Security and Mobility
The little-big problem
Security in the mobility space is not all that new. We’ve seen our fair share of worms, spam, and attacks against cell phones, PDAs, and smart phones. Over the years various products and solutions have surfaced in an attempt to address these challenges with varying degrees of success. Nevertheless, as cell phones become more and more sophisticated, gaps in security are becoming alarmingly huge.
First, let’s take a quick look at the evolution of mobile devices. What was once just a phone has now become more than a computer. When one looks at the explosion of social networking, today’s phone is a personal social management system. It tells our friends where we are and provides an intimate interface with Facebook, Myspace, Twitter, Flickr, Google, and a vast array of other applications to keep us connected. Our mobile devices are where we store our data, pictures, personal notes, music, and other things we use daily. We sync information with personal and business systems to help us be more effective on the road.
I hear people compare these seemingly simple devices to computers, and that’s understandable given the growth in capability and power. However, I submit this is a bad analogy. These devices are far more ingrained into the human elements and the basis for social interaction. Yes – computers can do this too, but are far less attached to the “mind and body” of the individual.
But this is only the beginning of the massive differences between computers and mobile devices. For example, there is a great deal of diversity in platforms and hardware that has never really been seen before in the technology sector. Adding to this diversity is the rate of advancements and changes in the technology. It is not uncommon for a person to get a new phone a few times a year. This has been especially interesting to watch after the launch of the iPhone. Seemingly every vendor produced a new spin-off of the iPhone within months and everyone started buying them.
To add to the malaise, many devices are “attached” to the provider and the vendor. This is most obvious with the iPhone, but exists with RIM’s BlackBerry and others as well. Of course this can be changed with the vast number of jailbreaking tools out there.
Then, of course, we have the massive number of apps that are made available to users that can do anything from on-line banking and balancing your checkbook to helping you quit smoking or telling you if someone you’re sexually compatible with is near you. There is implied trust in these applications because they are “signed” and approved by the provider or vendor, but this is not always the case. Using Easter eggs to bypass Apple’s notoriously inconsistent iPhone App Store approval mechanisms has become commonplace.
Based on this quick analysis we essentially have an enormously dynamic environment comprised of a highly diverse collection of very powerful, yet easy to use devices that are intimately intertwined with people and society.
From a security perspective this is mayhem and covers the entire gamut of security concerns including everything from terrorists using them for IEDs to mobile botnets. There is a great deal of corporate data coursing out of the environment to these devices that may be lost, stolen, or hacked – not to mention people are more than likely syncing everything on their phone to their personal home computer, which is probably p0wned already.
So, a couple of recent examples. How about the Symbian sexy space worm (aka Transmitter.C) that not only pumps out hundreds of text messages to annoy and spread, but can then form a cell phone botnet? Moreover, it’s interesting to note that this was approved and signed by the Symbian Foundation that controls (or thinks it does) the validity of apps.
Look at the finger pointing between RIM and etisalat, a service provider for the United Arab Emirates, concerning who is responsible for an app (aka spyware) that copies all text and e-mail messages to a remote server. In this case, the software was actually pushed out to all subscribers using the BlackBerry by etisalat, who claimed it was an upgrade from RIM, infecting more than 140,000 users of BlackBerry. RIM has denied such involvement and has even issued an official "update" removal program to users.
This reminds me of Sony’s venture into malware and the blatant implementation of software without the user’s knowledge, or worse, giving them the impression it is something else of importance. Even Apple isn’t immune to these activities. From a security perspective – again – this is complete madness. Companies you trust are installing what they want, which may not be in your best interest; app controls can be easily bypassed, allowing virtually anything to be “approved” and published; hackers are building mobile botnets using not all that sophisticated malware; and there are virtually no controls available to your common user to stop it. It is completely reactive. But, who cares, you’re getting a new phone this weekend, right?
We haven’t even touched on the topic of the actual network. Denial of service attacks, cloning, eavesdropping, call redirection, or even messing with the signaling and protocols are not all that complicated. Cell networks were not designed with security in mind (sound familiar?), so like the Internet we have to start layering other controls.
Not only am I a little concerned about people, but also companies. Even with technologies such as DLP, data can get out of your company in so many ways it’s difficult to fully comprehend, much less effectively and consistently control. Even the recent article on the iPhone 3GS’s encryption and “business ready” capabilities has been shown to be deeply flawed.
There are a number of utilities available to companies to reduce the loss of data. Most common is remote data destruction or disabling the phone. Unfortunately, except for BlackBerry, most have to connect to the network to get the “kill signal” and any half-witted hacker knows to remove the SIM card before turning on a newly appropriated phone.
I think what I’m trying to convey is that this is not only a problem today, but it’s going to get much, much worse in the future. There are a lot of really smart people working on these problems out there and new products surfacing every day. Nevertheless, it is the bonding between the device and the user, and its role in their personal lives that make this such a deeply rooted concern.