take appropriate actions against possible threats — all on its own. With machine learning, devices can analyze user software usage in the past and scan for viruses in the software in real-time.

Take the Gooligan attack that happened late last year. The Android malware compromised over one million Google accounts — the result of infected apps downloaded from third-party app stores or phishing scams. The malware was able to get ahold of a lot of consumer data, not just the user’s credit card information. Like I said before, multiple industries touch upon the mobile sphere, and if malware is installed, the user is essentially inviting the vampire into his or her home.

To help prevent this kind of breach, Qualcomm Technologies has placed the mobile platform at the device’s center, where security information, such as data on the user’s fingerprint or GPS location, is removed from the operating system and saved in a security-rich mode of the hardware. Machine learning technologies, such as those found in our Qualcomm Mobile Security product, can then access this information, recognize any changes in usage patterns, and report any potential threats. This is designed to allow products from security app companies to then notify the user and neutralize the threat.

What are the differences and similarities in security solutions for mobile devices and IoT?

Security solutions for mobile devices and IoT devices are more alike than you’d think. For both, cloud-based user- and device-level authentications play integral roles, to help ensure that the device is protected against attacks and false user authentications. Our hardware-based security solutions are also applicable to mobile devices and IoT devices that are powered by Snapdragon as well as other IoT chipsets.

The real difference between mobile and IoT security is scale. The IoT covers a variety of, well, things. Protecting these IoT devices requires a larger array of solutions compared to those for mobile devices. To address this device and cost diversity, we offer a large portfolio of IoT chipsets that are designed to help safeguard personal data and devices, from a simple light bulb to a complex alarm system, to our ubiquitous smartphone.

What’s the biggest challenge for device security in the future?

As the device ecosystem expands, we’ll need to get creative with our security solutions. We’re anticipating more than 23 billion permanently connected “things” by 2021. We won’t only be protecting our smartphones — we’ll be helping to secure body sensors, city infrastructures, and home automation, among other technologies developed for our bodies, homes, and cities. It’s imperative that the information these devices collect is secure and that their security is continually updated. And it all starts with the chip.

To learn more, visit the Qualcomm Mobile Security page, the Qualcomm Product Security team, and read Cristiano’s CTIA presentation on mobile device security.

Qualcomm Snapdragon is a product of Qualcomm Technologies, Inc.