by Deb Radcliff

Part 1  |  Part 2  |  Part  3

Smart devices have become the latest attack vector for online criminals, putting intellectual property, regulated and personal financial information stored on them at risk. In this first of a three-part article, author Deb Radcliff explores these new attack vectors into the enterprise.

Dozens of viruses, worms, and Trojans have been written against smart phones and pocket PCs since 2004. And even though most of these are proof-of-concept and nuisance malware, experts are warning of more serious crimes to come.

More criminal elements are already stealing identities and other personal and private information of value in countries where Symbian-based mobile phones are being used as money, in business collaboration, and in other valuable e-commerce applications, says Danny de Temmerman, head of cybercrime and security for the European Commission's Directorate General for Justice, Freedom, and Security. While speaking on a cybercrime panel at the RSA Security Conference in February, he also said that crimes over cellular phones have now become a top law enforcement priority in Europe.

"We're seeing fraud, phishing, spam, spyware, and adware all over these smart phones in countries where phones hold information that could be monetized," adds Vincent Weafer, director of operations at Symantec's Security Response Center, which sifts millions of spam messages per day through its global content scanning systems. "And in India, they're real concerned about pedophiles getting to their kids through their smart devices."

Even in the U.S., today's smart phone malware poses more than just a nuisance. For example, there are real costs to enterprises that issue smart, and feature-rich devices being targeted by malware. For example, skyrocketing phone bills when Mosquitos malware enter company-issued smart devices through games and start messaging expensive toll numbers. Other malware, such as the RedBrowser Trojan, repetitively ring up $5 - $6 SMS calls. And Commwarrior blasts millions of MMS text-based spam messages, also wracking up huge telecommunications bills.

Indirect costs also abound. Consider the lost revenues when productive road warriors lose their customer data and contact lists because a worm turned their phones into useless "bricks". Such worms can already kill reboot (Fontal.A), crash the operating system (Locknut), and drop the operating system and other critical applications altogether (Skulls). There's also the cost of cleaning up the network when an infected smart phone synchs to a PC or connects to the network through the VPN.

Fortunately, there's also more security around U.S.-based smart phones, particularly in closed carrier networks where phones are issued and maintained by the network operators. But there's much room for improvement, particularly in developing standards around device authentication, application integrity, and data protection on the handset. And, as with PCs, users -- including the enterprise customers -- must do their part to avoid malware, spam, and fraudsters in the first place.

A Safer Gateway

Ask Verizon Wireless, and you'll get an earful about how the risks are blown out of proportion by vendors wanting to sell security on the handset. It's all in the network, says Jeffrey Nelson, Verizon Wireless Spokesman, echoing Verizon's marketing message.

His biggest beef with such dire portrayal of crimes to come to the U.S., he says, is that carrier networks have more control over their phones than they do in the U.S., where most phones are sold through closed-carrier networks, meaning carriers sell the phone and the service bundled together. This way, network operators can control the phones and the applications allowed on them.

"There's a huge difference in risk between the U.S. and Europe and Asia," Nelson adds. "In the United States, people buy wireless service from a company, while in Europe and Asia, you buy a phone you like, and then get service for it, then buy a carrier service. Then you slip in a SIM card, and walk into this dangerous, unprotected world."

With more control, carriers can lock down vulnerable applications like Bluetooth and manage downloads somewhat by, at the very least, working off a whitelist of approved vendors, and denying the rest.

In addition, any carrier network worth its salt is already filtering out malicious code and unwanted spam entering through their messaging and e-mail gateways, he continues. They should also be filtering content from loading directly off the Internet. For example, Nortel Networks is using Websense to block damaging and unwanted content from getting onto browsers from malicious Web sites.

There are other reasons we've not seen as much malicious activity in the U.S. as we have overseas, say experts. For starters, the U.S. has been slow to standardize on a single operating system; whereas Europe, Asia, and other heavy-use regions have standardized on Symbian. So, by defaut, Symbian has become the operating system to attack, says Thomas Longstaff, deputy director of technology, Network Systems Survivability for Carnegie Mellon's Software Engineering Institute.

Another reason is slower adoption of smart O/S-, and browser-enabled phones in the U.S., which currently make up12 percent of North America's cellular phone user base, according to the Yankee Group. But, by 2009, that number will rise to 46 percent. And, 87 percent of all U.S. cellular phones in circulation are already feature rich, according to Yankee. Where there are new features, there are also new vulnerabilities.

--

Deb Radcliff is an award-winning freelance writer, educator and speaker based in Northern California. She's been covering online crime and security ever since working as researcher on a book about infamous hacker, Kevin Mitnick back in 1995.