“The certification has been awarded to the platform’s Secure Processing Unit, which validates a minimum security standard for the chipset.”
Qualcomm has announced that it has received certification for the Secure Processing Unit (SPU), which was first introduced with the Snapdragon 845 and is now an integral part of the Snapdragon 855 processing platform. The certification has been awarded under Common Criteria (CC) for Information Technology Security Evaluation, which rates a product’s security credentials under Evaluation Assurance Levels (EALs) from 1 through 7, and the Qualcomm SPU has been certified at 4+.
The newly received certification actually has greater implications than usual, since it actually states that Qualcomm’s own SPU is now certified to meet a minimum level of security assurance, and is thereby better tuned to store sensitive information. As stated by Qualcomm, the certification clears the Snapdragon 855 as the first mobile chipset “to attain smart card levels of security assurance”. For reference, while the EAL certification goes up to a scale of 7, level 4 is what is mostly attained by embedded security chipsets and smart cards that store sensitive data. It is also described by the CC as the benchmark certification level “at which it is likely to be economically feasible to retrofit to an existing product line.”
On this note, the new EAL4+ certification will apply to all smartphones that use the latest Snapdragon 855 SoC inside, which will allow OEMs to introduce new features that may require a higher grade of security certification, without needing to install an upgraded or dedicated security chipset. The latter is, in fact, one of the areas that OEMs are scheduled to benefit from in the long run — players like Google and Samsung typically install a dedicated security chipset alongside their SoCs in order to introduce higher grade features such as one-tap transactions, etc. HTC, too, uses a dedicated chip in its blockchain smartphone.
However, with the Qualcomm SPU receiving EAL4+ certification, these OEMs in future can make use of Qualcomm’s own platform to introduce features such as trusted platform module (TPM) functions, electronic identity verification and local storage, single ID-locked transit passes, cryptocurrency wallets, and so on. This, in turn, means that OEMs can actually save significantly on the Bill of Materials (BoM) cost of devices while incorporating features such as Dapps (decentralised apps) or a local crypto wallet into phones since they would no longer need to use a dedicated security chipset for these features. Such services may also be enabled by flagship smartphones that use the latest Snapdragon chipset inside.
Furthermore, the SPU has been developed by Qualcomm alongside the Snapdragon 855 platform, which is based on TSMC’s 7nm fabrication architecture. This would also have power consumption benefits over other security chipsets while strengthening the overall safety scale of biometric authentication such as fingerprints or iris. This is a potentially big move for Qualcomm, which may have a greater impact on the safety scale of Android devices and how safely can they store sensitive data such as government ID cards.
It will be interesting to see if and how OEMs take advantage of the Qualcomm Snapdragon 855’s EAL4+-certified SPU. With increasing interest in blockchain technology, it remains to be seen if mainstream smartphones can introduce the safer ecosystem of Dapps while retaining the public app ecosystem as well.