Smart Phone Attacks: Here and Now
CSO Senior Editor Bill Brenner warns that the ubiquitous nature of BlackBerry, iPhone and other smart phones means once-theoretical threats are now a clear and present danger.
By Bill Brenner, Senior Editor
March 24, 2010 — CSO —
When security vendors used to pitch articles on smart phone malware, my blood ran cold.
The first such story I wrote, in 2004, was about a proof-of-concept virus that could infect smart phones used by a super minority of people. Each year on, I did the occasional interview about smart phone threats and the message was usually the same: Attacks targeting phones were still a way off, but security pros need to start thinking about countermeasures. (See Mikko Hypponen's predictions from late 2008 as another example.)
Funny thing about threats that are a couple years away: Nobody really wants to think about what they'd do about them because they have plenty of clear and present dangers to deal with on desktops, laptops and all the other elements that encompass a traditional enterprise network. The thought of new defenses comes only after the once-theoretical attack has hit the proverbial fan and landed right on top of some poor IT shop that's caught unprepared.
Even when the iPhone came out a couple years ago, the conventional wisdom was that attacks remained in the distant future, because there were still too few users for the bad guys to waste their time.
That was then. Today's a different story.
Just about everyone has a smart phone now. Most have a BlackBerry or an iPhone. More have purchased the Android and a few other types. Users now visit all the same dangerous Internet destinations they visit on their home computers and laptops. They trade files and open e-mail attachments that may be infected. They can be scammed out of their sensitive information, like credit-card and Social Security numbers.
With all this happening, the bad guys now have reason to shift their attention and create new flavors of mobile malware. With so many of these devices hooked to company networks for access to e-mail and other programs, attacks on the phones can now be used to penetrate larger company systems.
In other words, it's time for IT security practitioners to start paying attention and making plans.
There's already plenty of evidence that trouble is afoot.
At the ShmooCon security conference in Washington, D.C. a couple months ago, Trevor Hawthorn, founder and managing principal at Stratum Security, ran attendees through a series of specific weaknesses that could be used against iPhone users. He discussed security holes (since fixed) found in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device. Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store.