Original URL: https://www.theregister.com/2012/08/04/apple_buys_authentec/

AuthenTec sells out to Apple to the sound of 1,000 lawsuits

Directors hounded for not hawking the business to Samsung

By Faultline

Posted in Security, 4th August 2012 11:03 GMT

The $356m purchase of AuthenTec by Apple has not been universally welcomed. Not only are analysts and potential rivals trying to piece together the logic of the deal, but investors and, more importantly, class action lawyers are trying to work out whether the 60 per cent trading premium at which the deal is set was sufficiently high.

There is a thought out there that since AuthenTec had just concluded a deal with Samsung, its directors had the fiduciary duty when approached by Apple to at least ask Samsung if it wanted to counter-bid. We cannot go along with that thinking. When a board is approached with an outstanding offer compared with its current share value, it has every right to take the money and commit the company to a merger. However, what these complaints might make possible is an extension of the time period over which the deal will move to completion, and that MAY give AuthenTec time to at least talk to Samsung.

Of course the whole point of agreeing cancellation fees (there are two-way cancellation fees in here, valued at $20m from Apple and $10.95m the other way) is so that the target company cannot go and talk to someone else and ramp the price, and so that the buyer cannot walk away, having shown an acceptable bid valuation to the world.

Since AuthenTec is a company that only has $18m in the bank, it had better have a very good reason to change its mind and fail to sell to Apple, and lose that cash. And anyway it has a customary "no-shop" restriction placed on its ability to solicit alternative proposals from third parties or to enter any kind of discussion. This has to be subject to some exceptions: when another company approaches it, for example, it must have something to say.

But we expect that whatever comes of these legal moves, the deal is more or less done and Apple will get the spoils, even if anyone gets shareholders a little more cash. So why does it want AuthenTec? Most analysts in this area cannot see the wood for the trees. The first thing they do is look up what this company does. The bulk of its revenues comes from fingerprint recognition systems and it has genuine IPR here. It is a decent market leader in this nascent field, and most people assume that Apple will use this technology to secure iOS devices with a fingerprint for one of two things: enterprise apps or mobile payments.

The myth of fingerprints

We tend to think this is pie in the sky. You cannot dominate the global banking community and introduce authentication technology which they have yet to approve of, no matter how groundbreaking. Apple already has patents on accessing devices using unique gestures and these have already all been copied by rivals.

On the enterprise front there may be applications where this could be used, but to put this in perspective, right now AuthenTec has quarterly revenues of only just over $10m in fingerprint recognition. These revenues are going down, or are at best flat, and the company has recently reduced its R&D in this area marginally. So what else could Apple be after?

Well, there are two other security businesses that AuthenTec is present in: software protection for DRM systems, so that you can have an (arguably) secure downloadable DRM, and a silicon-based embedded execution area for encryption – a set of cores that can be used to securely process decryption on-chip, which any security software layer could benefit from. Samsung has recently taken this to underpin a VPN, but it might just as easily be used to underpin a DRM system for video delivery.

HD video on tablet

Now one of the debates that has been raging around the most recently launched iPad is the ability of its screen to handle HD video content. Hollywood has vacillated between banning premium HD video from portable devices and allowing it. The best solution has seemed to be to downgrade the resolution on this video for tablets. Many content owners allow video which is premium paid video, such as pay TV, to be delivered over IP in parallel with its TV delivery, to tablets, but at a lower resolution, while some ban it altogether.

But blocking HD content to a tablet is a lottery – your rival may get many more viewers by NOT banning it, because tablets of all types are taking off. The problem has been the software-only nature of the security. Only two solutions have emerged which really offer any comfort at all, one from Arxan, which AuthenTec uses, and one from Irdeto called Active Cloak for Media. Both use a form of white box encryption, as well as object code obfuscation and multiple frequent authentications between system components.

These two systems are dominant but slightly different, and regardless of what both companies say about how secure they are, they are not secure enough to entrust premium paid HD content to, where it has not yet been widely pirated. One security analyst told us that if smart cards were a 9 out of 10 in security terms, these software-only systems were a two and a half.

The most secure approach is putting a secure set of decryption processing cores – complete with a hardware-enforced firewall and separate processing elements for decrypting keys – on the processing chip. The problem here is that although AuthenTec offers its DRM Fusion product as a secure software-only, downloadable DRM, the underlying security technology belongs to Arxan, and so it has no real IPR to offer Apple, which is what leads us to believe that this is not the reason for Apple's interest.

AuthenTec has made a number of strides here and signed some new customers recently, but while many of the App Store video apps are based on either the Arxan or AuthenTec implementations, Apple should have been buying Arxan if it wanted to control this process. This brings us to AuthenTec's third security business, based on its SafeXcel IP chip cores. AuthenTec acquired this technology from SafeNet two years ago along with its DRM Fusion product and since it did so it has been investing more R&D in this than any other part of its product portfolio, doubling it each year so far.

Luring in the devs

This included some 23 patents as well as hardware products, and when it bought them, these were seen as simply decryption accelerators for many forms of security processing. AuthenTec has spent time extending the crypto hardware into a full trusted island inside silicon called SafeZone, a secure execution environment for handsets and tablets. This can be dropped into the Apple A6 and successor chips designed by Apple which drive its core iOS product lines, making them secure overnight.

