In a past blog, Whitebox Attacks… on Hardware?, we touched upon the topic of secure hardware, but let’s take a deeper look. Exactly what is secure hardware? Let’s dive in!
Secure hardware refers to:
- Trusted platform modules (TPMs): Dedicated chips for handling cryptographic keys and operations; and
- Trusted execution environments (TEEs): secure elements in the main processor
Irdeto’s view on its necessity can be summed up as follows: secure hardware is great – use it when you can, but we don’t recommend relying on it exclusively.
Of course, this raises an obvious question. Exactly how often can you rely on TPMs or TEEs for your security needs? How commonplace are they in desktop devices, mobile devices, smart home devices, etc.? The short answer: a lot less common than you might think.
The gap between sales of security hardware and overall sales of devices is startlingly and persistently large. In 2019, there were 1.7 billion mobile device sales in total and under 600 million shipments of TEEs for mobile devices. 99% of wearables sold last year lacked either a TEE or TPM. Even connected cars in the vast majority of cases still lack TPMs or TEEs.
While uptake of TPMs and TEEs is increasing (in part due to pressure from companies such as Microsoft and Apple who mandate their use in Windows and iOS respectively), it’s progressing slowly. Our analysis using ABI Research Digital Authentication and Embedded Security Market Data 1Q2020 and Omdia Mobile Handset Forecast: Sales, Installed Base, ASP, and Revenue, 2019–24, suggests that there will still be over three billion mobile devices on the market without a TEE or similar in 2024.
It’s astonishing that the manufacturer of a US$50,000 car would refuse to pay for a TPM, which is not a very expensive component. Unfortunately, that’s the reality of operating in an ultra-tight margin business. Every dollar counts, and a dollar spent on security is largely invisible to the consumer – at least until something goes wrong. Now consider the choice faced by the manufacturer of a US$100 smartphone in an emerging market. Suddenly, the cost of a TEE begins to look exorbitantly expensive.
While this may make perfect sense for device manufacturers, it creates big problems for anyone trying to develop applications for those devices. For instance, if you want to create a secure financial or medical app, you simply cannot rely on having access to secure hardware on all of your users’ devices.
Thankfully, there is another option that allows you to securely support the vast swaths of the market whose devices lack the necessary hardware. Software protection techniques such as Whitebox Cryptography and code transformation can be coupled with the diversity and renewability options that software facilitates, to give a practical alternative to secure hardware.
Click here to get in touch with Irdeto’s Cloakware team to learn more about our security solution for mobile apps!
Authors: Phil Eisen and Liam Deane