mobile security

I just found this article (I’ve been out of the loop for most of February) and couldn’t help but write something. If the claims in here are to be believed, we are in the middle of a mobile virus pandemic. There are some very interesting statistics:

The Situation Today
The purpose of the study was to discover to what extent mobile operators are affected by mobile threats. The findings revealed that:

* 83 percent of mobile operators questioned have been hit by mobile device infections
* The number of reported security incidents in 2006 was more than five times as high as in 2005
* The number of mobile operators in Europe and APAC reporting incidents affecting more than 1,000 devices more than doubled in 2006
* 100 percent more operators spent over $200,000 on mobile security in 2006 compared to 2005
* The number of mobile operators estimating that the cost of dealing with mobile threats is more than 1000 hours increased by 700 percent

Good grief! This all looks like pretty hairy stuff. And there’s more…

Nearly one-third (29 percent) of operators stated that subscriber satisfaction had suffered more than any other factor including revenue. The second most serious impact from mobile malware infections was on network performance.

Revenue? Network performance? Switch to DEFCON 1. Get me the president!

Whilst I will agree that mobile devices are becoming more of a target, it doesn’t mean history is going to necessarily repeat itself (with respect to Windows), although that’s not to say MS mobile platforms couldn’t do without a patch or two.

And perhaps McAfee could update their mobile site. Are they really are the only company in the world to have deployed a mobile suite? I think not.

UPDATE: It seems someone at McAfee took heed and their mobile site has been updated.  Original web page text from here.

Powered by Gregarious (41)

I’ve noticed a few people have been in search of bluetooth security tips so I felt compelled to write a quick guide on ways in which you can minimise your exposure to mobile malware. Of course the best way to secure your bluetooth device is to just disable bluetooth itself, but in cases where this not possible I recommend you follow these simple steps:

1. Set Bluetooth Name To Hidden. From your bluetooth preferences, switch your bluetooth visibility to ‘hidden’. In most common cases this stops your phone from being discovered when scans for bluetooth devices are made. The downside of this is you need to enable discoverable mode when someone legitimately wants to send you something then disable discoverable mode once you’ve finished.

2. Secure Paring. When paring any bluetooth device, it should be carried out in a secure area (think top floor of a deserted parking lot at 2am!) Paring in public areas should be avoided. This is because when paring takes place, the two devices generate a shared key which then used for all subsequant communication. If somone can sniff that shared key, it is possible they too could pair with your deivce.

3. Choose a strong PIN. PIN lengths should be a minumum of 16 characters. In order to further strengthen the PIN, upper and lower case characters should be used (if possible) and also numbers. If it is not possible to use alphabetic characters and you are stuck to using numbers only, you should never use less than 12 digits – and that is an absolute minimum!

4. Unsolicited Connection Requests. Under no circimstances should you accept unsolicited connection requests. Mobile malware that propogates over bluetooth exhibits itself by making persistent repeated prompts until the person accepts the connection request. In some cases, the phone is unusable until such times as a) the infecting phone has moved out of BT range or b) the owner of the recieving phone has accepted the connection request and subsequantly accepted all the installation prompts. The problem with the latter is that even if you accept all and install all, once the malware is installed, your phone will still be prompted as common malware broadcasts to all devices that are in range.

Attackers almost always go for the weakest link. Following these steps will help them focus their attention on other people’s devices and not yours.

Closing thought: Like malware on PC’s, what is it with humans that makes the yes button so much more attractive than the no button?

Powered by Gregarious (41)

I’ve been up to my eyeballs these past few weeks both at work and at home so no time to post. Anyway, I wanted to write a taunt post about Windows Mobile 6 which was announced recently at 3GSM in Barcelona. According to their press release, WM6 contains a host of new security features.

Security options. The platform offers a variety of security options, giving IT departments ways to help secure a device, including new Exchange Server policies and certificate options, storage card encryption, and continued support for remote and local device wipe.

Old habits die hard, so what I want to know is will the old exploits still work (scroll down for descriptions). Or is this a new code base? Sadly, I doubt it. However, besides that, features I do like are remote lock and remote wipe and also built in encryption (bitlocker/EFS technology?) So good on Microsoft for that. Innovate features, too. I guess you could say its Microsoft way of putting consumers back into control of their PC’s (I just love this video!)

Powered by Gregarious (41)

Windows Mobile/PPC is again back in the news. This time, Colin Muilliner demonstrates how to crash a Windows Mobile device by flooding it with MMS messages.

Basically, the phone can be DoS’d by flooding it with over-sized MMS messages. Colin has posted the exploit code here. This is great for attackers since Windows Mobile accepts all notifications sent via WLAN broadcast addresses. So next time you’re in a cafe and your inbox starts filling up in a mucho-rapido fashion, you’ll know what’s up.

Powered by Gregarious (41)

Whilst analysts in Gartner and McAfee are busy looking into their crystal balls to find where attacks will focus in the following year, I noticed two very interesting articles (here and here) on the Symi Weblog. In my opinion they raise some very interesting questions that have not been commented on, and are ones which I think are highly valid.Ollie Whitehouse has pointed out on a number of occasions that Microsoft’s sharing of code between traditional desktop Windows and it’s mobile counterparts is a risky business, and one that could set the software giant up for a continuation of it’s Patch Tuesdays and Zero Day Wednesdays.

His argument is based around the fact that whilst Microsoft are continuously patching the desktop incarnations of Window’s, the mobile side which is using a lot of the same code is going un-patched.

This leaves open a lot of unanswered questions.

Whilst Windows Mobile is not the most popular Smartphone OS, it is increasing in popularity. And as smartphone’s proliferate, so will the attention level of hackers and malicious code writers interest in a given OS.

So is Windows Mobile/BC/Pocket PC edition following in the footsteps of it’s predecessors? With regards mobile threats, are we at the stage today with the mobile devices like we were in the early nineties with Windows 3.0/3.1? Is this code reuse and lack of patching going to cause problems further down the line?

Could this be a case of those who do not learn from history are doomed to repeat it.

And whilst in recent years Microsoft has started to take security a lot more seriously, is there enough focus on the mobile side?

Powered by Gregarious (41)