If Apple then offered these hooks to its development community, HD video could be as safe as on a TV, or safer. Apple could offer this to any number of processes: DRM for video delivery, VPN for enterprise security, and potentially it could go beyond this to replacing the heart of security in financial transactions and in identity management (so SIMs). Other areas it has been focused on are a secure OS boot to avoid OS roll-back attacks, a secure real-time clock for date and time enforcement, a random number generator and a safe asset store. The cores can process AES, triple DES and ARC4 decryption with acceleration logic, all in a low-power, small silicon footprint.

It can be included in any Application Processor SoC and used like most hardware security systems, such as a conditional access smart card, to underpin both a DRM and a VPN. These cores talk only through an email gateway to each other and to other application processor cores. It has already been sold into a number of LG Android devices and is used in Motorola Droids and in NEC devices in Japan.

AuthenTec bought 23 patents from SafeNet to apply to security core designs. The core was implemented on SoCs built in 90 and 65 nanometer geometry and when we last looked was being worked on for both 45 nm and 40 nm chips, although the design of course is independent of any silicon process.

We made quite a fuss in Faultline when a similar, perhaps even more sophisticated, design was put into the major set top chips at Broadcom and ST Micro last year, but this was one designed by Cryptography Research which it called its CryptoFirewall. That company told us at the time that discussions were continuing with other set top chip makers and reluctantly confirmed that it was in advanced discussions with providers of applications processors for tablets and smartphones.

We thought at the time it meant Qualcomm, Nvidia and Marvell, who are thinking about licensing the core, and always felt Apple was unlikely to do so. We argued that as tablets come to handle HD video content, Hollywood is going to insist on content protection having a hardware base, and not simply use the code obfuscation and authentication seen in software-hardened, downloadable DRMs. Another fact which drives the adoption by Apple of some form of security, capable of securing HD video from professional pirates, is the fact that the new shipping release of the latest Apple Mac OS, code named Mountain Lion, finally offers AirPlay Mirroring for both HD video and games, working in conjunction with the Apple TV product.

Keeping an eye on ARM

If you can openly mirror HD streams from the iPad to the TV, the Mac to the TV and an iPhone to a TV, and these are 1080p streams, then you'd better be sure the latest movies on any of these devices cannot be pirated, otherwise Hollywood will get mighty upset and take video capability away from you. It could be that there is a happy coincidence here of Apple getting a bunch of technologies that it wants for a number of projects, all at once?

But would it pay substantially more than it paid for PA Semi-conductor, which designs its A6 chips ($278m), to provide it merely with an access technology (fingerprint sensor)? We don't think so and think that the real play here is to differentiate and retain control of hardware security on its devices, in direct response to ARM working a deal with Gemalto and Giesecke & Devrient to bring a genuine security system onto the cores which all ARM licensees can adopt. That deal was announced in April and it will take about a year before a security core will emerge from it, and by buying AuthenTec, Apple leapfrogs this move.

[Image: Apple's new Mac OS can now stream HD content using AirPlay Mirroring]

It is the embedded devices division at AuthenTec, which includes both the SafeZone project and the software-only DRM, and it is this division which has had all the revenue increases lately, and what has brought the company to the attention of Apple.

One thing announced in the deal which supports this is that Apple says that it has also entered an Intellectual Property and Technology Agreement which provides Apple with the right to acquire non-exclusive licenses "with respect to hardware technology, software technology and patents" of the company. That would not apply if the company is successfully sold, since Apple could sign any deal it likes with a company it owns 100 per cent. So this is more about protecting the rights to a key Apple launch, with a licence agreement in case anything goes wrong with the acquisition. It pays $20m for the privilege, and has 270 days, at its sole discretion, to buy that licence, for which it will pay $115m.

The mention of hardware we think refers to the SafeZone core, but may equally refer to fingerprinting hardware. It can't, however, refer to the software-only DRM download. Apple is also paying $7.5m for some product development, so it looks like Apple is in a hurry to build something, probably to come out in one of its next launches. As we say, it could conceivably refer to an implementation of the fingerprinting technology, perhaps on a touchscreen, but our bet is that the SafeZone core will appear inside an Apple device quite soon. New intellectual property resulting from this work will be owned, it says, by Apple.

Meanwhile, on the back of this we saw at least four separate legal moves begun within days of the deal being announced, to prevent it and insist that the board of directors hawk the property around to more potential buyers. Samsung is clearly the other company that investors want to see bidding on this property because last month it too took a license to AuthenTec's VPN QuickSec Mobile VPN Client for Android, deemed to be for enterprise phone use.

The class action legal eagles think that this contract would mean that Samsung would counterbid if there was permission for AuthenTec to reach out to it. We don't think it would and anyway we think the Apple deal is watertight, complete with the "no shop" restriction. Suits or investigations have been filed by Rigrodsky & Long of New York; Ryan & Maniskas of Pennsylvania; Faruqi & Faruqi of New York and Levi & Korsinsky of New York and Washington, to name but a few.

Copyright © 2012, Faultline

Faultline is published by Rethink Research, a London-based publishing and consulting firm. This weekly newsletter is an assessment of the impact of the week's events in the world of digital media. Faultline is where media meets technology.