Do wireless providers like Verizon and AT&T crimp mobile security?

Do wireless service giants such as AT&T and Verizon wield their power to effectively stand in the way of mobile-device security?

Lively commentary on that topic came during the RSA Conference here this week as Ed Amoroso, chief security officer at AT&T, Ian Robertson, RIM director of security, and Alex Stamos, partner at security firm iSec, shared a discussion panel moderated by Lookout CEO John Hering. There was a candid willingness to acknowledge that the current world, where mobile devices are tightly bound to wireless telecom provider networks, may not be the best in terms of tackling security issues that are expected to accelerate over the years.

"We're probably at the cusp of a threat that will change dramatically," said AT&T's Amoroso, who compared the current threat situation around mobile to how the threat to PCs looked in 1988, before the onslaught of viruses and other attacks that followed.

As adoption of smartphones and tablets accelerates, the expectation is that they will become a very attractive target. "We've not seen much in terms of direct attacks on mobile phones," said RIM's Robertson. But these devices are being loaded up with personal data that, "from an aggressor's viewpoint," makes them "an attractive target," though the infection record today largely relies on "duping users" into opening malware, for example.

Amoroso said few people realize how vulnerable the GSM wireless infrastructure is. The GSM standard included a decision "not to authenticate to the tower," said Amoroso, and although the next-generation LTE service addresses that, it remains a standards problem that needs to be fixed, especially as carriers run multiple wireless networks. "The audit community is in a total snooze fest on this topic," he said.

Pushing out security patches "takes months," commented Lookout's Hering, because in the mobile world, "so many people are involved" reviewing and approving it. "The question is, can we get that from seven months to seven weeks to seven days?"

"Patching is a big problem," acknowledged Amoroso. "You shouldn't have to do it in the first place." But in the "over the air stuff," he pointed out, "the carrier will zap you. We call it the nuke option." He acknowledged this is not an optimum situation: "Sooner or later as a group, we'll have to come to an agreement as to what we'll do" in terms of "a community for patching."

"It's a political problem," said iSec's Stamos about the situation where mobile-device makers must get approval from the carriers for these types of updates. He said a lot of this situation is engendered by "the desire by the carriers to control profit streams."

In contrast, Microsoft, in its Windows patching routine, "doesn't have to go to every laptop OEM to get permission from each." Stamos added that Google has set up separate "tiers" for certain devices and customers to be patched. Overall, Stamos advocated that the mobile-device industry make a break with the current situation regarding carrier control, and especially for enterprise users, "please give these people the ability to patch their phones." The iPhone and Android devices are hard to manage in part because of this.

Apps were another topic of discussion. Amoroso said AT&T's policy on Android is that "we restrict apps to the Android market. I thought this community would love that," because it was intended to make malware more difficult to distribute. But, he added, "the reaction is more like they want mobile to look more like the Internet."

Mobile-device apps may seem silly or whimsical at times, but the reality is that apps are becoming part of the critical infrastructure, Amoroso pointed out. Some businesses are also setting up their own app stores to distribute apps to their end-users.

2011 is the "eye of the storm" in terms of mobile-device security, said Amoroso. One reason is that over the next 12 months, carriers are rolling out their 4G networks, a move that's "unbelievably profound" because it will be "an IP infrastructure for mobility at speeds that will be appealing for hacking." He said he felt the world was not yet fully prepared for this as an event.

The current tight-knit relationship between the carriers and the makers of the smartphone operating systems, including Google, RIM and Apple, among others, effectively leaves a broad swath of the traditional security industry somewhat out in the cold in terms of becoming aware of patching issues and being able to best offer their own analysis and remedies.

"The carriers have the power," acknowledged George Kurtz, worldwide chief technology officer and executive vice president at McAfee, who discussed the issue separately. He said McAfee strives to keep communications open with Google, Apple and others. He noted that the anti-malware vendors fighting Windows-based problems have benefited from what has become technical cooperation with Microsoft. But that kind of relationship doesn't exist at this level in the mobile-device world today, he noted.

The current situation leaves a lot of control in the hands of carriers, which admit it can take a long time to get through a patch-approval process.

Stories by Ellen Messmer