From the Security Experts

November 24, 2008

Expert: Popularity of Mobile Devices Brings New Threats from Hackers

By SIP Trunking Report Editor

Consumers aren’t the only ones who love the iPhone.
According to one expert that TMCnet interviewed today, the popular device’s familiar Web browser and operating system are giving hackers a leg up in finding entry points to exploit.
Terry McCabe, chief technology officer at Airwide Solutions – an international company headquartered in Burlington, Massachusetts that provides next-generation mobile messaging and wireless internet infrastructure, applications and solutions – also says that in this slower economy, more consumers are using their mobile devices to comparison shop, as well as check their bank balances and portfolios.

Mobile devices are becoming more and more prevalent, and their uses more diverse, as an entire industry rises around Apple’s model for the iPhone App Store and devices such as HTC’s Google Android phone and the BlackBerry Storm follow that model. As TMCnet has reported, some experts say that text messaging itself will emerge as a core piece of all advertising within five years.
For McCabe, the platforms that support today’s popular devices, such as the Symbian operating system or Java, while offering high functionality and interoperability – both major plusses – also are vulnerable to malware writers who know their shared source code.
TMCnet had a chance to speak to McCabe about the security threats facing mobile devices. We also discussed which regions of the world are facing the biggest challenges when it comes to increasingly prevalent problems such as mobile spamming, and what areas hackers may be targeting next.
Our exchange follows.
TMCnet: Much of what we’re reading about in the IT market these days has to do with applications for Internet-ready mobile devices, as BlackBerry smartphones and the HTC Google Android phone follow Apple’s iPhone example in setting up an online “store” for the programs. How is the rapid spread of these mobile devices, and the increasingly large amount of applications now available for them, affecting users’ security?
Terry McCabe: Many in the security industry have warned smartphone platforms are ripe for attack – particularly when users lack awareness of potential threats and many will unwittingly ‘go looking for’ the viruses by actively downloading games or other content.
The open source nature of the Symbian OS yields major benefits in terms of interoperability and functionality. However, this same operating system cuts the other way when it comes to security. Due to the shared-source code, malware writers can gain a deep understanding of the operating system.
Additionally, while Java is extremely valuable in terms of premium downloadable content like games and highly functional applications, the technology also poses a major security threat. As mobile phone users download more and more functional content, the risk that they may unwittingly also download a game or application with a hidden bit of code that could attack their phone greatly increases.
According to some industry experts, security breaches that can be traced back to the actions of one individual are not the fault of one uninformed employee but rather a failure to educate and engage the whole workforce around the importance of good security practice. However, small businesses without the benefit of IT training or support will have difficulty running their business and making themselves experts in the latest threats to their mobile devices.
While there as yet have not been high profile examples of this in the press, there is also an increasing risk posed by applications like Mobile Instant Messaging. This requires users to download a client application for use on their handset that has not necessarily been vetted by their operator. While most of these clients are downloaded from a reputable firm like Yahoo or other, there is a possibility that along with the client could be downloaded a virus or other potentially damaging Trojan.
Whereas Java brings functionality and versatility to the world of mobile devices, at the same time it also introduces new security threats. The rapid growth of the number of mobile devices that support Java makes this a pressing issue.
Already mobile malware has evolved from annoying text message spam to snoopware that enables the hacker to listen in on conversations, install spyware that allows him to access phone logs and contacts, and send text messages and multimedia spam to other devices.

However, the most frightening aspect about mobile malware is its potential to use an infected smartphone or other device as a proxy or gateway into an organization’s core network. By hijacking a handheld device, hackers can breeze past a traditional firewall and make their way onto a company’s mail server, customer database, CRM tools, and other critical parts of the network. And this damage may result from something simple, such as an employee receiving a message to download a free game or antivirus update.
An iPhone can hurt an enterprise in many different ways. The device’s porous e-mail support is one big concern. Many enterprise employees are planning to use the device like an improved BlackBerry, counting on it to provide e-mail capabilities that synchronize with their PC, Mac and Internet service-based contacts. But iPhone fails to incorporate basic security safeguards, like a firewall or data encryption. It also doesn’t support Microsoft Exchange or Lotus Notes, meaning that users must forward their e-mail to an Internet service provider, potentially exposing enterprise data to unsecured connections and servers.

The iPhone’s iffy security also extends to the road. Unlike the BlackBerry and other enterprise-class telecom devices, the product doesn’t allow users to lock the unit or destroy stored data in the event it’s lost or stolen. That means an iPhone could disappear without a trace, placing sensitive e-mails and other data into the hands of strangers.

Managers also worry about iPhone’s capability to store prodigious amounts of data. The unit can function like an external storage device, and will be recognized as such by most networks, storing up to 4GB or 8GB of data, depending on the model. This means unscrupulous iPhone users can swipe large amounts of data from unsecured enterprise PCs.

