Welcome to the first installment in the monthly TYCA technology related blog series. This month’s article is provided by one of our SME’s, Steve Overland, who is a Vancouver, Canada based IT security expert.
Mobile Security Landscape in 2012
The state of mobile security – particularly smartphone platforms – is an increasingly common IT security concern. Several trends contribute to this fact. The most obvious is that smartphone adoption rates are incredible – providing the economy of scale that most malware creators rely on for their software to be feasible and profitable.
In 2011, more than 400 million smartphones were sold worldwide. This is more than the number of PCs sold in 2011. PC sales are expected to grow by approximately 10% in 2012. Smartphone sales are predicted to increase up to 50%. Industry analysts expect that by 2016, over one billion smartphones will be sold per year.
Five year history of worldwide smartphone sales (in millions of units):
A smartphone – in the context of this article – is a device with a modern mobile operating system (Android, iOS, etc.) and a cellular connection: a miniature, portable computer with a broadband modem that works almost anywhere in the world. This alone would be a tempting target for digital malfeasance. But smartphones have many other features that sweeten the pot (and serve as other attack vectors). These include (each feature followed by the risks it introduces):
- Cellular/Wifi/Bluetooth communication
  - Man-in-the-middle, Sniffing, Worms
  - Botnet, SPAM relay
- SMS/MMS messaging
  - Unwanted premium message charges
  - Privacy (message snooping/forwarding)
- Location awareness through both GPS and cellular tower triangulation
  - Privacy and personal safety
- Video and voice recording
- Stored contact information
  - Privacy and fraud
- Stored credit card information
- E-Commerce abilities
- Application installation
  - Increased malware susceptibility
- Business use
  - Proprietary business information, fraud
Probably the biggest security risk facing smartphones is the same feature that makes them so popular: Portability. Lost or stolen devices can be a goldmine of personal information – especially if passwords are saved for popular mobile services such as Gmail, Facebook, Paypal, etc. In 2011, 35% of Canadian smartphone owners used their devices for online banking.
To combat this a timeout password should always be used on a mobile device. A keypad lock that shuffles the position of the keys is recommended for touchscreen phones because it eliminates any fingerprint clues. Facial recognition and other advanced authentication techniques are becoming more common out-of-the-box as manufacturers recognize this risk.
Device locks will only defeat a casual snoop however. Encryption is the next step to securing your portable personal information dump. Full device encryption is only starting to come of age in the mobile environment. But there are numerous piecemeal solutions available as apps for all major platforms. These apps can protect your text message history, photos, etc. against anyone who doesn’t have unlimited access to a supercomputer.
Smartphones carry not only the owner’s personal information, but also information about dozens or possibly even hundreds of other individuals. This can include phone numbers, addresses, birthdays, email addresses, employer information and more. Basically a detailed list of future fraud or identity theft victims. Imagine all of your friends being spammed to death (best case) after you lose your phone and your contact list gets posted online. And as SMS spam and fraud become more popular (more on this later), “mobile” contact information becomes more valuable on the black market.
A security risk totally unique to smartphones involves their location awareness capability using GPS or cellular triangulation. This, combined with an online app, can reveal a person’s meatspace location (knowingly or not) to any number of possible evildoers. In 2010 a Vancouver man was charged with the sexual assault of a minor after having met the victim using the popular GPS enabled dating app Grindr.
Beyond these physical security risks, smartphones are also susceptible to the usual gamut of malware. There are mobile rootkits. There are mobile worms. There are mobile botnets. There is mutating malware designed to avoid mobile antivirus detection. In a few short years, mobile malware writers have covered decades of PC malware history.
Smartphone Malware Timeline:
- 1993 – First smartphone – IBM Simon (way ahead of its time – it had no physical buttons and featured the ability to fax touchscreen drawings or handwriting!)
- 2000 – First modern smartphone – Ericsson R380 (Symbian OS)
- 2004 – First Bluetooth worm – Cabir
- 2004 – First mobile malware with financial motive (Premium SMS) – Qdial
- 2005 – First contact harvesting malware (built on Cabir) – Pbstealer
- 2005 – First MMS worm – Commwarrior-A
- 2011 – First mutating malware
- 2011 – First mobile botnet
As security vulnerabilities are discovered in mobile OSs, manufacturers release software updates, much like the desktop OS security model. But mobile hardware and software have a much shorter shelf life than traditional computers; therefore, many smartphone customers find themselves owning hardware that is perfectly adequate for their personal needs, but can’t be updated to the latest, most secure software because their hardware specifications are not capable of supporting these updates.
Additionally, the above situation is only relevant if the user is savvy enough to actually do the updates. Another weakness of the smartphone platform is the novice/naïve user base. That is partially reflected by these findings by Kaspersky Labs in June 2011:
- 84% of those surveyed protect PCs with antivirus software
- 10% protect their smartphones with antivirus and only 37% had even considered it
A similar survey by Juniper Networks found 15% of respondents used AV, and 20% of those had found malware on their phones. Is this lower than the overall average? Are users who are savvy enough to use AV savvy enough to avoid infection in the first place? SANS claims the worldwide PC malware infection rate is about 8%.
To achieve such a compact size and long battery cycle, smartphones usually “toe the line” in regard to hardware provisioning, and antivirus software is a notorious memory and processor hog. Even as a background operation, its use can unbearably impact user experience. This is precisely why I am one of the 85 – 90% of people who don’t use AV software! So in trade for a few extra CPU cycles I must be wary of any potential threats and be vigilant with my phone bills.
Show Me The Money!
Long gone are the days when malware was written for fun or as a personal challenge. Today’s malware is almost always financially motivated. Consequently, smartphones can be leveraged in several unique ways for fraudulent gain.
Premium Text Messages
Smartphone owners can be targeted by both incoming and outgoing “premium” text message scams.
A Google search quickly reveals numerous customers complaining about ongoing trouble with their cellular providers over unwanted incoming text messages carrying a $5 – $10 fee. The cellular companies’ position is usually that the responsibility for these charges falls on the customer, as they are not able to distinguish between wanted and unwanted messages (some premium text messaging services – daily horoscopes, stock quotes, etc. – are legitimate).
These text messages are sent en masse by computers, so once your number has been compromised, you have little recourse beyond complaining to your cellular provider. This scam requires no malware or trickery beyond obtaining the victim’s cellphone number.
Smartphone malware has also been discovered sending outgoing premium text messages. These charges can be legitimate too – charity donations by text message, reality TV voting, etc. A team from UC Berkeley found that over half the malware they studied (from 2009 to 2011) was engineered to send premium text messages. iOS has an advantage here over Android and Symbian as it requires manual user authorization before an application can send a text message.
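Because an Android app is granted SEND_SMS once at install time and is not prompted per message, one defensive check is to audit what an app asks for before installing it. The following is an added example, not code from the original article: it parses a constructed AndroidManifest.xml and reports the SMS-related permissions the app declares.

```python
"""Flag Android apps that request SMS-related permissions.

Added example (not from the original article). It parses an
AndroidManifest.xml and lists the SMS permissions an app declares, since
an app holding SEND_SMS can message premium short codes without any
per-message prompt to the user.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app send, read or intercept text messages.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS, including to premium short codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (e.g. confirmation replies)",
    "android.permission.READ_SMS": "can read stored SMS history",
    "android.permission.WRITE_SMS": "can modify or delete stored SMS",
}

# Constructed sample manifest: a "wallpaper" app that asks for SMS access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Free Wallpapers"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the permission names a manifest requests, in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.findall("uses-permission")]


def sms_findings(manifest_xml):
    """Map each SMS-related permission the app requests to a short risk note."""
    perms = declared_permissions(manifest_xml)
    return {p: SMS_PERMISSIONS[p] for p in perms if p in SMS_PERMISSIONS}


if __name__ == "__main__":
    # A wallpaper app has no business sending or intercepting SMS.
    for perm, note in sms_findings(SAMPLE_MANIFEST).items():
        print("%s: %s" % (perm, note))
```

On a real device the manifest is inside the APK (a zip file) in binary XML form, so it must be decoded with a tool such as aapt or apktool before this check can be run on it.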
Increasingly, smartphones are being used for e-commerce. Purchases from mobile platforms totalled over $3 billion in 2010 in the US alone. There are various ways to pay for items from a mobile – and all of them are targets for fraud. Application security is recognized as being necessary to protect payment information (usernames, passwords, credit card numbers, etc.) but this is not widely enforced.
Android is particularly vulnerable to rogue apps as there is no restriction (beyond a check box in the OS) to installing apps from any source or developer. This is seen as a positive feature by many. But it greatly increases malware risk versus a single distribution source (a la Apple). Both Google and Apple actively scan all officially hosted apps for malware signatures. iOS malware typically will only affect “jailbroken” devices – although a security researcher was able to successfully submit malware to the iTunes Store.
These facts are as obvious to an infosec professional as they are to any online fraudster. So we now find ourselves in another malware arms race. The black hats have most certainly learned their lessons from the PC era… has anyone else?
Mobile architecture is much more secure than the OSs of old. Chris DiBona – Open Source Programs Manager at Google, husband, and dad – (in)famously expounded on this topic in November, 2011:
“No major cell phone has a ‘virus’ problem in the traditional sense that Windows and some Mac machines have seen… There have been some little things, but they haven’t gotten very far due to the user sandboxing models and the nature of the underlying kernels…
The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn’t ‘Independence Day’, a virus that might work on one device won’t magically spread to the other…
Antivirus companies are playing on your fears to try to sell you BS protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for Android, RIM or IOS you should be ashamed of yourself.”
Strong words from a credible source. While Mr. DiBona’s credentials are certainly impressive, it is hard to reconcile his statements with the obviously increasing frequency and severity of mobile malware incidents.
2012 looks to be an interesting year in the mobile technology arena. Tablets are gaining a lot of momentum both as personal and business devices. People all over the world are connecting and communicating through their mobile devices (often exclusively) more and more. New laws pertaining to cellphone and location monitoring are in motion in many countries.
An infosec axiom: there is an inverse relationship between security and convenience. 1234 is a very convenient password. But not very secure – few online services would even allow such a password these days. Being connected to your friends, family, job, etc. through your smartphone is also very convenient. But with that convenience comes risk. Having made it all the way through this article means you have mitigated one of the biggest risks (also the one most exploited by malware and fraud) – ignorance. Knowing is half the battle!
Steve Overland is an IT Manager and aspiring Infosec Guru from Vancouver, BC. He is a CISSP and has a degree in International Relations from The University of British Columbia. He has been installing drivers since the days of Space Quest.