Building Security In At The Chip Level
By Mike Masnick, Tue Jun 29 22:45:00 GMT 2004
A little harmless virus and suddenly everyone is working to lock down mobile phones. Will it go too far?
The Cabir "not-quite-a-virus" from two weeks ago certainly got a lot of attention, even if it was unlikely to cause any real problems. Everyone admits that a more serious phone-based virus is sure to be on its way before long. With that in mind, it certainly makes sense to put in place some preventative measures.
TI and ARM have kicked off that process by announcing plans to bury security in the hardware to make it much more difficult for hackers to crack. That's a valid goal, and Intel and others have been working on similar plans for computers for years.
The risk, however, in burying the security is that the always-lurking technology law of unintended consequences is bound to show up sooner rather than later. Things that may make sense for security right now may not make much sense five years from now, when situations have changed and attackers have figured out ways to use old security issues to their own benefit (something the article points out has already been done with existing mobile phone security systems). By placing the security at the hardware level, not only is it more difficult for hackers to get at it, but it's also more difficult for those who have a legitimate reason to change the security settings. This doesn't mean we shouldn't take preventative actions to stop security attacks -- but security problems are not static. Security measures need flexibility, and burying security at the hardware level is likely to make that flexibility much more difficult.