IT security: ETSI publishes first standard for secure smartphones

30 years after a German chip card manufacturer supplied the world’s first commercial SIM card to a Finnish telecommunications company, the European Telecommunications Standards Institute (ETSI) published the first standard for secure mobile devices with a global focus. The ETSI TS 103 732 standard contains a protection profile for the consumer segment (Consumer Mobile Device Protection Profile). The aim is to establish security and reliability requirements for smartphones and tablets, to reduce potential attack risks and to improve data protection.

According to the ETSI, the almost fifty-page specification aims to help manufacturers and service providers around the world protect important user data, such as photos, videos, user location, e-mails, SMS, calls, passwords for web services and personal information such as recordings from fitness trackers, from unauthorized access. It covers “a broad spectrum of security features”.

Features such as encryption support, identification and authentication, security management, resistance to physical attacks, secure booting and trustworthy communication channels are included. The use of a special Trusted Platform Module (TPM) is not expressly required.

The subject of the evaluation carried out as part of the standardization is the hardware, the operating system and preinstalled apps with system authorization that are delivered with the consumer device. The ETSI has excluded from the scope of the standard all applications “that are downloaded by a human user” as well as preinstalled apps without system authorization that can be uninstalled. Furthermore, all peripheral devices, including all data on them and all associated services such as memory cards or cloud systems, are left out.

The “Secure Element” security component is also not included. User logon information for mobile communications and electronic identities (eIDs) can be stored in it.

The authors also include secure update options from reliable sources and options for recognizing trustworthy services, for example for sharing screens or for jointly editing documents, among the main security functions. User data should be protected at different security levels. Even with official documents that are classified as confidential, access should only be guaranteed by authorized persons on the “correct device in the correct state”.

Furthermore, it should be ensured that apps can only access user data and provided services “which are essential for their operation” and for which the human user or the operating system has granted authorization. Tracking protection is also part of the specification: app developers and advertisers should be provided with an alias so that they can only collect limited user traces. The user may replace this identifier with another in order to further restrict the creation of a profile.

In addition, ETSI TS 103 732 defines the security requirements on the basis of the Common Criteria protection profile approach and should therefore also be suitable for certification initiatives within the framework of the EU Cybersecurity Act. It also includes a common methodology for assessing the security of mobile devices. The standard builds on the existing ETSI standard EN 303 645 from 2020 for the IT security of devices in the Internet of Things. The institution announced that it would adopt and issue further specifications relating to the cybersecurity of digital consumer devices on this basis in the next 12 to 18 months.
