Smart phone sales are exploding worldwide. Gartner research has shown that smart phone sales in 2010 Q3 accounted for nearly 20% of all mobile device sales, with a growth of nearly 100% since the same quarter the previous year. This number is sure to rise. With the rapid rate of release-to-market and quick adoption, it comes as no surprise that hackers are looking into these platforms as well. What are the latest threats on the smart phone front?
Mobile Threats – Moving Up the Stack
When considering smart phone attacks and threats, we can look at the first generation of these, which is mainly concerned with vulnerabilities in the mobile platform itself. For example, just a few months ago security researchers developed a proof of concept for abusing Android authentication mechanisms, demonstrated using the Angry Birds game.
Yet, we’re already witnessing next generation threats, rising up the stack, which we can categorize as:
1. Loss of mobile devices containing sensitive enterprise data— The fact that smart phones are quickly becoming part of the enterprise network and a business operation platform has opened a big, new door for hackers. An Apple device nowadays can hold up to 32G of memory. For some context, a million records containing names, addresses and social security numbers consume about 0.5G of memory. And downloading sensitive data from the enterprise network using a spreadsheet application has never been so easy. While everyone is so concerned with laptop loss or theft, these newly introduced mobile devices pose a major threat in terms of data leakage. It is much easier to lose your iPhone than your laptop.
2. Security holes in mobile applications— Mobile applications are becoming more and more sophisticated, and at the same time vulnerabilities that commonly affect “standard” desktop applications are starting to appear in mobile applications. The media highlights stories about service providers struggling to fix vulnerabilities in the mobile applications they’ve provided to their users. However, these vulnerabilities are not platform dependent. Well-known web-related attacks are starting to show up in their mobile form (e.g. malicious sites forcing outbound calls on iPhones) and popular botnets are making steps into the mobile platform. Recently, security researchers have found an Android-based Trojan with similar bot-like capabilities. This latest development not only broadens the reach of hackers, but also challenges some of the state-of-the-art authentication and authorization techniques that rely on a separate browsing channel and mobile channel. Take, for example, applications that use a one-time password (OTP) for validation of sensitive transactions, where the OTP is delivered through SMS to a phone number provided by the user. If the user is employing a smart mobile device for accessing the application, and that device is infected by a Trojan, then that Trojan is able to access the OTP delivered through SMS.
3. Security holes in server side applications— In a rush to add mobile support to existing web applications, developers are introducing vulnerabilities into already stable applications. These range from the classic SQL injection and Cross Site Scripting vulnerabilities to ones that are more mobile specific. One common type of mistake is relying on message content, automatically introduced by the mobile device, for authentication and identification, while in reality such information can be easily forged.
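The server-side mistake described in item 3, shown beside a hardened form. This is an added example, not code from the original article; the header name, token format, and account data are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: hypothetical header name standing in for any identifier the
# handset or its gateway adds to a request automatically.
DEVICE_ID_HEADER = "X-Device-Subscriber-Id"
SERVER_KEY = secrets.token_bytes(32)  # signing key, never leaves the server
ACCOUNTS = {"15550100": "alice", "15550199": "bob"}  # constructed sample data


def identify_weak(headers):
    """Before: treats a client-controlled header as proof of identity."""
    return ACCOUNTS.get(headers.get(DEVICE_ID_HEADER, ""))


def _sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user, ttl=900):
    """Called only after the user has authenticated for real (e.g. password)."""
    body = f"{user}:{int(time.time()) + ttl}"
    return f"{body}:{_sign(body)}"


def identify_hardened(headers):
    """After: ignores the device header, accepts only a server-signed token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    parts = token.rsplit(":", 2)
    if scheme != "Bearer" or len(parts) != 3:
        return None
    user, expires, tag = parts
    # Constant-time comparison; anything the server did not sign is rejected.
    if not hmac.compare_digest(tag.encode(), _sign(f"{user}:{expires}").encode()):
        return None
    if int(expires) <= time.time():  # safe: value is covered by the signature
        return None
    return user
```

The device-supplied value can still be logged as a monitoring signal, but it never decides who the caller is.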
Security Must Catch Up
Sadly, for now it seems the black hats are winning. The black hats are in the fast lane not because of technical superiority – they are not detecting more Android or iPhone vulnerabilities than researchers. Rather, hackers have been faster to recognize the potential mobile platforms provide for profit and mayhem. A search of hacker forums for the keywords “android”, “iPhone” and “nokia”, done to see trends in mobile attacks, showed that hackers’ interest in mobile has increased significantly during this year. In the last half of the year there were 2383 keyword-related threads in the forum, compared to only 264 in the previous half – almost a 10-fold increase.
Security professionals are constantly chasing zero-day vulnerabilities in the OS rather than looking at the overall effect. We need to consider two factors:
• Organizations – The first step is simply recognizing the presence of mobile devices and understanding the implications of these devices for the organization. This means securing the devices and their interaction with the enterprise networks. Tools and procedures need to be put into place, such as anti-malware, encryption, and authentication. Special monitoring requirements should be set for access by these devices to enterprise resources (databases, files, intranets).
• Application providers – Mobile device security must become a business problem and not a consumer problem. Application providers need to get their act together with respect to serving these devices, including vulnerability mitigation, reevaluation of trust, and incorporation of new authentication/authorization channels.
Coming up Next…
The outlook for the upcoming years is not too optimistic with regard to mobile device security. In fact, I believe that we’ll see exponential growth in the number of incidents related to mobile devices in the next few years, from theft or compromise of information in these devices, through massive infection campaigns, and up to frequent exploitation of the vulnerabilities introduced into the server side. As hackers continue to gain profit from this medium, they will exploit it thoroughly. And talking about cyber-criminal trends, we are already witnessing shifts and trends in this industry. So stay tuned as I talk about the shifts in the cyber-underground business models as hackers begin to feel the heat.