To a great extent, the cellular world has avoided the depth of the security problems faced by the desktop world. The well-documented reasons include the existence of low-hanging fruit in the wired world, the dearth (at least until recently) of valuable data on mobile devices, and the absence of the type of operating system "monoculture" that makes Microsoft such an inviting desktop target.
That isn't to say that there are no security issues for the cellular world, especially as smartphones take over. At the BlackHat Conference this week in Las Vegas, researchers Luis Miras and Zane Lackey reported that it is possible to bypass "anti-spoofing" technology used by GSM operators and trick subscribers into believing SMS messages are coming from 611, the number that operators use to communicate with their customers.
The demonstration, as reported by InformationWeek, showed how the ruse can lead iPhone subscribers to provide sensitive data such as Social Security numbers and passwords. A variation on the trickery can lead iPhone users to execute over-the-air updates that assign control of the device to the attackers. The piece points out that only GSM carriers (T-Mobile and AT&T in the U.S.) are susceptible to the hack. That should be scant comfort for the other carriers, who, no doubt, are likely targets in the near future.
Miras and Lackey are not the only experts to pay attention to the problem. Forbes reports that another BlackHat presentation, by Charlie Miller (who, according to MX Logic, had tipped his hand at a conference earlier this month in Singapore) and Collin Mulliner, found a number of SMS-based flaws in different smartphone OSes. Miller, the co-author of The Mac Hacker's Handbook, said in the Singapore talk that he was able to crash an iPhone using a flaw in how it receives text messages. The damage he and Mulliner outlined in Vegas is far more serious.
The security community is concerned about SMS. Earlier this month, a blogger at Mobile Messaging 2.0 made the point that the tie between the carrier and the mobile phone, SMS, is a weak link. He says that current approaches are too basic and not commensurate with the value and sophistication of the devices that they are connecting.
Clearly, SMS is a weak link in the world of smartphone security. It seems that security experts are savvier in how they handle problems now than in the past. Let's hope that the communication enables these SMS problems to be handled efficiently.