By: Shay Zalalichin, CISSP
CTO, Comsec Consulting
With the Mobile World Congress taking place this week, and the unveiling of a new generation of mobile phones that are becoming more advanced and technologically complex, two clear trends can be identified as potential security threats: the threats that arise from using these advanced phones, which are in essence small computers, and the threats to the data that is accessed through them, namely social networking sites, and that is, by default, stored within these phones.
There are constantly new platforms and operating systems being introduced, from Android and webOS through the new Samsung Bada, Symbian, BlackBerry, and the new MeeGo Nokia/Intel collaboration, all of which are part of what can only be likened to a “gold rush” of opportunity; many of the companies involved do not take the time to properly integrate security measures into their development lifecycle, so as not to miss the profitable boat.
The diversity of operating systems and platforms posed something of an obstacle for evildoers until recently, as attackers didn’t quite know at which specific platform to direct their attacks: whereas Windows is the leading operating system for desktop and laptop users, there wasn’t any clear-cut target amongst Smartphones until the iPhone. The iPhone has presented a whole ‘nother ball game. According to Tech Crunchies, iPhone sales have reached a record-breaking 42.5 million handsets across the globe, and another 11 million are expected to be sold by 2011. The iPhone’s success was quickly seized upon by software developers to create any imaginable mobile application, from banking applications to silly games, and in turn the iPhone, a victim of its own success, has become a target for many attackers looking to profit from the phone’s popularity.
Until 2009 the mobile world had been much more limited in its capabilities; 2009, however, was the year of the Smartphone, with devices enabling much more advanced Web access features and integration options, media capabilities, and millions of applications that provide access to nearly limitless data, while their users have not yet adapted their perceptions to these highly advanced devices.
In the past, Smartphones such as the BlackBerry were designed and built specifically to respond to business and enterprise needs for email use on the go, and as such security for these more limited capabilities had been taken into account from the onset. The iPhone, on the other hand, was targeted at consumers, and security measures were implemented almost as an afterthought, while in the meantime, due to its popularity and ease of use, many enterprises adopted this phone in their organizations without properly considering the threats involved.
Apple targeted a younger population looking to be more socially in sync, providing applications for Facebook and Twitter, Gmail, and myriad games. Thus, with its initial release, the iPhone did not provide any encryption capabilities. With the aim of becoming more enterprise-friendly, Apple quickly understood the need to include additional security measures in the iPhone. As such, Apple released encryption fixes with the latest iPhone model in 2009, which unfortunately was still not enough to prevent the spread of two well-known iPhone viruses: the most popular being the less harmful Rick Astley virus, and the second being a virus that used the same method as the Rick Astley virus but was more cybercrime oriented and attempted to steal information from these devices, much like phishing.
These infections were mostly due to a lack of awareness and to the jailbreaking of handsets by consumers who were not cognizant of the threats involved in performing such actions on their phones, namely exposing their handsets to remote access over the Internet by installing the SSH service. That said, at the recent Black Hat convention in early February, potential vulnerabilities in the latest iPhone encryption were pointed out, stemming from a design flaw.
A large part of the problem lies in the consumer’s mindset. Although consumers are accessing the same websites, with the same potentially threatening content and malware, as they would from a PC, according to a survey by Trend Micro many Smartphone users don’t even enable the built-in security options, and are sure that surfing the Web via these devices is safe, or at least as safe as surfing from a PC or laptop, despite the fact that there is no virus or malware protection on these devices at all.
Another threat added to this already threat-laden landscape is the social networking threat. With Facebook registering 350 million users in over 180 countries by the end of 2009 and being one of the most popular mobile applications to date, Twitter rising to 75 million registered users by the end of 2009, and new social platforms such as Google Buzz launching daily, all of which need to be accessed in real time, many developers are racing to meet tight launch deadlines without properly considering all security angles. Within three days of the Google Buzz launch, a security breach had already been discovered. This, combined with the use of the less-protected Smartphone and the inordinate number of social network users, presents potential threats and risks of a formerly unknown caliber and potential fallout. With data access from Smartphones expected to reach 30% by 2013, the best advice we can offer to the different parties involved is:
Be sure to integrate security throughout your development lifecycle, and take the time to perform proper threat modeling to identify all of the potential threat factors. While the business need to release software as quickly as possible is understood, the number of victims that can be harmed by insufficient data security is too large to even fathom, and common breaches such as Cross-Site Scripting, cryptographic flaws, and SQL Injection could constitute a veritable disaster.
Be aware that your employees are walking around with mini-computers that contain and store sensitive data, from corporate data in emails to pictures and documents. In addition, because these are small computers, these phones can be accessed much like any other disk or flash drive: data can be extracted and viruses spread into corporate LANs. Enterprises need to start taking this into consideration, establish proper policies and procedures for employee use of these devices, and institute the security measures required to cope with these threats.
If, until now, a phone was just a phone, with some messaging and camera capabilities, these smartphones now contain much more sensitive and potentially compromising data. In addition, while the perception is the exact opposite, users should be well aware that these devices are far less secure than a desktop or laptop computer, and should act accordingly. Be aware of the security threats, with the potential to compromise your privacy, that are involved when sensitive data is accessed via phone applications and via software installed from unknown and unsigned vendors. Much like on your home computer, there are plenty of viruses and malware out there that can cause a great deal of damage. With a device that stores all of your personal contact information, potentially exposing pictures, and private passwords to your email and other accounts, identity theft could not be an easier feat.