Rob Buckley – Freelance Journalist and Editor

Facing up to the mobile revolution

Whether companies are actively encouraging their employees to work on the move, or staff are simply using personal mobile devices of their own accord, security professionals face a major new headache in protecting their organisations from threats, writes Rob Buckley.

"This involves the tricky subject of trust. How many of us will happily use our contactless cards to buy something from a roaming merchant with a mobile phone? Education and trust may be more of an issue than technology here," says Allen.

However, John Arnold, chief security architect at Capgemini UK, says NFC is vulnerable to network attacks such as eavesdropping, jamming and man-in-the-middle attacks. "The protection offered by the Bluetooth pairing system is not included in the NFC standards. There is no reason why an NFC app for an iPhone cannot be made secure, but developers may be tempted to take shortcuts. From the end-user's point of view, there is a big difference in the risk posed by losing a £10 Oyster Card and an NFC iPhone app that may have access to an enormous amount of personal data."

The rise of mobile malware

Mobile malware finally came of age in March when Google removed 50 free apps from its marketplace after they were discovered to be carrying malicious code. An estimated 20,000 to 500,000 users could have downloaded the infected apps, most of which were pirated versions of legitimate Android apps and contained a piece of malware called DroidDream.

DroidDream wasn't the first piece of mobile malware, but it was the first serious infection. The creators of the Zeus Trojan have also begun targeting mobiles, with Zitmo (Zeus in the mobile) able to intercept SMS messages from banks to BlackBerrys. KPMG's Dimitri Yates argues that until recently, there has been little incentive for criminals to target handsets. "They didn't contain much data, they weren't very powerful and there were such a variety of platforms, so it was hard to target them," he says. Consolidation in the industry, as well as more powerful handsets, however, might cause criminals to reconsider.

Malware is likely to be a different beast on mobile because, unlike with viruses, it is in the interest of criminals to stay unnoticed. Malware apps that send text and phone messages to premium-rate numbers at 2am every Thursday can raise a lot more in the long term than a Trojan that makes its presence known instantly. Corporate-issued handsets may be a bigger problem than consumer devices, since employees rarely get to see their bills and spot texts and calls they didn't make.

Until the Google outbreak, mobile malware was largely nothing more than 'proofs of concept', particularly on the iPhone. Apple's insistence that all apps be downloaded from its App Store, together with built-in security measures, means that outside of 'jailbroken' iPhones (whose owners have circumvented their security measures), malware has been non-existent.

"There has been mobile malware for almost as long as it's been talked about, and some of the fairly recent attacks have had botnet capabilities. However, the difference is that individual threats tend not to have the same impact of a fast-spreading worm or PC virus," says David Harley, senior research fellow at anti-virus software provider ESET. "It seems that attacks such as phishing and smishing on smartphones are more widespread and more consistently successful, and they attract the most attention from cyber criminals," he adds. "Smartphone operating systems that implement tight controls such as application whitelisting and restricting the user's ability to compromise his own device are far less vulnerable to direct malware attacks."
