ITWales.com

Mobile Security: The ITWales Interview

by Robert Earls

With mobile devices becoming increasingly popular and cost-effective, there is a significant risk to both business and individual security. You can read more about the issue in this month's mobile security feature, but we also wanted to speak to some of the experts to find out whether the threat is real or perceived, and how users and companies can protect themselves.

Ollie Whitehouse is a member of Symantec Security Response’s Advanced Threat Research team, specialising in mobile and wireless technologies. He is a frequently published author of research on the security of mobile telecommunication networks, mobile devices, and Bluetooth. In addition, he has discovered numerous security vulnerabilities in a wide range of desktop and server applications.

Laurent Gondicart is Director of Business Development EMEA at Trend Micro, where he has worked for over eight years. Laurent is responsible for promoting Trend Micro’s emerging products and technologies.



There's a perception that mobile security is becoming more of an issue. Can you give our readers some idea of the scale of the problem?

Ollie Whitehouse: The problem today from remote attacks is very small, but it does exist and we do expect it to grow in the future. However today it is still primarily the domain of the research lab. The biggest issues facing mobile users today really centre around: Privacy when accessing the internet via a WiFi connection; Data Protection and what happens when a device is lost or stolen; SMS spam, which is a growing problem to users.

Laurent Gondicart: Compared to security issues on Wintel PCs, mobile threats are only just emerging both in overall number of infections and code complexity.

We have seen a dramatic rise in infections driven by "web threats", targeted and regionalised attacks on PCs and still the perception of the user is that there are fewer viruses than before. The main reason behind this is that the hackers and malware writers no longer seek massive worldwide spread of their malicious code to establish their reputation (mass mailer type of viruses like "I Love You" or "Melissa"). What motivates a hacker or a malware writer nowadays is to make a fraudulent profit, and to achieve this they avoid "publicity" in the Media whenever possible. So the number of infected computers in the world by bots, spywares, webthreats, or huge amounts of spam is at very high levels. Yet, still users feel safer just because they do not see those massive virus outbreaks in the Media anymore.

Mobile devices running open operating systems have a high potential for digital mischief and mobile security is becoming a concern particularly for enterprises as the power of mobile devices increases. Canalys, an industry consultancy recently indicated mobile device shipment figures of 64M devices for 2006. With increasing data speeds from 3G networking, more computing power and increased number of devices on the street, these sorts of devices are becoming an attractive target for hackers and other malcontents. This is very similar to the developments we have seen with PCs over the years.

Mobile security is increasingly moving towards similar means used to protect PCs, for example anti-malware and firewall solutions.



Which Smartphone operating systems are by default more secure than others and which ones are less secure?

OW: First it's probably useful to list the SmartPhone operating systems available at the moment, which are:

Of operating systems listed above, Linux is a very specific handset manufacturer in terms of security and is primarily seen in Asia. BlackBerry's O/S is extremely secure on the handset, but is only available on RIM's proprietary hardware. With regards to the leading mobile SmartPhone OS's, it is between Symbian and Windows Mobile, but the clear winner is Symbian 9. Symbian made a concerted effort to build security in to their platform at version 9, and whilst it is not perfect it does go a long way compared to both previous versions and its competitors. However some argue that by Symbian taking this very aggressive approach to security they've made it difficult to develop for. So we can see from this that it is a real balancing act.

LG: Our experience is that all mobile device operating systems have vulnerabilities, but it is the popular operating systems that get those weaknesses exploited. Think of the Windows PC compared to Mac OS or Linux. Windows is a popular operating system with the "bad guy" community because there is such a large target population of machines. The same holds true with mobile devices. The dominant smartphone operating system is Symbian, and we have seen the most mobile malware activity on Symbian.

Note that the "open" operating systems where users can install applications without restriction and can connect to the internet are most likely targets. The bulk of devices in the marketplace today are feature phones where one cannot install OS-level applications. But smartphones running Symbian (Nokia, Sony Ericsson) and Windows Mobile are the fastest growing segment of the mobile device population today.



Which is the biggest threat to security on a smart phone? Bluetooth, email attachments, WiFi? Or is it from installing unsigned and untrusted software?

OW: Today the biggest threat is someone losing a device with a 1GB mini-SD card installed in it with sensitive corporate data which wasn't encrypted. Yes there was a flurry of Bluetooth vulnerabilities around 2003/2004 but most of these have been ironed out. While there exists one which still works today, to launch the attack requires the attacker to perform quite an invasive operation and the user to perform re-pairing in a public place.

The next real threat is as previously mentioned privacy when accessing the Internet via WiFi - this is no different from SmartPhones or a Windows based laptop. Users need to take common sense steps in ensuring sensitive actions occur over encrypted channels (i.e. SSL encrypted), while enterprises should ensure all their users use industry accepted VPN solutions when accessing corporate assets remotely.

LG: My crystal ball is a bit cloudy and hackers are not predictable. Our experience is that the attack vector will probably be the one through which hackers can achieve most financial gain in the shortest span of time. This is very similar to the PC world where spam and spyware are widespread.

It probably will not be email attachments since users seldom download such attachments to their mobile today. We have seen much of the activity to date be Trojans that are downloaded to the mobile.



On desktop computers, companies have the ability to restrict the access that a user has, to install new software or change settings. Which smartphone manufacturers if any, allow companies to implement their current enterprise security policies on mobile devices?

OW: RIM on their BlackBerry devices provide this functionality out of the box. Hence it's a huge hit with enterprises and governments looking to have central administration. For the other devices Windows Mobile in a Microsoft Exchange environment has the ability to roll out certain basic policies. However there exist a number of third party solutions which provide a more in-depth policy deployment and management for Windows Mobile devices. Out of the box Symbian doesn't provide anything which directly offers this, however Nokia do provide some of this functionality through their Advanced Device Management tools available for certain handsets.



It seems like installing a mobile security product is becoming more vital, but what measures can a user do today, to ensure the safety of the data held within their smartphones?

OW: It really comes down to users employing the same basic security practices they become accustomed to on the desktop to their mobile lives. For enterprises it's finding ways to deploy, enforce and audit corporate policies on their devices. For users it's not opening MMS attachments, replying to SMSs or visiting links in SMS/MMS/E-Mail messages from senders they don't recognise or trust. Windows Mobile 6 users should ensure they leverage the in-built ability to encrypt data stored on removable media. But they should also understand the impact of doing this - i.e. the data becomes inaccessible when the card is removed from the mobile device and installed in a new machine. Users should also ensure they utilise the security features available in the SmartPhone, such as setting device and SIM PINs and Passwords.

LG: We encourage our customers to start applying the same common sense they use with their PC to their smartphone. Avoid websites that you may not necessarily trust, don't install applications from mistrusted sources, do not open "strange" MMS even from people you know, keep your Bluetooth connection hidden at all times, and of course install a security solution that provides anti-virus and firewall functionalities.




