
The mobile phone, its (lack of) security, and the future

Over the last few days there have been at least three major security reports:

All three are worth reading – but I’m going to cherry-pick from them in order to justify my own preconceptions about the future of mobile security. But first I must ask you to accept a personal observation: the majority of mobile phone users do not recognise a need for security, and currently have little or no security.

We’ll start with the future direction of threat suggested by McAfee/SAIC:

The targets for the underground economy have shifted significantly in the last couple of years. While it remains a profitable enterprise to buy and sell stolen credit cards, lately, intellectual capital has become the new source of large and easy pay-outs.

We don’t really know how long this has been going on, but it came to the fore in early 2010 with Google’s revelation of what became known as Operation Aurora and the advanced persistent threat (APT). IBM concurs with this view: “The single most common threat vector used over the past few years as observed by ERS [IBM’s Emergency Response Services] is spear phishing where an object contains a link to a web page that contains malware.” Spear phishing is the targeting of an individual or small group of people for a specific purpose – such as the theft of intellectual property.
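The link pattern IBM's ERS describes, a message whose link points somewhere other than where it appears to, can be checked mechanically. The Python below is an added example, not code from the post or from any of the three reports: it pulls the anchors out of a constructed sample e-mail, compares each visible link text with its real target host, and flags hosts outside an assumed corporate domain (acme.example, a placeholder).

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not from the post or from the IBM/McAfee/TNS reports.
Two checks are applied to every <a> element:
  1. if the visible text itself looks like a URL, its host must match the
     href host (the classic display/target mismatch);
  2. the href host must sit under an assumed trusted domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one mismatched link, one clean internal
# link, one shortener link whose text is honest but whose host is foreign.
SAMPLE_HTML = """
<p>Hi Dave, the Q2 patent drafts are on the portal:</p>
<a href="http://portal-acme.example.net/login">https://portal.acme.example</a>
<p>and the board pack is here:</p>
<a href="https://intranet.acme.example/board/q2.pdf">board pack</a>
<p>Also see <a href="http://bit.example/x9">http://bit.example/x9</a></p>
"""

TRUSTED_HOSTS = {"acme.example"}  # assumed corporate domain, placeholder


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url_or_domain):
    """Lower-cased hostname of a URL, or of a bare domain without a scheme."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def _is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def looks_like_url(text):
    """Visible text that a reader would take to be an address."""
    return "://" in text or ("." in text and " " not in text
                             and not text.startswith("."))


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means clean."""
    reasons = []
    target = _host(href)
    if looks_like_url(text) and _host(text) != target:
        reasons.append("display/target mismatch: %s vs %s" % (_host(text), target))
    if not _is_trusted(target):
        reasons.append("host outside trusted domain: " + target)
    return reasons


def scan_message(html):
    """All suspicious links in a message as (href, reasons) pairs."""
    findings = []
    for href, text in extract_links(html):
        reasons = classify_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_HTML):
        print(href)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the portal link is reported twice over (the text names the corporate portal while the target is a look-alike domain, and that domain is untrusted), the intranet link passes, and the shortener link is flagged only for its host. On real mail the second check needs a proper allowlist rather than a single domain, and the first is the one that catches the targeted, hand-crafted lure.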

How is this relevant to the mobile market? Well, it isn’t; at least, not yet. However, the IBM report shows the increase in mobile vulnerabilities, with these two graphs showing how matters have escalated over the last year:

[IBM figure 76: Total Mobile Vulnerabilities]

[IBM figure 77: Total Mobile Exploits]

Nevertheless, IBM says these figures should be seen in context. It points out that

First, most of what is considered best practice around securing mobile devices is still not nearly as well defined as it is in the corresponding personal computing space. Second, the underlying platforms themselves are substantially untested and likely contain years of vulnerability discovery ahead of them.

And it further comments that

We aren’t seeing a lot of widespread attack activity targeting these vulnerabilities today, because mobile devices likely do not represent the same kind of financial opportunity that desktop machines do for the sort of individuals who create large Internet botnets. As e-commerce involving mobile phones increases in the future, it may bring with it a greater financial motivation to target phones, and an associated increase in malware attacks. However, mobile devices do represent opportunities for sophisticated, targeted attackers today.

Our conclusion so far, then, is that mobile phones are not yet heavily targeted; but that the potential already exists.

Let’s now apply IBM’s comments to the threats defined by McAfee/SAIC: stolen credit cards (that is, mass identity theft typically delivered as malware and phishing spam via botnets); and intellectual property theft via spear phishing. Neither of these appears to be happening to any great extent in the mobile market; but IBM points to the increasing use of mobile e-commerce as a spur for the former, while the potential for the latter already exists. This is where we turn to the TNS survey, which shows, in particular, that the use of mobile phones for mobile banking (including the e-wallet) and social networking are the main drivers behind the future use of mobile phones.


Strong growth in social networking and mobile banking

Mobile banking and mobile payments will mean an increasing likelihood of account details and passwords being stored on mobile phones. That will attract the criminals seeking to steal credit card details. Social networks are an ideal source of the personal information that can be used for the individual social engineering that lies at the heart of spear phishing. And that will attract the criminals seeking to penetrate corporate networks in order to steal intellectual property. An increasing use of mobile phones for social networking is a given; the only question is how quickly and to what extent banking and payments will migrate to the mobile platform. Well, one technology (not new, but only now taking off) that has the potential to change things very quickly is near field communications (NFC).

NFC is already in use, although not yet widespread in phones, in Barclaycard’s contactless payments. “This allows people who have a Barclaycard to swipe their card across a payment terminal (if the retailer has an appropriate terminal, such as at Prêt a Manger), without entering a PIN for purchases of up to £15,” explained Amali de Alwis, a senior research consultant at TNS. “It is a similar line of technology that will be incorporated into mobile phones to allow people to make payments using their mobile instead of a card.” In other words, the migration of bank cards onto mobile phones is technologically easy via NFC, and already well in hand (as seen by Barclaycard’s presentation at the Barcelona Mobile World Congress last year).


Contactless payment will migrate to the mobile phone

“According to recent press, Apple are looking to incorporate this technology into their iPhones, and additionally Google have teamed up with Citigroup and MasterCard to facilitate these types of services on Google Android phones – buzz is saying within the coming year,” continued Amali.


Amali de Alwis, TNS

“From our Mobile Life study we also have consumers telling us directly that there is a demand for these types of services to be available, and that consumers are already willing to consider the use of their mobiles as an e-wallet/payment device (and in some cases, such as with the use of M-Pesa in Kenya, are already doing so), and we see growth potential here not only as a device for paying for goods in store, but also for services such as bill payments.”

If we put all of these elements together we have a new platform that is not yet fully exploited by the bad guys, but one that offers a mass target that will increasingly hold financial details ripe for identity theft, and personal details ripe for socially engineered intellectual property theft – and yet it remains a platform where security is hardly considered by the user. Unless the security industry and/or the phone manufacturers can rapidly explain the need for, and implement adequate security – that is one hell of a window of opportunity for the bad guys over the next few years. My suspicion is that IBM’s current observation that “we aren’t seeing a lot of widespread attack activity targeting these vulnerabilities today” will change dramatically, very quickly.

  1. April 6, 2011 at 10:38 am

    Absolutely spot on!

    You, my friend, have sensed the tremors of change that will soon break on our shores, here in the UK.

    “Unless the security industry and/or the phone manufacturers can rapidly explain the need for, and implement adequate security – that is one hell of a window of opportunity for the bad guys over the next few years.”

    I couldn’t agree more! Already case studies are emerging concerning the vulnerabilities to unauthorised disclosure amongst smart phones and RFID enabled ‘smart cards’. A British-based company RFID Protect seems interested in compiling many of these developments, and is packaging them into easy to digest PDF downloads. Available without charge, they make for interesting reading at some particular level. You can see the PDFs at my blog, or visit: http://www.rfidprotect.co.uk

    Thanks again for a superb article!
