Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/15/2008
04:48 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Cell Phone New Cybercrime Frontline

Whether it's your iPhone, Windows Mobile device, Android, or BlackBerry -- you're probably using your smartphone more like a computer more and more. That's great, but the more your phone acts like a PC -- the more likely all of the problems associated with PCs will follow, researchers said today. Should you care?

Whether it's your iPhone, Windows Mobile device, Android, or BlackBerry -- you're probably using your smartphone more like a computer more and more. That's great, but the more your phone acts like a PC -- the more likely all of the problems associated with PCs will follow, researchers said today. Should you care?We've been warning about the security of mobile devices for years, and years, and years. I've written so many stories about the security risks of mobile phones that I'm starting to feel like Chicken Little. So far, we've not seen a major virus or malware event. That doesn't mean it's not going to happen. The infamous Morris worm hit in 1988 -- and we didn't see a similar event at any time in the 1990s. Viruses were a problem, but they didn't become a really big humungo problem until the LoveBug overloaded e-mail servers in the spring of 2000.

These things don't always happen when we first expect them. But we can see the trend lines: more criminals are turning to cybercrime to steal, snoop, and destroy; and smartphones are growing exponentially in processing and storage power. We're also starting to see smartphones with more open, generative platforms, such as Google's Android.

It's a safe bet to predict these two trend lines will cross, and criminals will turn to mobile phones to conduct all of the types of crimes they do on PCs and the Internet today. Predicting exactly when this will happen: not so easy.

Researchers contributing to Georgia Tech's Emerging Cyber Threats Report for 2009: Data, Mobility, and Questions of Responsibility Will Drive Cyber Threats in 2009 And Beyond, see the risks.

The comments below, from the report, are from Patrick Traynor assistant professor at the School of Computer Science at Georgia Tech:

According to Traynor, "malware will be injected onto cell phones to turn them into bots. Large cellular botnets could then be used to perpetrate a DoS attack against the core of the cellular network. But because the mobile communications field is evolving so quickly, it presents a unique opportunity to design security properly -- an opportunity we missed with the PC."

Traynor pointed out that most people buy a new mobile device every two years -- a much shorter life cycle than the typical PC and Windows installation, which is closer to 10 years.

"The short life cycle of mobile devices gives manufacturers, developers, and the security community an opportunity to learn what works from a security standpoint and apply it to devices and applications more quickly," said Traynor. "However, it is not going to be an easy problem to solve."

Tom Cross, X-Force Researcher with IBM Internet Security Systems, along with Traynor, cites Google's Android -- because of it's openness, it makes it easier for security vendors to build defenses for the device. On that, I agree. However, it also makes it much easier for malware authors, as well. Which means we'll be in the same PC security arms race we've experienced for more than 20 years now.

The ultimate solution is what both Traynor and Cross stated in their closing thought: a layered approach to security on mobile devices that encompasses carriers, manufacturers, and application developers.

That type of industry security synergy is exactly the best shot we have at ensuring smart phones don't become the battleground we're now fighting on PCs and corporate networks.

It's also expensive and difficult to get all of these constituents to work so closely together.

It may happen. But my prediction is that it's going to take a significantly enough nasty event for the industry to come together that tightly over security concerns.

Check out the Georgia Tech's Emerging Cyber Threats Report for 2009, available here.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8344
PUBLISHED: 2020-09-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-8347
PUBLISHED: 2020-09-24
A reflective cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's browser if a crafted url is visited, possibly through phishing.
CVE-2020-8348
PUBLISHED: 2020-09-24
A DOM-based cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's current browser session if a crafted url is visited, possibly through phishing.
CVE-2020-15850
PUBLISHED: 2020-09-24
Insecure permissions in Nakivo Backup & Replication Director version 9.4.0.r43656 on Linux allow local users to access the Nakivo Director web interface and gain root privileges. This occurs because the database containing the users of the web application and the password-recovery secret value i...
CVE-2020-15851
PUBLISHED: 2020-09-24
Lack of access control in Nakivo Backup & Replication Transporter version 9.4.0.r43656 allows remote users to access unencrypted backup repositories and the Nakivo Controller configuration via a network accessible transporter service. It is also possible to create or delete backup repositories.