Prepare for Mobile Security Threats
Mobile security threats are a relatively minor annoyance to a handful of users in Europe and Asia. However, conditions are rapidly ripening for these threats to start overwhelming both companies and individual users in North America.
That's the word from Kris Lamb, director of the Xforce team at Internet Security Systems Inc. His organization, which was acquired by IBM last fall, researches new security threats, including mobile ones. He said that part of his job is to monitor activity in what he calls the technology criminal underground.
Experts have long discussed the potential threats to mobile devices. After all, these widely used devices can store and access critical data. They also represent the new edge of the network, an edge that regularly walks out the door and can be stolen or lost in places such as cabs and seats in airport gate areas.
Lamb said that, until now, a number of factors have made it difficult for malicious code writers to get a toehold against mobile devices. However, those factors are changing rapidly, and life is becoming easier for those who would wreak havoc, Lamb said.
"A lot of the barriers to hackers have been shaking out in the last 12 months," Lamb said in an interview. "The crystal ball is getting clearer."
Lamb cited five factors in particular that are changing and what IT managers and individual users can do to mitigate increasing mobile security risks.
The current situation
The trend toward making mission-critical data available to mobile users is just starting and will grow rapidly, Lamb said. Some of the factors contributing to that growth will also benefit hackers, he added.
For instance, mobile devices now have multiple ways of connecting to IP networks, such as third-generation (3G) technologies and Wi-Fi. And virtually all mobile devices now support Bluetooth, which is one of the primary ways that hackers get into mobile devices, he said. Illicit access initiated via Bluetooth include the so-called Bluejacking and Bluesnarfing gambits, in which hackers use Bluetooth to send malicious text or multimedia messages or invite innocent users to partake in unsafe services.
So far, though, these and other threats have been annoying but not serious, involving things such as propagation of the threat using addresses in the device's address book, Lamb said. Or they can result in users inadvertently signing up for bogus programs that are billed to their cellular accounts.
However, even at this early stage, cellular carriers in Europe, where these threats are most common, are working feverishly to improve security, Lamb said.
"It's already a huge carrier problem," he said. "They're starting to get a lot of calls from customers for things like address book spamming. You get a lot of MMS [multimedia messaging service] messages flying around [launched by attacks on phone address books], and it's using a lot of their network capacity. It's annoying for users, and it's hard for carriers."
But these problems are only a prelude to what's to come, Lamb said. The bottom line is that the threats to mobile devices will soon be as dangerous and as common as threats to desktop computers and servers. He outlined the five reasons why this will soon be the case, particularly in North America, which has largely been spared from these threats, so far.
1. New apps and mobile advertising
Multimedia messaging is popular in Europe but hasn't yet caught on in the U.S. When it does -- and it will -- it will provide hackers with far more opportunities.
"MMS provides a fuller suite of what you can deliver," Lamb said. "You can deliver data, audio, video instead of just a flat file payload."
Similarly, while there is virtually no mobile advertising delivered to mobile devices, cellular carriers and advertisers are clamoring to move in that direction. That will open a huge door for hackers, according to Lamb.
"It will be hard to differentiate between [legitimate] mobile ads and what could be phishing or spam attacks," he said. "One reason that e-mail spam is still ubiquitous is that people fall for it because it's hard to differentiate between legitimate and illegitimate messages. If you overlay that on the mobile device and have MMS messaging, well, it would be wrong to think that the criminal underground won't latch on to that."
2. Operating system are coalescing
Most malware and other threats to mobile users have been written for devices based on the Symbian operating system. That's because, for now, it is the dominant mobile platform worldwide, according to numerous market-share studies. However, Symbian has yet to become popular in North America, where Palm Inc. once dominated and Windows Mobile and Research In Motion Ltd.'s BlackBerry are widely used.
In other words, the number of smart mobile devices worldwide is still small, and no one system dominates. That has helped slow mobile security threats, Lamb said.
"If you're a criminal organization and want to leverage mobile devices to do mobile spam, extortion or whatever, you'd have to decide what platform you wanted to focus on," he noted.
However, Lamb pointed out that Microsoft is making rapid progress with Windows Mobile on a worldwide basis and said that most experts expect it to become dominant in the next several years. That means hackers can start turning their attention to that one platform.
"Before, you had to be an expert on all those platforms to write things like viruses and Trojans, but that's not going to be the case anymore," Lamb said. "Things are consolidating. Hackers want the most bang for their buck, and consolidation requires much less expertise for those writing malicious code."
3. Hardware platforms are coalescing
Similarly, until recently, there were a wide variety of hardware used in mobile devices, Lamb noted. That's no longer the case. Now, virtually all mobile devices employ Intel Corp.'s X-Scale chip set architecture and use ARM instruction sets.
As with multiple programs, that coalescing of hardware systems makes hackers' jobs much easier since they no longer have to write different code for each platform. Plus, it's easier to delve into the intricacies of one dominant system, Lamb noted.
"What we're seeing is that a lot of the criminal underground is dissecting how ARM works so they can write code for it to give them control over these endpoint computers," Lamb said.
4. The rise of unified communications
One major theme at the recent Interop networking trade show was unified communications -- the ability to communicate in many different ways using many different applications and devices over disparate networks. Increasingly, individuals and companies will use mobile devices over both cellular data networks and over IP networks for disparate applications such as voice over IP, instant messaging, collaboration tools and accessing key data.
"We're seeing the convergence of communications platforms," Lamb said. "We'll have one seamless set of technologies, and you won't be able to demarcate mobile computing from desktop computing."
In other words, Lamb said, all devices will have multiple access points for hackers.
"That will make mobile devices as important to [malware writers] as desktops are now," Lamb predicted.
5. Better battery life
While many mobile device users still complain about the battery life of their devices, that's one area that has been significantly improving. And that's another reason life is becoming easier for those who want to hack devices.
"Battery life has always been bad for the criminal underground because they couldn't predictably control a device for a long time," Lamb said. "But there have been a lot of advances. Now, it's not unheard of for, say, a BlackBerry to go a week between charges."
This combination of better battery life, fewer hardware and software systems, and more multimedia messaging and other applications, means life is rapidly becoming easier for mobile hackers, Lamb said. Are you ready to deal with this problem?
What to do about it
As with threats against laptops, desktops and servers, all is not lost, Lamb said. The first thing enterprises should do is to create and disseminate a secure-use policy for users of mobile devices that access sensitive data.
"The policy would say what the uses of the device are, who has access, what access to the network they have and what information is allowed on the devices," Lamb said. "It would also define a broad policy and make it known that the policy will be enforced." One important benefit of such a policy is that it will increase end-user awareness of potential threats.
The next step is for IT managers to talk to security experts and vendors to see what mobile security products and services are available, according to Lamb. That includes talking with wireless carriers.
"You need to actively engage with carriers about what they're doing with security, what their security environment is," Lamb said.
He also suggested looking at IP-based mobile networks, such as those using mobile WiMax, when they become available, as opposed to 3G cellular data networks, which are old-style packet-switched networks.
"IP networks allow a lot of technology to be introduced that deals with threats," Lamb said. "They give IT people visibility into the data that that is going to these devices and allows them to be sure that data coming into the devices isn't a threat."
In short, the time has arrived in which IT managers must pay as much attention to mobile security as they do to other security threats, Lamb concluded.
David Haskin is a contributing editor specializing in mobile and wireless issues.