Ask the Expert

Has proof-of-concept mobile device malware led to real attacks?

Has proof-of-concept malware for mobile devices translated into any meaningful attacks? Should we expect real attacks at any time?

    Requires Free Membership to View

    Login

If we assume that "mobile devices" equate to popular gadgets like the iPhone, then indeed we should expect real attacks. The hard part is knowing when an attack on mobile devices will take place. In September 2007, we saw the first shellcode that could turn the iPhone into a portable hacking platform.

With increasingly powerful mobile devices selling in large numbers and software development kits readily available, the mobile device scene has all the hallmarks of a classic malware environment. Kids who hack smartphones for fun and fame will be joined by those who abuse these devices for profit. Perhaps the biggest difference from historic malware scenarios today is the existence of a readily accessible market of stolen data and compromised hosts -- and yes, mobile devices are hosts.

We can expect mobile device attacks that target the following:

1. Confidential data stored on the device.
2. Confidential data transmitted to and from the device.
3. Services enabled by the device.

As an enterprise security rule, we can assume that the smarter the device, the more complex, valuable and voluminous the data stored on it is; likewise the data sent to and from the handheld. Another rule of thumb tells us that newer devices prove to be less secure than more mature devices. Put the two rules together, and you have ample reason to think that mobile attacks will be heavily focused on the stored data sent to and from the device.

The wild card may be point three, the services enabled by smartphones. Historically, phone companies have had the most complete and sophisticated network traffic-monitoring and control systems. They may be able to prevent the abuse of connectivity better than the loose-knit patchwork of ISPs who formed the basis of the Internet. If mature technology is not used, you can expect to see some serious and widespread attempts to turn high-speed, always-on mobile devices into botnets.

At the moment, the biggest threats posed by "smart" devices are probably the simplest and oldest: the handhelds get easily lost and stolen, along with the data they contain; people talk too loudly on them, with too little awareness of who might be listening or "shoulder surfing"; people check email with the devices insecurely, exposing passwords and content. There will definitely be sophisticated threats in the future, and the future may be sooner than we expect.

More information:

  • Security experts have been warning of growing mobile phone malware attacks for more than three years. See if you should believe the hype.
  • Mike Chapple explains how today's popular non-corporate smartphones and other gadgets can still fit into an organization's network security plan.

    • This was first published in June 2008

    Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.
      Back to top