Design Article
The myths and realities of mobile device security
Janne Uusilehto, Nokia Corp.
3/13/2006 5:00 AM EST
Today's mobile phones, whether standalone or in converged (smart) devices, are serving many, and potentially all, of the same functions as desktop PCs and workstations. In addition to running software that performs many of the same functions as PC software, mobile phones are being used to access enterprise intranets to send or download sensitive business information. Users may also access personal bank accounts, make online purchases with credit card information stored on the phone, subscribe to various services such as music and video download sites, and send and download data to/from enterprise intranets. Sensitive personal and business information may be stored in databases, personal notes, and contact lists.
The Trusted Computing Group (TCG) believes it's imperative that an open standard for security for mobile devices be developed, and soon. To that end, a Mobile Phone Working Group is developing a specification for release in the first half of 2006.
Myth: serious mobile security threats don't exist
Early in 2005, Mark Kelly, editor of SecurityFocus, Symantec's online magazine, stated in a column "the real threat from viruses just doesn't exist today. My prediction is that mobile phones won't experience any major security issues for several years." IT research firm Gartner's June 2005 report stated "The conditions required for a real virus or worm to spread quickly among the mass of mobile devices will not converge until the end of 2007," a remark that's been widely quoted in the media.
Because early mobile phone trojans and worms seldom do more than cause the phone to stop working or launch denial-of-service attacks of limited scope, the damage, and therefore the threat, is considered slight by security firms. However, while the damage may be slight, the attacks are succeeding, and they inconvenience the end user. In addition to the threat from malware, the security codes on many handsets are so easy to crack that mobile phone theft tops all other street crimes in many cities around the world, since cracking these codes gives access to the sensitive information stored on the phone.
It's also important to note that each new edition of malware is more sophisticated and successful than the last. The virus writers are learning their medium and evolving more complex and intrusive malware. SymbOS/Cardtrap.A appeared in the latter part of 2005, planting two Windows worms on the phone's memory card that attempt to infect a PC when the card is inserted in the computer's memory card slot. Early invaders such as Cabir and Commwarrior were arguably just for practice while malware authors learned their craft.
Reality: serious mobile security threats exist
According to McAfee Avert Labs, mobile malware has grown almost 10 times faster than PC malware over a one-year period, and McAfee expects to see a significant rise in the number of global mobile threats in 2006, in part because of the increased connectivity of smartphones.
McAfee predicts that the damage caused by new mobile threats is likely to be far more extensive than that caused by today's PC threats. They estimate that a mobile threat targeting several operating systems could infect up to 200 million connected smartphones simultaneously, as the majority of these devices don't have mobile security protection installed. This fact alone points to the need for device-level embedded security.
A mobile phone is seldom a discrete device anymore, but may incorporate a camera, a music and/or video player, a PDA, and trimmed-down versions of standard desktop software applications. Market analysts report that as of Q2 2005, shipments of converged or smart mobile devices were up 186% over the year ending Q2 2004. Over 12 million such devices were shipped, compared to slightly less than 6 million the prior year.

Desktop PCs don't get lost
In addition to the threats common to desktop PCs, mobile phones have several additional vulnerability areas:
- Because they're small and often carried on the user or in a purse, mobile handsets are more likely to be lost or stolen, making any information stored on the phone, along with access to services and any banking and credit card information, available to the thief.
- Using the phone in a public place is a risk the desktop user needn't be concerned with. Sensitive information may be communicated by voice, text message, or wireless email in close proximity to other phone users or cybercriminals equipped with special electronic spying equipment.
- When a person makes a call or transmits data with a mobile phone, the phone transmits information to identify itself. This information includes the phone's electronic serial number (ESN), the mobile identification number (MIN), and other electronic ID signals, none of which is encrypted in analog systems; all of it can be captured by a cybercriminal using an ESN reader, which is readily available. Once captured, this information is used to clone the victim's phone by implanting the ID codes in another phone. The cloned phones can be used for up to 30 days before the fraudulent charges are discovered.
These factors mean that mobile handsets are now more attractive targets for cybercriminals than they've been in the past.
Making security a priority
In mobile devices, OS, platform, and application level functions, including the Subscriber Identity Module (SIM), Universal SIM (USIM), and Universal Integrated Circuit Card (UICC), must interact in a secure, trusted manner across various platforms. An open standard will be a major factor in bringing interoperability between different systems.
This is especially important to enterprise IT departments that need to provide access privileges remotely as well as in house. The use of smartphones by employees and clients alike to access company data and services has given rise to perplexing security issues that, to date, haven't been resolved to a level of trust that encourages enterprises to support the use of such devices without reservation. Of course, this has economic implications for mobile device makers and service providers. To manage remote access, robust identity protection and user/device authentication are essential. Enterprises will spend the necessary dollars on mobile smartphones if those devices are embedded with security based on a robust standard.