Users have long believed that their mobile devices were free from the threat of Trojans or botnets, but new research from the Georgia Institute of Technology warns that this could soon change. In fact, the first wave of mobile security threats is already here.
"We're trying to be forward looking in this report," said Patrick Traynor, assistant professor at Georgia Tech's School of Computer Science and a co-author of the report, entitled "Emerging Cyber Threats Report for 2009." Although the threat is not quite imminent, Traynor said, a proactive stance by both industry and government could mitigate the danger going forward.
Already two of the newest mobile platforms, Apple's iPhone and Google's Android, have exposed flaws, both of which resemble some of the most popular desktop attacks. They are both browser-based exploits, which Traynor said leaves both corporate and personal users vulnerable.
"The browser has been the way to take control of the desktop," he said. As platforms consolidate and become more standardized, and as phone browsers become more complex, that same avenue will have a greater reach and greater reward for malicious hackers focused on mobile devices. Already, he estimated, there are 100,000 mobile virus incidents a day. Many viruses hop on Bluetooth or wireless data connections to propagate and, in contrast with computers, users generally turn to their service provider first when looking for a fix.
Although there is little hope of stopping an epidemic of mobile viruses and exploits, Traynor said, there are positive signs for long-term remedies if telecoms, enterprises, manufacturers and end users can work together. And the fast refresh cycle for most mobile devices will offer the industry an advantage never enjoyed by the PC industry.
"One of the exciting pieces of this world is that the average lifetime of a PC is 10 years, but people replace their phones every two to three years," he said. "If solutions don't work, we can try something different … we can try to be revolutionary in this space."
Some of the key challenges the report identified include:
Low device battery life spans mean users invariably must choose between running antivirus and a few more hours of device usage. Traynor said the latter camp generally wins, and always-on antivirus is unlikely to be a good solution for most companies, although mobile antivirus products from companies like F-Secure do exist.
Increasingly sophisticated applications mean more valuable data on devices, both corporate and personal. In the Georgia Tech report, Tom Cross, an X-Force Researcher with IBM, wrote: "Financial motivation and increased adoption will increase attacks to smartphones in the years to come. As more payment infrastructure gets placed on these devices, they will become a more attractive target." Cross said he was surprised that more attacks had not already been made on devices like the iPhone.
Mobile Denial of Service (DoS) attacks could potentially take down whole cells of network coverage if a botnet lies dormant and is then activated.
VoIP and mobile VoIP mean cheaper calling but also leave an open window for attackers to send out thousands of spoof calls, trolling for personal data and bogging down already taxed cellular data networks.