The fate of your enterprise’s network security is literally resting in the palm of your hand. We tend to take our mobile phones for granted because they’re the one device we won’t leave home without. But as the devices get smarter, we seem to forget what a threat they could pose to unauthorized access to sensitive and private data. Last year Credant Technologies, a Dallas-based data security provider, surveyed IT professionals and discovered 94% think mobiles are a bigger risk than mobile storage devices (88%) or laptops (79%).
Even more worrying, says Jan Volzke, security vendor McAfee Inc’s head of global marketing, most of us just aren’t aware of the threat posed. “It is human nature, you just don’t go around thinking something bad is going to happen,” he says. For those who live, eat and breathe security, like Volzke, the false sense of security around mobiles is a disaster waiting to happen. “It’s a matter of time,” he says. “It just hasn’t happened yet.”
A coordinated global attack targeting mobile phones either via a virus, worm or Trojan has yet to happen, he says, but with browser-capable smartphones predicted to rocket to 530 million units worldwide by 2013 from the current 130 million, it’s a tempting target for malicious hack-for-profit criminal enterprises. Aside from a couple of examples, such as CommWarrior and Cabir, a Bluetooth virus deployed in 2004 which targeted Nokia’s Symbian operating system, there hasn’t been anything yet – but that doesn’t mean there won’t be, says Volzke.
A 2007 survey of global-500 CIOs by Coleman Parkes for Mformation Technologies Inc, a mobile device managed services provider, found 68% thought there is “a considerable risk” mobiles will allow unauthorized access to corporate networks while 55% feared mobile devices will increasingly be responsible for lost corporate data in the next five years.
McAfee has been talking with handset and software makers and cell phone carriers for years about the issue, but Volzke says there’s no definitive agreement on who bears responsibility for security.
IT managers in the dark
IT managers, understandably, are frustrated. They don’t control the networks over which their users access their servers and while there are anti-virus and firewall programs for mobiles, the handset itself remains a “black box.” “You can’t look inside or read the source code,” says Volzke, adding that so far only Research In Motion’s (RIM’s) category-creating BlackBerry has consistently proven itself robust enough for enterprise level security, though others are following with standard features like remote management for updates and data wipes in the event the phone is stolen or lost.
Volzke is particularly disdainful of the current darling iPhone from Apple Corp, which he says has several inherent security flaws: “Just for example, that cool interface where the application zooms in and out when you touch the screen? It’s actually a screen shot of the last time you used that application. So if you were doing some mobile banking, there’s a picture of your account and statement sitting on your phone.”
The biggest reason why there has not been a malicious attack via mobiles is the fragmentation of the handset operating systems, he adds. In addition to Nokia-backed Symbian with a 50% market share and RIM with about 20% globally there’s also Windows Mobile with 12%, Apple’s iPhone at nearly 11%, followed by Linux (just under 9%) and the Palm OS. Google Inc’s Android is the newest kid on the block but it has yet to register a global share. With such fragmentation, it’s hardly rich pickings for cyber-gangs like the notorious Russian Business Network (RBN) based in St. Petersburg which was reputed to be earning $150 million a year by stealing log-in credentials from 300,000 bank accounts. It’s a similar situation to Apple, he says.
When Apple held a 2% market share, they were too small in a world dominated by Microsoft Corp to be targeted by hackers. But now with a 7-8% share and growing, a Macintosh attack would be devastating because Mac users wouldn’t expect it.
Bad behaviour is the biggest risk
In the meantime, the biggest threats to security are the mobile users themselves, says Khoi Nguyen, group product manager, mobile security group at Symantec Corp. Lost or stolen phones still account for the biggest issue with mobile devices. Smartphones contain all kinds of information which could infringe on privacy laws or contain proprietary information about mergers and acquisitions, patents or other pending deals which could be considered insider knowledge and used for gain in the stock market or sold to a competitor.
In 2005, security provider PointSec Mobile Technologies (acquired by Check Point Software Technologies Ltd in late 2006) looked at nine countries: Australia, Denmark, Finland, France, Germany, Norway, Sweden, UK, and the US, and estimated that some 85,619 mobile phones, 21,460 PDAs/Pocket PCs, and 4,425 laptops were left in cabs during a six-month period. More than 63,000 mobile phones and 5,800 PDAs and smartphones were also left in London taxis during the same six-month period.
The issue is that mobile phones, like computers, are being built with larger memories while SD memory cards are also going north of four or eight Gb. Even 80Mb could hold 6,000 Microsoft Word documents, 720,000 e-mails or 360,000 contact details. And that, say Nguyen and Volzke, opens the door to all kinds of potential threats since the chances are that the device is not password protected, and the data are not encrypted.
Indeed, a 2007 study by the National Cyber Security Alliance with 700 mobile workers in the US, UK, Germany, China, India, South Korea, and Singapore found 73% aren't aware of security threats and best practices and that 30% “hardly ever” consider security risks and proper preventative behavior.
With mobile generally following the same trend as established with PCs it’s only a matter of time before the cyber-Mafia comes calling, says Nguyen. And with the once-dubbed “third screen” – after the desktop and laptop – fast becoming the first screen of choice, because it doesn’t require boot-up time and has an always-on, always-connected configuration, more mobile users are adapting their work habits and dependencies on mobile smartphones.
Mobile applications broaden the threat surface
Part of the uptake is also due to an evolving understanding of what a smartphone can do and can’t do. After voice, the early killer application was clearly e-mail. With improved operating systems and browser capacity, however, there was an expectation that killer business applications would also start hitting the market. That hasn’t happened, Microsoft CEO Steve Ballmer noted recently. Why? Because there is such a fragmented market, and for developers to reach a mass audience they must recode several times to cover off the bases, which makes it harder to achieve profitability.
While consumers have tens of thousands of choices in applications, business users are trending to the web to access the Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) applications they use with their desktops or laptops. Developers too have started to create interface apps which can pull down data. They are working hard to bring in truncated, prioritized versions of applications to better fit the smaller screen and navigation tools. Add in the trend to Software-as-a-Service (SaaS) and cloud computing, and the reliance on mobiles is expected to continue to grow.
The result is more mobile users on their browsers, which creates its own unique security challenges. In the PC world there’s an established history of hackers creating look-alike sites in an effort to capture personal data, or to offload a Trojan which will search for data on a device as a way to embed itself into the network.