The fact that iPhone will use an operating system and Web browser that have been available, in one form or another, for years will please users seeking reliability and familiarity. But to IT managers, this time tested, standardized approach means that hackers will have had a head start in finding entry points to exploit. Many managers also fret that all the media hype surrounding the iPhone will tempt ambitious hackers--those seeking notoriety--to target the product.

Meanwhile, the iPhone’s closed operating system will make it impossible for users or IT managers to install software from security companies on the device. David Maynor, a security researcher with Errata Security, recently stated that he’s already discovered a bug in the Apple Safari browser that will be used on the iPhone. Maynor claims that a backdoor can be exploited to hijack the iPhone with hidden software, just as hackers have used malware to herd millions of unwitting PCs into robots that send spam, attack Web sites and steal financial data.
TMCnet: Tell us about the world of mobile hackers. Who are these people? Are they concentrated in one part of the world? Are they computer hackers who become more technologically proficient as markets such as the mobile Web develop? How do they operate? How do they choose their victims?
TM: Hackers can most certainly be anywhere, and what we’re finding is that security threats are an international problem. Our firsthand experience is largely related to mobile spam. Spam is an international problem with global SMS spam levels on the rise. Operators are under pressure to maintain the quality of service on their networks to ensure satisfaction levels remain high for their customers. The challenge of controlling spam coming in from other countries is a major issue as extremely low SMS prices mean spammers can target consumers outside their own nation.
The low cost of sending and receiving text messages is one of the most important factors behind high spam levels in Southeast Asia and China. SMS prices in the Asia/Pacific region are the lowest in the world. In China, the average subscriber receives between six and ten SMS spam messages a day. Many analysts have revised their SMS forecasts for Asia/Pacific as many operators offer big bundle SMS deals to retain their existing subscribers and acquire new customers.
Spam levels are also high in India. Mobile operators in the sub-continent report levels as high as 30 percent. In the Far East, South Korea and Japan also have serious spam attacks to report - at one point in South Korea mobile spam was even higher than email spam.
SMS billing in the United States is different to the rest of the world. In North America, subscribers receiving messages are charged. Paying for getting unsolicited messages has resulted in consumers chasing operators for refunds. One in four messages sent to mobile phones via email in North America is spam.
Across EMEA SMS demand differs greatly. Mature markets in Western Europe have different spam issues to newer African markets. Western Europe is likely to see increased spamming due to the rise of mobile marketing. Application-to-Person SMS will increase as mobile advertisers find new ways to communicate with consumers, pushing new brand messages. In Africa, countries such as Egypt and South Africa will maintain their healthy levels of sustained growth. Lower SMS prices similar to those in Asia Pacific mean that there is growing concern about spam in the African region.
The Middle East has a very lucrative subscriber base which is a good target for spammers to attack the region from outside the area. Operators in the region will want to protect their customer base as new advanced messaging services are launched.
One of the fastest growing SMS regions in EMEA is Eastern Europe. Serbia, Estonia, Romania and Ukraine have the largest subscriber bases and biggest growth rates. SMS demand in Eastern Europe is driven by its ease-of-use, low price and interoperability. Competitions and voting add to the growing demand in the region. With the increased SMS activity, major operators in the region look to provide new services such as sending alerts and supplying micro top-ups.
It will not be long before spamming becomes the issue it has in South East Asia. To prevent spam-related scams, mobile operators need an adaptable solution that allows them to monitor and analyze all in-coming and out-going traffic in real-time. For many operators the spam threat to their subscribers is too serious to be left alone. In the end an advanced efficient spam prevention solution gives operators a competitive advantage and ultimately a tool to retain customers and acquire new subscribers.
TMCnet: Protections against identity theft and fraud, including on mobile devices, are areas that we read about from time to time. Companies such as SMobile Systems offer mobile platform security, and CA Inc. and Arcot Systems recently developed an authentication technology to fight phishing and other Web-based attacks. What differentiates the Airwide’s solutions from competitors’?
TM: It is important that security be provided at multiple levels: the network, the device and personal controls for the subscriber. Airwide’s technologies address security at each of these levels. Make sure that if you are rolling out a mobile email solution for handsets, you install spam-filtering technology that works to filter messages before they’re passed to mobile devices.
Especially for small businesses without IT departments or enterprise-grade applications, there is a need to rely on the protection that your operator or carrier provides you with.
Most operators attack fraudulent activities from a few major points in the messaging chain:
Value-added service providers: when mobile operators better control VASPs, they can ensure that they respect service-level agreements and use mobile infrastructure within predefined boundaries
Mobile operators’ infrastructure: Traffic control to detect abnormal patterns, message checks to confirm legitimate senders, content filtering, and message blocking are some of the tools offered to mobile operators that can help identify and control fraudulent activity
Subscribers: Many mobile operators can share spam control with their subscribers by providing solutions to black-list certain phone numbers and block messages coming from these phones
