Mobile Security Fails the History Lesson

Mobile users from all walks of life, from the average citizen to business bigwigs to movie stars and politicians, are getting their phones and voicemail hacked these days. Most of the perpetrators aren't even skilled hackers; they're regular Joes, spurned suitors, or even -- hold your nose -- reporters.

End-users certainly deserve part of the blame here, but phone vendors and mobile carriers alike could be doing more. It's not as if attacks targeting phones are especially new. It's a strange paradox: We know what we need to do to stop hacking. We have two decades of experience in putting down malware and hackers in the PC-based, network world. But we seem to be ignoring all those lessons as we move our CPUs and storage to new form factors. Am I the only one who thinks we're destined to live out every PC-based malware symptom in our smartphone world?

First off, every phone today offers users the ability to require a password, a PIN, or a finger swipe to gain access. Most users forgo these features unless forced. But it's not as though those security mechanisms provide much protection anyway -- they don't require any complexity. PINs tend to be four numbers long. Swipes can be as uninteresting as possible: Most people I know who use the swipe method just go in a straight line from top to bottom, as if no uber-hacker will try that swipe combination.

I understand the need for providing easy access. Asking someone to type in a nine-digit PIN to pick up a random phone call is a bit much. Many, if not most, end-users will do anything to get rid of every "annoying" security feature. I get that.

But cellphone makers, networks, and carriers can do more to deter malicious hacking. For starters, how about enabling phones to track failed logon attempts, leading to a temporary lockout -- or at least slower responses to each additional bad logon attempt? I can't wait for accurate facial recognition or fingerprint swipes to become a standard option.

Phone makers need to step up. I personally believe that cellphone code has more exploit vectors per line than today's normal computer code and fewer built-in default protections. It seems as if every popular cell model has a sneaky way around the PIN logon page. Usually it involves hitting the emergency dial button, choosing Contacts, and punching a few other keys. When was the last time your PC allowed you to bypass the password logon screen? There are plenty of other holes. In general, cellphone code isn't as secure as other code.

I haven't discussed the gorilla in the room: the ease of creating malware for mobile platforms. It's exceedingly simple. Most phones allow an installed program to access the user's contact list and to initiate messages. It's been a problem for over a decade. The first major cellphone SMS attack, the DoCoMo worm that impacted Japan in a big way, struck 10 years ago. The world has had plenty of warning, and strangely, most cellphone vendors still don't stop these types of attacks. Cellphone platform vendors should threat model their environments, perform secure code reviews, and implement defenses.

But carriers can do more, such as by requiring voicemail passwords to be stronger than four characters. How much of the recent tabloid hacking could have been stopped by slightly longer passwords and account lockouts? I'm thinking most of it.

I don't want to say that all vendors are getting it wrong, but in general, most vendors have at least a few weak areas that could stand improvement. It would be nice if we could expend the effort to try to minimize how many duplicate lessons we all have to live through.

This story, "Mobile security fails the history lesson," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Subscribe to the Security Watch Newsletter

Comments