mobile security

I just found this article (I’ve been out of the loop for most of February) and couldn’t help but write something. If the claims in here are to be believed, we are in the middle of a mobile virus pandemic. There are some very interesting statistics:

The Situation Today
The purpose of the study was to discover to what extent mobile operators are affected by mobile threats. The findings revealed that:

* 83 percent of mobile operators questioned have been hit by mobile device infections
* The number of reported security incidents in 2006 was more than five times as high as in 2005
* The number of mobile operators in Europe and APAC reporting incidents affecting more than 1,000 devices more than doubled in 2006
* 100 percent more operators spent over $200,000 on mobile security in 2006 compared to 2005
* The number of mobile operators estimating that the cost of dealing with mobile threats is more than 1000 hours increased by 700 percent

Good grief! This all looks like pretty hairy stuff. And there’s more…

Nearly one-third (29 percent) of operators stated that subscriber satisfaction had suffered more than any other factor including revenue. The second most serious impact from mobile malware infections was on network performance.

Revenue? Network performance? Switch to DEFCON 1. Get me the president!

Whilst I will agree that mobile devices are becoming more of a target, it doesn’t mean history is going to necessarily repeat itself (with respect to Windows), although that’s not to say MS mobile platforms couldn’t do without a patch or two.

And perhaps McAfee could update their mobile site. Are they really are the only company in the world to have deployed a mobile suite? I think not.

UPDATE: It seems someone at McAfee took heed and their mobile site has been updated.  Original web page text from here.

Powered by Gregarious (41)

I’ve been up to my eyeballs these past few weeks both at work and at home so no time to post. Anyway, I wanted to write a taunt post about Windows Mobile 6 which was announced recently at 3GSM in Barcelona. According to their press release, WM6 contains a host of new security features.

Security options. The platform offers a variety of security options, giving IT departments ways to help secure a device, including new Exchange Server policies and certificate options, storage card encryption, and continued support for remote and local device wipe.

Old habits die hard, so what I want to know is will the old exploits still work (scroll down for descriptions). Or is this a new code base? Sadly, I doubt it. However, besides that, features I do like are remote lock and remote wipe and also built in encryption (bitlocker/EFS technology?) So good on Microsoft for that. Innovate features, too. I guess you could say its Microsoft way of putting consumers back into control of their PC’s (I just love this video!)

Powered by Gregarious (41)

Windows Mobile/PPC is again back in the news. This time, Colin Muilliner demonstrates how to crash a Windows Mobile device by flooding it with MMS messages.

Basically, the phone can be DoS’d by flooding it with over-sized MMS messages. Colin has posted the exploit code here. This is great for attackers since Windows Mobile accepts all notifications sent via WLAN broadcast addresses. So next time you’re in a cafe and your inbox starts filling up in a mucho-rapido fashion, you’ll know what’s up.

Powered by Gregarious (41)

Whilst analysts in Gartner and McAfee are busy looking into their crystal balls to find where attacks will focus in the following year, I noticed two very interesting articles (here and here) on the Symi Weblog. In my opinion they raise some very interesting questions that have not been commented on, and are ones which I think are highly valid.Ollie Whitehouse has pointed out on a number of occasions that Microsoft’s sharing of code between traditional desktop Windows and it’s mobile counterparts is a risky business, and one that could set the software giant up for a continuation of it’s Patch Tuesdays and Zero Day Wednesdays.

His argument is based around the fact that whilst Microsoft are continuously patching the desktop incarnations of Window’s, the mobile side which is using a lot of the same code is going un-patched.

This leaves open a lot of unanswered questions.

Whilst Windows Mobile is not the most popular Smartphone OS, it is increasing in popularity. And as smartphone’s proliferate, so will the attention level of hackers and malicious code writers interest in a given OS.

So is Windows Mobile/BC/Pocket PC edition following in the footsteps of it’s predecessors? With regards mobile threats, are we at the stage today with the mobile devices like we were in the early nineties with Windows 3.0/3.1? Is this code reuse and lack of patching going to cause problems further down the line?

Could this be a case of those who do not learn from history are doomed to repeat it.

And whilst in recent years Microsoft has started to take security a lot more seriously, is there enough focus on the mobile side?

Powered by Gregarious (41)

An article posted in the The Register last week just caught my attention. It was quoting Paul Miller, head of Symantec’s Mobile and Wireless Security Group. In this article were a lot of statements which I disgree with. On this blog I try as best as I can to remain impartial and not promote or bash any one vendor more or less than any other, but in this case I can’t help but feel that what I read amounts to little more than a modifed version of what I read one year ago in a Gartner Report.

This same Gartner report is quoting the same threats will increase which is exactly the same thing that it said last year. Whilst I don’t want to quote Paul Miller out of context, I find statements such as this highly controversial:

“Plus, operating systems on mobile phones lag those on PCs by six years - and hackers attack the weakest link. “

Six years? Weakest link? What mobile device does he use? And from which vendor? I don’t think he could be further from the truth. For example, I would say that Microsoft could learn a lot from Nokia with regards the security features in the new S60 3rd Edition operating system. Where are the patch Tuesdays and Zero Day Wednesday’s for Symbian? After all, the article went on to say:

Mobile phones will out-ship PCs by five to one this year, and are far more likely to be lost or stolen, according to statistics quoted by Symantec.

Miller continues:

But any computer attached to a network needs AV, and a smartphone is a computer and that IT staff need to target perhaps the top 5% of their users for additional defensive software such as firewalls and encryption, because they will be the senior execs and salespeople who keep critical business data on their phones.

This statement on the other hand is absolutely justified, and 5% might even be a little conservative. The threat of Flexispy as a tool for industrial espionage is very real, but statistically, you have a higher chance of misplacing or even loosing your phone so I would put mobile encryption higher in the ‘must have’ list.

So is the picture as bad as mobile AV and PF vendors would have you believe? I don’t think so. They love to focus on Flexispy as it is perhaps the best example of any application that has emerged this year that can justify why a mobile AV&PF should be installed onto your smartphone. However, one critical factor has been overlooked in all of this: User education. With smart phones the only way to get infected is if the user clicks ‘yes’ to install something e.g. over bluetooth (yes, there are other ways to install software), but in general it’s down to the user. And we are starting to see implementation of content signed software. When this becomes more mainstream, how far will bluetooth propagating crimeware really get people if the application is unable to talk to the network?

So lets see where we are at the end of 2007 with regards mobile security trends. More of the same? I know where I’ll put my money…

Powered by Gregarious (41)