Look at the last three years and it's easy to see why IT administrators have trouble believing all the vendor hype they hear about growing mobile threats.
This time last year, McAfee Inc. was raising eyebrows for claiming that 83% of more than 200 mobile operators surveyed had experienced mobile phone infections. Later in the year, security experts were warning that the iPhone's release would spark more mobile attacks.
Last month, security vendor Sophos released a report warning of growing threats to mobile phone users. The wider use of new mobile technologies and Wi-Fi enabled devices like the iPhone may be opening up new attack vectors, the report says, adding that as personal Wi-Fi devices grow in popularity something ugly is bound to happen sooner or later.
The trouble for some IT pros is that security experts have been warning of growing mobile phone attacks for more than three years and the big event has yet to materialize.
Does this mean the mobile phone threat has been overblown all this time, over-hyped by security vendors generating FUD to sell new products? Not exactly.
True, enterprises continue to experience little by way of mobile phone attacks. But that's only because companies are still limiting the functionality of such devices among employees. Just about everyone uses cell phones with Internet capabilities these days. But in the working world, use of the devices are still limited to making phone calls and checking email.
"I don't know if we really want people using smart phones for anything overly sophisticated," said Jason Smith, applications administrator for Salt Lake City-based Parsons, Behle & Latimer, a law firm with 250 employees. Smith's concerns about mobile security revolve mostly around the use of laptops, which lawyers routinely use to trade sensitive documents. BlackBerry devices are used by a lot of employees, but IT shops have a lot more control over the BlackBerry and can administer necessary security controls from the server side. "With BlackBerry we can lock the device and have control. But I don't want people using iPhones or other smart phones to trade sensitive documents because that kind of control isn't there."
Though most enterprises have yet to feel the sting of a mobile phone-based attack, Sophos Senior Technology Consultant Graham Cluley and F-Secure Corp. Antivirus Research Director Mikko Hypponen warn against complacency. It's only a matter of time before file sharing on smart phones becomes routine in the corporate world, and when that happens the trouble will really begin, they say.
Phone-based computing still limited in the enterprise
Today, the last thing Smith worries about is an attack against employees using smart phones and other hand-held computing devices. He realizes there's the potential for someone to target the BlackBerries with malware, but that knowledge is offset by the fact that the BlackBerry is easy to secure. "We can do almost anything from a BlackBerry server in terms of security management," he said.
Instead, his mobile concerns are centered on the growing laptop use in his company. About 20 laptops are currently in the field and employees use them regularly to exchange .pdf and Word documents. The risk there is that confidential legal documents and emails could end up in the wrong hands if an attacker were able to infect the machine with a Trojan horse or other malware.
He also worries about laptops with sensitive data getting lost or stolen. Five years ago, he notes, several company laptops went missing. At least one was left on an airplane and one was stolen from an employee's home. There's no evidence sensitive data on those machines were ever used for fraudulent purposes, but today the firm is taking no chances. Remote users must log in via a Citrix gateway using multi-factor authentication. For authentication the firm uses software from BioPassword.
That doesn't secure the mobile phones employees use, but it doesn't matter. Smith sees a significant increase in laptop use in the next two years, but not in smart phone use for anything beyond the current functionality. If lawyers want to trade sensitive documents with colleagues, clients and partners, he said, they're not going to be doing it on smart phones anytime in the foreseeable future.
"Those devices are mainly email-oriented at this point," he said. "If that's how a company wants to use hand-held devices, my suggestion is to go with BlackBerry because it's the easiest to support at this point."
Why IT should care
Cluley acknowledges it's difficult to get IT professionals like Smith to lose sleep over smart phone threats. As he puts it, the mobile malware problem is currently a "raindrop in a thunderstorm" compared to the threats that Windows PCs are exposed to every day. On the PC side, he said financially-motivated gangs have adopted a conveyor-belt philosophy to churning out new malware, slightly altered each time to keep security tools off balance. Sophos has yet to see such a shift in the mobile malware arena.
But that's going to change, he insists.
"As it becomes more common for people to use a Wi-Fi enabled device which carries personal information, the greater the temptation for hackers to take advantage with malware in the future," Cluley said.
The iPhone is a perfect example of what's ahead, he said, noting that flaws have been found in the mobile email program and Safari browser installed on such devices. At the moment uptake remains limited and cyber criminals seeking larger returns are unlikely to attack these systems on a large scale in the near future. But proof-of-concept exploits against the iPhone Web browser have already gone public, he said, and as more third-party applications are written for these devices, further abuse is only a matter of time.
Hypponen in particular is convinced that the iPhone's popularity and use of Google Android will lead to more complex attacks that will ultimately affect enterprise users.
"I do believe that the iPhone and Google Android will be the interesting platforms to watch in the near future regarding mobile malware," he said. "Android is interesting. Will an open standard for mobile phones make mobile malware more or less of a problem? The key issue here is whether Android will go for totally open systems or whether they will adopt a system for signing approved applications such as Symbian."
If unsigned and unknown applications written by anyone have full access to phone features, he is convinced trouble is ahead.
"On the iPhone I smell trouble already," he said. "A locked environment has created so lively a hacking culture on this side that it's more and more likely that somebody will write something really nasty for it."