With the development of digital twins, more and more businesses and services are being digitized, and COVID-19 has further accelerated this digitization. The number of digital services for both personal and work use (e.g. mobile banking, shopping, entertainment, electronic identity, digital keys) enabled by devices such as smartphones and tablets continues to expand rapidly. Mobile devices also store a large amount of personal data, such as photos, SMS messages and call records, which makes the security and privacy protection of smartphone data critical to users.
As mobile devices carry more and more valuable assets, attacks on them are increasing. According to Kaspersky Security Network, a total of 9,599,519 malware, adware and riskware attacks on mobile devices were prevented in Q3/2021, and 676,190 malicious installation packages were detected, of which 12,097 were related to mobile banking Trojans and 6,157 were mobile ransomware Trojans. Security attacks on mobile devices may lead not only to privacy leakage but also to financial loss.
To address such security threats to mobile devices and protect the security and privacy of consumers' digital assets, ETSI TC CYBER has developed a world-class standard, ETSI TS 103 732, the Consumer Mobile Device Protection Profile. This is the second in a series of consumer-related security standards.
The standard identifies key user data to be protected, including but not limited to photos, videos, user location, emails, contact lists, SMS, calls, passwords and fitness-related data. It also identifies the most relevant security threats to mobile devices, such as tampering with the operating system by malware or via the supply chain; unauthorized access to, modification of, and collection of user data by applications; eavesdropping on or tampering with the content of user communications; and exploitation of vulnerabilities in the system or other software.
To address these threats, ETSI TS 103 732 defines a comprehensive set of security functional requirements so that user data is not easily accessed by attackers and users can enjoy the convenience of digitalization securely. For example, the standard requires that mobile devices perform an integrity check during startup to ensure that the operating system and configuration information have not been tampered with; that users control which of their personal data can be accessed by which applications; and that device identifiers are aliased to prevent tracking by application developers and advertisers. The standard also requires that user data be classified according to the potential harm caused by its leakage, with different encryption protections applied to different classes of data, ensuring data security while maintaining a good user experience. In addition, mobile devices must support secure communication protocols so that user data cannot be intercepted or tampered with in transit.
Security is a risk-based moving target, with attack methods and security technologies evolving rapidly as new attacks appear and security innovation continues. The ETSI standard therefore does not prescribe specific implementations for its security requirements, enabling manufacturers to develop appropriate security mechanisms that keep pace with evolving attacks.
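To make two of the requirement areas above concrete, here is an added example of one possible design for per-app aliasing of the device identifier and for class-based protection of user data. It is illustrative code written for this page, not an implementation of ETSI TS 103 732 and not a description of any vendor's mechanism; as noted, the standard leaves the mechanism to the manufacturer. The device secret, passcode salt, class names and key labels are all constructed for the example; on a real device the device secret and the passcode check would live in hardware-backed storage with rate limiting.

```python
"""Illustrative key hierarchy: per-app aliased device IDs and per-class data keys.

Example code for this page, not an implementation of ETSI TS 103 732.
"""
import hashlib
import hmac
from enum import Enum

# Constructed stand-ins for secrets a real device keeps in hardware-backed storage.
DEVICE_SECRET = hashlib.sha256(b"constructed-device-secret").digest()
PASSCODE_SALT = hashlib.sha256(b"constructed-passcode-salt").digest()


def aliased_device_id(device_secret: bytes, app_id: str, epoch: int = 0) -> str:
    """Return a per-app alias of the hardware identifier.

    Two apps receive unrelated values, so they cannot join their records on it,
    and bumping `epoch` (e.g. a user-initiated reset) changes every alias at once.
    """
    msg = f"{app_id}\x00{epoch}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()[:32]


class DataClass(Enum):
    HIGH = "high"      # e.g. passwords, health data: key exists only while unlocked
    MEDIUM = "medium"  # e.g. messages: available after first unlock until reboot
    LOW = "low"        # e.g. config needed at boot: bound to the device only


class KeyUnavailable(Exception):
    pass


def _kdf(key: bytes, label: bytes) -> bytes:
    """Single-step HMAC-based key derivation (a stand-in for HKDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class ClassKeyStore:
    """Derives one key per data class; which classes are derivable at a given
    moment (locked, unlocked, freshly booted) is what gives each class its protection."""

    def __init__(self, device_secret: bytes, passcode: str):
        self._device = device_secret
        pw_key = self._passcode_key(passcode)
        # Stored verifier lets unlock() reject a wrong passcode without storing it.
        self._verifier = _kdf(pw_key, b"verifier")
        self._session = None     # HIGH material, dropped on lock()
        self._since_boot = None  # MEDIUM material, dropped on reboot()

    @staticmethod
    def _passcode_key(passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), PASSCODE_SALT, 100_000)

    def unlock(self, passcode: str) -> bool:
        pw_key = self._passcode_key(passcode)
        if not hmac.compare_digest(_kdf(pw_key, b"verifier"), self._verifier):
            return False
        # Mix in the device secret so passcode-derived keys are useless off-device.
        bound = _kdf(self._device, pw_key)
        self._session = _kdf(bound, b"session")
        if self._since_boot is None:
            self._since_boot = _kdf(bound, b"since-boot")
        return True

    def lock(self) -> None:
        self._session = None

    def reboot(self) -> None:
        self._session = None
        self._since_boot = None

    def class_key(self, cls: DataClass) -> bytes:
        if cls is DataClass.LOW:
            return _kdf(self._device, b"class:low")
        if cls is DataClass.MEDIUM:
            if self._since_boot is None:
                raise KeyUnavailable("MEDIUM data is sealed until the first unlock after boot")
            return _kdf(self._since_boot, b"class:medium")
        if self._session is None:
            raise KeyUnavailable("HIGH data is sealed while the device is locked")
        return _kdf(self._session, b"class:high")


def key_available(store: ClassKeyStore, cls: DataClass) -> bool:
    try:
        store.class_key(cls)
        return True
    except KeyUnavailable:
        return False


def demo() -> dict:
    """Walk the store through unlock/lock/reboot and record which classes were reachable."""
    store = ClassKeyStore(DEVICE_SECRET, "1234")
    out = {"wrong_passcode_rejected": not store.unlock("0000")}
    out["unlocked"] = store.unlock("1234")
    out["unlocked_high"] = key_available(store, DataClass.HIGH)
    store.lock()
    out["locked_high"] = key_available(store, DataClass.HIGH)
    out["locked_medium"] = key_available(store, DataClass.MEDIUM)
    store.reboot()
    out["rebooted_medium"] = key_available(store, DataClass.MEDIUM)
    out["rebooted_low"] = key_available(store, DataClass.LOW)
    return out


if __name__ == "__main__":
    print("shop app sees:", aliased_device_id(DEVICE_SECRET, "com.example.shop"))
    print("ads app sees: ", aliased_device_id(DEVICE_SECRET, "com.example.ads"))
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the class hierarchy is that the key for the most harmful-to-leak data is not merely access-controlled but does not exist in memory while the device is locked, whereas the LOW class stays usable at boot so the device remains functional; the aliasing function shows why a keyed derivation, rather than a hash of the raw identifier, is needed, since an unkeyed hash of a known identifier is trivially reversible by dictionary.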
The standard also defines security assurance requirements based on the Common Criteria, and it is therefore also suitable for the certification initiatives being developed under the European Cybersecurity Act. Should a device vendor want to certify a device, its security must be evaluated by an independent third-party security testing lab to ensure that all security features meet the requirements defined in the standard. Certification will provide security assurance and confidence in devices for market surveillance authorities, regulators and consumers.
The standard is the result of excellent cooperation among stakeholders including national security authorities, device vendors, security test labs, consumer organizations and security experts. Wide adoption of the standard will raise the security of mobile devices to a new level, protect consumers from a range of security risks, and enable secure support of digitalization and digital twins.
Alex Leadbeater is a seasoned telecommunications engineer who has worked for BT for over 20 years in various roles. He is currently Head of Global Obligations (Future & Standards) at BT. He is involved in various standardization groups in 3GPP and ETSI and is currently the Chair of the ETSI NFV Security group, the Chair of the ETSI SAI ISG, the Chair of ETSI TC CYBER and the Chair of 3GPP SA3-LI.