After years of pretending to be hip and useful, the latest generation of cellular phones really are cool. The big color screens, games, ring tones, integrated digital cameras, connectivity – they will continue to gain user mind share at the expense of desktops. While I have traditionally dismissed mobile security tools as a solution chasing a problem, I think the day is coming where serious damage can be done to smart phones en masse....
I think if we step back and look at the big picture of how PC desktops became a security nightmare, we can see cell trending the same way.
Features breed complexity. The old saw that "complexity breeds insecurity" is certainly true, but we need to ask ourselves, what breeds complexity? When PCs made the jump from single tasking DOS to multi-tasking Windows, they became more complex. Word processors gained enormous features, idiot-proof networking was added, games multiplied and blue screens of death became more common. Handsets are getting more and more features that are actually interesting, and they are being used. According to a study by Nokia, teenagers use non-voice features within phones at twice the rate as the older generations. As features garner more interest, hackers find more problems. It becomes a problem that feeds upon itself.
Standards-based networking. As PCs became increasingly transformed from standalone devices to nodes on standard TCP/IP networks, they became introduced to high speed means of transmitting malicious code. Cell phones, traditionally being used for one-to-one private voice conversations, have resembled standalone devices more often than network nodes. However, this has changed, and most advanced phones are TCP/IP nodes. From a carrier perspective, the cell providers are generally not TCP/IP security experts, and many have implemented fairly generic IP stacks. Many authentication and encryption techniques are weak and breakable, and there are vulnerabilities in routing and roaming algorithms, which can lead to many interesting types of attacks. In some respects, the carriers' approach to security has resembled the early days of the Internet: there was implied trust for many reasons – cost barriers to being a host on the network, knowing all of the other points, etc. Meanwhile, costs have come down, and a "malicious carrier" could create havoc with the cell networks.
Lack of due care in product development. Engineering phones has not been about security, just as Microsoft got religion about PC security only recently. In some cases it has been the rush to market. Lack of computational and physical resources – RAM, ROM, weight considerations -- has caused some of the lightweight OS development to provide lightweight security as well. But I think the biggest issue is simply the lack of vision, of understanding how these devices can be used and exploited and why it is so important to secure these devices and their networks.
Many types of attacks are possible and probable with our smart phones. Distributed denial-of-service attacks seem likely with compromised "zombie" phones. Crashing phones is not difficult. Several advanced handsets have such faulty programming that it is possible to make them inoperable by merely sending a malformed graphics file. And I don't mean forcing you to reboot; I mean a phone so crippled by software that you literally have to throw it in the garbage. For phones within a close proximity, some Bluetooth implementations are weak enough to allow people close by to either take control of the phone or tie it up. And many hackers have theorized about feasibility of controlling how the networks route traffic and how to force roaming to wherever you want the phone to go – they think it's doable.
Some security vendors have this market opportunity on their roadmap. That's good for them and hopefully good for us. However, the cellular industry, from handset builders to the network providers, has the toughest tasks ahead to build in the security that is missing. As for me, I am waiting for a smart phone TV commercial that pitches security as a "must have" feature.
About the author
Jim Reavis is the editor of CSOinformer, a monthly research newsletter focused on emerging information security trends and a service of Reavis Consulting Group. An industry leader in information security research, Reavis Consulting Group provides research and analysis services to solution providers, investor groups and end users.