Smart Phone Attacks: Here and Now

Attackers can already hit millions of victims with a smartphone attack, and soon that number will be even larger

When security vendors used to pitch articles on smart phone malware, my blood ran cold.

The first such story I wrote, in 2004, was about a proof-of-concept virus that could infect smart phones used by a super minority of people. Each year on, I did the occasional interview about smart phone threats and the message was usually the same: Attacks targeting phones were still a way off, but security pros need to start thinking about countermeasures. (See Mikko Hypponen's predictions from late 2008 as another example.)

Funny thing about threats that are a couple years away: Nobody really wants to think about what they'd do about them because they have plenty of clear and present dangers to deal with on desktops, laptops and all the other elements that encompass a traditional enterprise network. The thought of new defenses comes only after the once-theoretical attack has hit the proverbial fan and landed right on top of some poor IT shop that's caught unprepared.

Even when the iPhone came out a couple years ago, the conventional wisdom was that attacks remained in the distant future, because there were still too few users for the bad guys to waste their time.

That was then. Today's a different story.

Just about everyone has a smart phone now. Most have a BlackBerry or an iPhone. More have purchased the Android and a few other types. Users now visit all the same dangerous Internet destinations they visit on their home computers and laptops. They trade files and open e-mail attachments that may be infected. They can be scammed out of their sensitive information, like credit-card and Social Security numbers.

With all this happening, the bad guys now have reason to shift their attention and create new flavors of mobile malware. With so many of these devices hooked to company networks for access to e-mail and other programs, attacks on the phones can now be used to penetrate larger company systems.

In other words, it's time for IT security practitioners to start paying attention and making plans.

There's already plenty of evidence that trouble is afoot.

At the ShmooCon security conference in Washington D.C. a couple months ago, Trevor Hawthorn, founder and managing principal at Stratum Security, ran attendees through a series of specific weaknesses that could be used against iPhone users. He discussed security holes (since fixed) found in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device. Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store.

For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one. "Jailbreaking wipes away 80 percent of the iPhone's security controls," he said. "Since nearly 7 percent of all iPhones are jailbroken, the bad guys have plenty of targets to choose from."

And target they have. Exhibit A is the iKee worm. According to an earlier analysis from security vendor Sophos, Apple iPhone owners in Australia were infected by a worm that changed their wallpaper to an image of 1980s pop crooner Rick Astley. "The worm, which could have spread to other countries although we have no confirmed reports outside Australia, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH," Sophos senior security consultant Graham Cluley wrote. "Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again. On each installation, the worm - written by a hacker calling themselves 'ikex' - changes the lock background wallpaper to an image of Rick Astley with the message: 'iKee is never going to give you up.'"

Also worrisome is that the bad guys can use the advanced map and GPS software on these devices to see exactly where a person is and where they are going. From there, the cyber threat becomes a physical one. One way the bad guys can target the phone user is through a game called "Underworld: SweetDeal," a free location-based iPhone multi-player online game about trading controlled substances in the real world. Hawthorn noted how players can use Google Maps to locate where other players are physically. He found players in some interesting places through the course of his research. He was able to track one player to a parking lot outside the headquarters of NSA. Another player was tracked to a parking lot outside CIA headquarters. "You can check a person's movements because the game checks in on your device's location regularly," he said.

Google's head of Android security also acknowledged in an interview with colleague Robert McMillan that phone attacks are upon us.

"The smartphone OS will become a major security target," Android Security Leader Rich Cannings said. Attackers can already hit millions of victims with a smartphone attack, and soon that number will be even larger. "Personally I think this will become an epiphany to malware authors," he said.

Then there's the article my colleague Joan Goodchild recently wrote on all the apps people download onto their phones (There's an Insecure App for That). In that article, security experts noted that mobile phones now have an application for almost everything, and that those apps leave the same basic security holes wide open.

There's plenty of common-sense guidance for users on how to keep their phones secure. Joan's story lists five such tips:

  • Tip 1: Don't forget basic security practices when it comes to mobile applications
  • Tip 2: Consider the unique risks of mobile devices
  • Tip 3: Don't allow sharing of authentication information between sites
  • Tip 4: Don't expose line of business applications to your mobile workforce without the proper security in place
  • Tip 5: Take advantage of the security features that are available in each device when writing native apps

Good advice.

In the final analysis, the path to smart phone security is about the same as the security we've gotten used to on the larger computing systems.

We simply must realize it's something we can no longer ignore.

Stories by Bill Brenner
