When security vendors used to pitch articles on smart phone malware, my blood ran cold.
The first such story I wrote, in 2004, was about a proof-of-concept virus that could infect smart phones used by a super minority of people. Each year on, I did the occasional interview about smart phone threats and the message was usually the same: Attacks targeting phones was still a way off, but security pros need to start thinking about countermeasures. (See Mikko Hypponen's predictions from late 2008 as another example.)
Funny thing about threats that are a couple years away: Nobody really wants to think about what they'd do about it because they have plenty of clear and present dangers to deal with on desktops, laptops and all the other elements that encompass a traditional enterprise network. The thought of new defenses comes only after the once-theoretical attack has hit the proverbial fan and landed right on top of some poor IT shop that's caught unprepared.
Even when the iPhone came out a couple years ago, the conventional wisdom was that attacks remained in the distant future, because there were still too few users for the bad guys to waste their time.
That was then. Today's a different story.
Just about everyone has a smart phone now. Most have a BlackBerry or an iPhone. More have purchased the Android and a few other types. Users now visit all the same dangerous Internet destinations they visit on their home computers and laptops. They trade files and open e-mail attachments that may be infected. They can be scammed out of their sensitive information, like credit-card and Social Security numbers.
With all this happening, the bad guys now have reason to shift their attention and create new flavors of mobile malware. With so many of these devices hooked to company networks for access to e-mail and other programs, attacks on the phones can now be used to penetrate larger company systems.
In other words, it's time for IT security practitioners to start paying attention and making plans.
There's already plenty of evidence that trouble is afoot.
At the ShmooCon security conference in Washington D.C. a couple months ago, Trevor Hawthorn, founder and managing principal at Stratum Security, ran attendees through a series of specific weaknesses that could be used against iPhone users. He discussed security holes (since fixed) found in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device. Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store.
For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one. "Jailbreaking wipes away 80 percent of the iPhone's security controls," he said. "Since nearly 7 percent of all iPhones are jailbroken," the bad guys have plenty of targets to choose from."
And target they have. Exhibit A is the iKee worm. According to an earlier analysis from security vendor Sophos, Apple iPhone owners in Australia were infected by a worm that changed their wallpaper to an image of 1980s pop crooner Rick Astley. "The worm, which could have spread to other countries although we have no confirmed reports outside Australia, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH," Sophos Senior security Consultant Graham Cluley wrote. "Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again On each installation, the worm - written by a hacker calling themselves "ikex" - changes the lock background wallpaper to an image of Rick Astley with the message: 'iKee is never going to give you up.'"
Also worrisome is that the bad guys can use the advanced map and GPS software on these devices to see exactly where a person is and where they are going. From there, the cyber threat becomes a physical one. One way the bad guys can target the phone user is through a game called "Underworld: SweetDeal," a free location-based iPhone multi-player online game about trading controlled substances in the real world. Hawthorn noted how players can use Google Maps to locate where other players are physically. He found players in some interesting places through the course of his research. He was able to track one player to a parking lot outside the headquarters of NSA. Another player was tracked to a parking lot outside CIA headquarters. "You can check a person's movements because the game checks in on your device's location regularly," he said.
Google's head of Android security also acknowledged in an interview with colleague Robert McMillan that phone attacks are upon us.
"The smartphone OS will become a major security target," Android Security Leader Rich Cannings said. Attackers can already hit millions of victims with a smartphone attack, and soon that number will be even larger. "Personally I think this will become an epiphany to malware authors," he said.
Then there's the article my colleague Joan Goodchild recently wrote on all the apps people download onto their phones (There's an Insecure App for That). In that article, security experts noted that mobile phones now have an application for almost everything, and that those apps leave the same basic security holes wide open.
There's plenty of common-sense guidance for users on how to keep their phones secure. Joan's story lists five such tips
- Tip 1: Don't forget basic security practices when it comes to mobile applications
- Tip 2: Consider the unique risks of mobile devices
- Tip 3: Don't allow sharing of authentication information between sites
- Tip 4: Don't expose line of business applications to your mobile workforce without the proper security in place.
- Tip 5: Take advantage of the security features that are available in each device when writing native apps
In the final analysis, the path to smart phone security is about the same as the security we've gotten used to on the larger computing systems.
We simply must realize it's something we can no longer ignore.