Case Studies

How bearable is wearable?!

by Mark Rowe

Apple has excited fans of its products by unveiling its watch, due to go on sale, the US firm says, in early 2015. What of the implications and possible security uses of – to coin a phrase – wearable technology?

Briefly, Apple made three unveilings: the Apple Watch, which the company called its most personal device ever; the latest models of its iPhone, the iPhone 6 and iPhone 6 Plus; and Apple Pay, for mobile payments that’ll work with iPhone 6 and iPhone 6 Plus through NFC, a chip called the Secure Element, and a biometric – the user’s fingerprint, called Touch ID.

To run through some of the promised features of the watch: you can (in Apple’s words) let loved ones know you’re thinking of them with a tap (not the sort water comes out of) on the wrist. Could that become a form of lone worker or guard check call? It has a built-in speaker and microphone – a walkie-talkie for patrollers? It offers – stressing the security – payment by credit or debit card. Your actual card number won’t be transmitted with the payment; instead, the watch will create a ‘device account number’ for each card. That number processes your payment with a one-off security code. You pay by holding your wrist to a reader, in a shop for instance. The watch will require an iPhone 5 or later model. Also promised is an iPhone 6 that will take video besides photos, in 1080p high definition at 60 frames per second. You can access it with what the makers call ‘the perfect password’, your fingerprint, and use that biometric to buy music, books and apps without entering a password. Software developers will be able to integrate what Apple calls ‘Touch ID’ into apps. Likewise the iPhone 6 will let you use the phone to pay, using NFC (near field communication) when you hold the phone near a reader. A vibration and beep tells you that you’ve paid.

Comment

Tim Erlin, director of IT risk and security strategy, Tripwire, said: “Apple has wisely let other vendors, like Google and PayPal, wade into the mobile payments market first, but there can be little doubt that the behemoth’s entrance into the arena will greatly speed adoption of the technology, and the attention it gets from potential attackers. Near Field Communication, or NFC, isn’t as well tested from a security perspective as the more common wireless technologies. If the Apple Watch takes off in the market, it will quickly become an interesting target for attackers. We may see the rise of the modern day pickpocket. After all, attackers follow the money, so if Apple puts your money ‘on’ a watch [as an attack vector], it suddenly becomes a very interesting target.”

And Ken Westin, security analyst at Tripwire on Apple Watch, said: “In the same way the original iPhone became an immediate target for hackers, so too will any new device Apple releases. There will be a race to hack the Apple Watch. The device connects to iPhones and other iDevices, so that connection may be a potential attack vector. Even though Apple’s security team will have vetted the product, whenever a new product is available to security researchers and hackers alike, weaknesses are discovered.

“Given the latest privacy debacle with iCloud, both security and privacy will be at the forefront of consumers’, analysts’ and shareholders’ minds with the release of the Apple Watch. How this device collects and stores data and how access is secured are key questions Apple needs to address to help allay consumer fears. With Apple’s launch of a new mobile payment system, they will need to outline how they plan to secure the transactions and data stored on the device.”

The new NFC and Apple Pay features of the iPhone 6 could spark changes in access control, a market research company suggested. Blake Kozak, senior analyst for Security and Building Technologies at IHS Inc, said: “For more than four years now, one of the most talked about trends has been near field communication (NFC). NFC was supposed to change the face of the access control industry by eliminating the need for cards, subsequently reducing the administrative burden on organisations of all sizes, all while increasing security. However, this has not yet come to pass, with suppliers offering little more than pilot projects, with limited real-world installations.

“NFC isn’t a new concept. In 2006, Nokia released the first NFC phone, followed by Samsung in 2010 which released the first Android NFC phone. In 2011, Samsung announced its Secu-NFC technology. According to Samsung, the Secu-NFC chip combines a NFC controller and a secure element storing personal information and security keys with advanced encryption technologies. In 2013, Samsung and Visa announced a major partnership for mobile payments. The list of NFC enabled phones today is extensive. Examples include Alcatel, Asus, BlackBerry, Nexus, HTC, Kyocera and LG among many others.

“Historically, most NFC installations were instigated by partnerships between handset manufacturers and financial institutions, producing closed systems with limited opportunity for developers to expand the concept to uses beyond mobile payment. IHS believes this has been one of the main barriers for implementing NFC in the access control industry.

“On September 9, Apple announced NFC would be a feature of the new iPhone 6. While Apple Pay is primarily a mechanism for secure mobile payments, there appears to be plenty of opportunity for other applications, since iOS 8 will also have an Apple Pay application programming interface (API) available for developers. Already, many retailers and restaurants have implemented Apple Pay into their own applications, allowing patrons to skip lines and pay-order directly from a mobile device. According to Apple, the mobile payment transaction occurs by assigning a unique device account number, which is encrypted and securely stored in the secure element, a dedicated chip in the iPhone. When a purchase is made, the device account number alongside a transaction-specific dynamic security code is used to process the payment. So the actual credit or debit card numbers are never shared with merchants or transmitted with payment.

“The true benefit of this announcement for the access control industry is the potential use of the open API for developers. Although Samsung Galaxy has an embedded SE and countless other devices offer subscriber identification module (SIM)-based SE, there has been limited traction for access control.

“So what exactly is the secure element?

“There are many forms of secure element, including the universal integrated circuit card (UICC) – NFC SIM, embedded SE, external (sticker or sleeve) and microSD. The most used formats are UICC and embedded, with the new iPhone 6 featuring an embedded SE. According to the 2014 IHS report on NFC, globally 18.2 percent of cellular handsets shipped in 2013 were NFC-enabled (up from about 8 per cent in 2012). IHS forecasts the number of phones that are NFC-enabled to reach about 1.17 billion by 2018. The report also estimates that about 70pc of NFC secure element implementations into cellular handsets were embedded and 27pc were on the SIM card in 2013.

“What does this mean for the access control industry? The announcement by Apple addresses one of the barriers the access control industry has faced with regard to NFC: loading an identifier onto the secure element. With the API mentioned by Apple, it is possible that access control manufacturers – among others in the supply chain – could load and command an identifier directly onto the secure element. Currently, most providers of NFC-based access control are using encryption methods which are located in the ‘sand box’ (host operating system) of the handset only, not the SE. By using host card emulation (HCE), providers are able to offer NFC outside of the SE. Although this isn’t deemed a ‘best practice’, the only other means to provide mobile access control through NFC would be to partner with all the cellular carriers and providers, which can be an incredibly arduous process. By partnering, the access supplier is allowed access to the SE, which is typically either embedded or in the SIM card. One example of such a partnership is HID and Oberthur Technologies. In 2013, HID announced a partnership with Oberthur Technologies to carry Seos Digital Keys on NFC SIM Cards. As mentioned above, the Apple announcement could make it easier for access control suppliers to provide mobile credentials with the true security provided by the secure element.

“Beyond the buzz, the market opportunity for access control remains unclear and only time will tell if Apple providing mobile payment will jump-start NFC usage for access control. Some access control manufacturers speculate that the use of the secure element may not always be necessary and that the encryption provided for access control data on the handset is sufficient for most end-users.

“So how quickly could this announcement impact access control? Today, data suggests that less than 3 percent of retailers, or 220,000 out of about nine million, will be using the mobile payments at the start. One of the main reasons for low adoption is the lack of infrastructure in stores. However, every credit card in the US will be required to have EMV chip-and-pin by October 2015. As a result, merchants could decide to move forward with NFC capabilities since they will need to upgrade their system anyway.

“Interestingly enough, Apple is only launching in the US, which has the lowest penetration rate of mobile payments compared with all other regions. There is tremendous upside though. Access control end-users already have the infrastructure in place to support NFC, eg the smart card reader (13.56 MHz). While some pieces of the system may need to be upgraded, such as incompatible hardware and software, the system is mostly ready. So unlike the retail space, which has to replace millions of terminals and retrain employees, access control is already primed for the transition.

“Overall, Apple could instigate change for the access control industry; however, adoption will remain low due to the other barriers which have not been addressed, such as mobile phone issuance to colleagues and identifying which department in an organisation will manage the mobile credentials, since in most cases, the phone would be managed by IT and the security credential would be managed by the security department. New policies and procedures will have to be created and many end-users will still be issued badges for identification purposes. Lastly, Bluetooth is becoming a viable alternative to NFC. Security suppliers have been working for the past several years to work with NFC and implement it beyond pilot projects to little avail. As a result, many are turning to Bluetooth, which is deemed by many to be a more robust option for security purposes such as access control since the read range can be modified, among other reasons. Additionally, Bluetooth has a longer history than NFC with smartphones, with Bluetooth being introduced in 2000, NFC in 2006. So while the Apple announcement gets the ball rolling for NFC in the physical security space by providing more outlets for app developers to create a unique user experience, other barriers still need to be overcome prior to reaching critical mass.”
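The device account number and one-off security code described above can be modelled in a few lines; this is an added sketch, not code from the article or from Apple. The HMAC construction, the transaction counter and every class and function name here are assumptions for illustration, since the article does not say how the code is derived.

```python
import hashlib
import hmac
import secrets

def dynamic_code(key, dan, counter, amount_pence):
    # Assumed derivation: a keyed MAC over the token, a counter and the amount.
    msg = f"{dan}|{counter}|{amount_pence}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenVault:
    """Issuer side: the only place a device account number maps to a card."""
    def __init__(self):
        self._entries = {}

    def provision(self, card_number):
        # Constructed token format: 16 digits with a leading 9.
        dan = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._entries[dan] = {"pan": card_number, "key": key, "last": 0}
        return dan, key  # handed to the handset's secure element

    def authorise(self, msg):
        entry = self._entries.get(msg["dan"])
        if entry is None or msg["counter"] <= entry["last"]:
            return None  # unknown token, or a replayed transaction
        expected = dynamic_code(entry["key"], msg["dan"],
                                msg["counter"], msg["amount_pence"])
        if not hmac.compare_digest(expected, msg["code"]):
            return None  # amount or token was altered in transit
        entry["last"] = msg["counter"]
        return entry["pan"]  # resolved issuer-side only

class SecureElement:
    """Handset side: holds the token and key, never the card number."""
    def __init__(self, dan, key):
        self._dan, self._key, self._counter = dan, key, 0

    def pay(self, amount_pence):
        self._counter += 1
        code = dynamic_code(self._key, self._dan, self._counter, amount_pence)
        return {"dan": self._dan, "counter": self._counter,
                "amount_pence": amount_pence, "code": code}

def demo(card_number="4111111111111111"):  # constructed test card number
    vault = TokenVault()
    se = SecureElement(*vault.provision(card_number))
    msg = se.pay(1250)  # what the merchant's reader receives
    tampered = dict(msg, amount_pence=99999)
    leaked = card_number in "|".join(str(v) for v in msg.values())
    return (leaked, vault.authorise(tampered),
            vault.authorise(msg), vault.authorise(msg))
```

`demo()` returns whether the card number appeared in the merchant message, then the issuer's answer to a tampered message, the genuine message, and a replay of the genuine message.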


© 2024 Professional Security Magazine. All rights reserved.