As mentioned above, many operators are now implementing Anti-spam solutions at the mobile network level that can help block malicious traffic at these three major points hopefully to prevent it ever making it to the subscriber’s handset.
However, in addition, many operators are also beginning to implement personalized applications that can help small businesses and interested consumers take even further steps to protect themselves from malware and spyware distributed via SMS or MMS Spam.
Some of these personalized applications allow the handset user to configure their own personal spam filters or message blocking settings right at the handset, offering an additional and more granular level of protection. You can set these filters to block SMS from certain addresses or to not receive messages sent from the Internet.
Additionally, while not offering protection from the damaging spam, these personalized applications can also allow subscribers to backup and archive their information to the network. In the event that a subscriber’s data is compromised due to a malicious attack, all of the information would be backed up and archived outside of the phone so that the user could restore it as soon as the handset has been secured or a new one has been put into use.
While theft is a critical issue facing governments and the operator community, another important trend that we see continuing in strength is mobile fraud.
Fraud is responsible for over $55 billion in losses per year – as estimated by the Communications Fraud Control Association’s March 28, 2006 industry survey. One of the many flavors of fraud is SIM cloning in which a criminal obtains a SIM from a current subscriber or prior to sale and uses an electronic device to make one or more copies. The criminal then uses the SIM themselves or sells the SIM for profit. While recent developments in SIM technology have made SIM-cloning more difficult, it is still a major problem in regions where operators have not upgraded to the latest SIMs. SIM cloning represents service theft and has a direct financial impact on both operator and subscriber. In addition, SIM cloning causes significant customer service costs.
Subscribers may make several calls to customer service complaining of strange charges on their bill before customer service can determine SIM theft is involved. Worse, the problem may never be properly identified and the customer may just give up in frustration and leave the operator. SIM cloning entails significant hassles for customers. Not only are their minutes stolen, the difficulty in determining the cause of the problem can lead to a protracted and unpleasant struggle with the mobile operator.
In regions where SIM cloning is particularly prevalent, it has resulted in extensive media coverage and represents a threat to the brand for operators who do not take steps to stop it. Finally, SIM cloning is also used by criminals and terrorists to make it harder to trace them. If the SIM identifier is known then it is easier to determine where the SIM or phone was purchased and to whom it was sold.
Increasingly, black market handsets are filtering into the market place for a variety of reasons. Perhaps they were actually stolen from another region, or in regions where there are high tariffs they may be smuggled in to avoid paying tariffs. When tariffs are high grey market handsets can rise to a significant number of the handsets in circulation. This leads to substantial losses for government treasuries such that many governments are beginning to work with operators to address the problem with EIR technology.
Handset cloning occurs when a criminal uses hardware to reprogram a phone’s IMEI. This is done to get around EIRs. It is also done by criminals to make it harder for them to be tracked; as with SIM cloning, if you know the accurate IMEI you may be able to determine where the phone was sold and then find out who it was sold to.
Operators are up against many other types of fraud as well. EIRs are now being used as part of the anti-fraud arsenal to disable handsets that have been associated with fraud. For example, in New Zealand the EIR is used to disable phones that have been associated with more than one instance of credit card fraud, where subscribers top-up their phone with a stolen credit card.
TMCnet: We know that security is just one piece of what Airwide does. Tell us how security and control fit into the company’s overall mission.
TM: Controlling the flow of traffic means operators can be sure that only valid traffic is using the network. Providing a safe environment for message flows is an increasingly important context for messaging infrastructure and applications. Airwide is dedicated to ensuring that mobile messaging can continue to be conducted in a safe environment, which is critical to the sustained growth and success of mobile messaging. In order to continue to see the growth we’ve been experiencing, it is impossible to separate messaging from a safe and secure messaging environment, which is why Airwide addresses both.
TMCnet: No one really knows just how or when this slower economy is going to turn around. But one early result of the financial crisis is that many people are more closely examining their savings, investments, retirement plans, stocks and bank holdings – services that now commonly are conducted over the Internet. How does a rise in that type of activity affect the rates of mobile hacking, if at all?
TM: It’s not just checking savings or stock using smartphones, but recently there is also a rise in shopping and ordering items on the mobile, and in a down economy the potential for live comparison shopping for the cheapest price could prompt an increase in this. Smartphones let shoppers feel as though they may be able to uncover better deals and encourage both online and offline commerce. Any time there is an increase in buying activity or financial transactions or even simply the exchange of financial information over a given medium there is certainly an increased risk that hackers will find this an attractive target for theft and stealing sensitive data.


Michael Dinan is a contributing editor for TMCnet, covering news in the IP communications, call center and customer relationship management industries.

Edited by Michael Dinan