Smartphone Security: Alarming Complacency Among Mobile Users
Most consumers are unaware of the security risks associated with their smartphones.
McAfee released its mobile security report and, as you would expect, it found that mobile devices in general are not adequately secured. I received the report to review earlier this week.
The report is timely given the recent concerns surrounding Carrier IQ, a rootkit-like product installed on many smartphones, which secretly tracks and reports all user activity including keystrokes (directions on how to find and remove it can be found here). As many have warned over the last year, Android is specifically called out as being excessively vulnerable, which is consistent with the positions that many IT managers have taken to block Android this year. Much of the exposure is tied to decisions made in hardware, software and app store design and, as a result, most of it is out of your control.
Let's cover some of the highlights.
The report covers a number of exposures that would uniquely impact mobile devices used in military, government or law enforcement as part of a multi-front attack by terrorists or a hostile state. These include corrupting the firmware on batteries so that the batteries run down at a massively accelerated rate, disabling the mobile device and making communication impossible. Malware was identified that could either remain dormant or run at very low power while waiting for a command to execute, making it very difficult to detect until it is activated as part of a coordinated attack.
Given the poor security, particularly on Android-based devices, McAfee creates a scenario that suggests these devices could be effectively used as a virtual fifth column working inside the state to destroy it.
The report points out that much of the existing discovered malware is specifically targeted at making money. Compromised phones were identified that automatically call or text expensive destinations, often in parts of the world (Eastern Europe) that appear to allow this behavior, which makes law enforcement and recovery very difficult.
One of the newly identified financial threats uses near field communication (NFC), which is increasingly being deployed so that phones can be used like credit cards, to strip digital cash from phones. Since NFC is short range, McAfee believes hostile receivers with boosted reception could be used to strip large numbers of phones in places where people congregate, such as shopping centers or transportation hubs.
Unsecure Hardware - PINs Suck
The author takes hardware design to task given that these mobile devices are personal computers that are more capable than the PCs we had a decade ago. He points out that many users don't even use PINs to secure their phones, and the PINs that are used aren't secure enough given that they can be easily observed and because users have a habit of using trivial PINs (e.g. 1234).
The report spends time looking at what wonderful new exposures are in the coming hardware for mobile devices. Products are already in market with two processing cores, and up to five cores will be in market by year end. Malware can seize a core and dedicate it to doing harm, isolated from the rest of the device and largely undetectable. Virtual machines, which are enabled by these more powerful systems, can fool the operating system into thinking it is talking to the hardware when it is actually being virtualized. This allows the malware to operate below the operating system and remain undetectable to it.
The report highlights a type of phishing attack that could be incredibly damaging and really isn't tied only to mobile devices: the trend of fooling executives into giving up their high-access credentials, which could be used for everything from industrial espionage to insider trading. It is likely time to consider a policy of regularly training executives to avoid this kind of attack before it turns into the latest scandal.
Wrapping Up: Android
One thing you really get from this report is that Android is unacceptably unsafe. While there are clearly exposures on the other platforms, McAfee believes that Android is excessively exposed and, due to its popularity, it is also the most targeted. One interesting fact is that Android malware is becoming so prominent that it is actually being picked up by Windows security products as it passes through PC downloads and onto Android devices.
In short, it appears much of this report is aimed at Google, suggesting that it fix its platform. Reminds me of reports a decade ago that seemed to say the same thing about Microsoft. Hmmm ... Google becoming like Microsoft - where have I heard that before? Oh right.