As we move forward and continue to integrate mobile devices and computer systems into our
lives, we're more and more often using them to control our lives in different ways, to
take actions in the world to cause things to happen.
And as we do that, we want to make sure that it's really us doing it and it's not some
hacker somewhere doing it on our behalf.
There's a bunch of sensitive data that we receive that should be secure.
Our credit card information, our bank information, blood tests, doctor's results.
Mobile devices are a little harder to trust than sort of our classic computer systems.
We always use it for everything in our lives.
We're always downloading apps without even reading what they do or what the terms of
service are.
So who knows what software is actually getting downloaded to the phone.
So you have this dual problem of people being very open with their phones in terms of what
they download and put on, but also just leaving it everywhere, which is obviously a problem
if there's someone bad lurking about.
One example of that is you're doing some banking and you're transferring $200 to your
friends to cover some theater tickets or some concert you went to.
Well what if there's malware on there that can change a couple digits here and there
and now you're transferring $20,000 to the hacker.
That's very hard for a bank to detect.
So how can you be sure you can trust a mobile device?
Well the way a mobile route of trust works is that it forms the basis of an argument
you make to someone.
And then based on that evidence, we can create a chain of arguments that the software is
running in a good state as well.
The core of a mobile route of trust is usually just something that tells you what you booted
when the mobile phone started.
So your mobile phone powers on what did it do next and usually that tells you what is
the operating system that's running and how is the very early configuration of it done.
So a route of trust provides that just that very small little kernel of trust for the
very start of the system.
And then from that kernel, we make arguments from there.
So we start with the mobile route of trust that says this is the right operating system
that booted.
And then the operating system can tell us more about stuff that it's loading and that
that stuff can tell you more about the stuff that it's loading and so on and so forth.
So mobile routes of trust aren't being used right now because for the most part they don't
exist.
And they don't exist because of this interesting chicken and egg problem that we're at.
No one is willing to invest in technology until there are applications that use that
technology.
Of course, no one writes to write an application for a technology that doesn't exist.
Our goal with all this work is to stimulate investment on both sides of this question.
So we've been doing some work both on the how do we create mobile routes of trust and
put them on phones that are on the market now, as well as the how do we develop applications
that use routes of trust that provide some compelling features.
Mobile routes of trust bring benefit in any place where you want to prove that you are
you or that your phone is in a good state.
So that could be medical records and getting into your house, getting into your car, anywhere
where you want to make sure that only you could perform a certain action.
So the future for all this work is a future where any app can prove that it's running
correctly no matter what.
And what that does is alleviate a lot of security concerns.
There's a lot of technology futures that we see in science fiction or television where
that we go.
It's cool, but of course if an attacker did that, then that would be bad.
Mobile routes of trust allows us to start moving towards that future without having to worry
about the attacker getting in the middle.
