Mobile Devices - Current and Future Security Threats

by Toby Zimmerer

This article will focus on a system that many people use every day, yet they are oblivious to the power of the threat that they are exposed to.

That system is your mobile phone.  The advent of smart phones and PDAs has spawned a new security hole that the majority of people completely ignore.  Most mobile phones can access the Internet and have Bluetooth communication systems for linking other devices without the use of cables.

Additionally, smart phones are utilizing Linux and Windows operating systems and have the processing capabilities of a small computer.  Since these devices do not have a built-in firewall and provide multiple open communication channels, it becomes perfectly clear that mobile phones pose a prime target for attacks.

Mobile Devices and Operating Systems

Smart phones are currently using two operating systems (Symbian and Windows Mobile 5.0) that are customized to each cellular provider's mobile device.

Symbian (www.symbian.com) is a lightweight Linux operating system that is bundled with a number of applications that can allow a user to work on the road without the use of a laptop.

Microsoft has taken its lightweight Windows OS, which was originally developed for the iPAQ, into the cellular provider market by developing Windows Mobile 5.0 (www.microsoft.com/windowsmobile).  Microsoft offers a complement of applications to allow a user to work remotely without the use of a laptop.

For those of you not familiar with smart phones, I would suggest looking at the websites for Symbian and Microsoft Mobile in order to see the mobile devices that are currently supported.  As I mentioned earlier, smart phones have the processing capabilities of a small computer.

These phones are normally equipped with 64 MB to 128 MB of memory and can be expanded up to 2 GB of additional memory by adding a miniSD memory card to the phone.  Some smart phones have integrated keyboards and touch screens that allow you to quickly navigate through menus and enter information.  I own a Nokia 9300 that flips open to give the user access to a 1" x 4" high resolution LCD, a 66-button keyboard, and a thumb mouse.

Open Communication Channels

Mobile service providers have expanded their services to provide users with greater access to information through their mobile phones.

People in Europe and Japan have been using their mobile phones for web access, messaging, and purchasing goods directly from their mobile phones long before the U.S. market started to offer these services.  Mobile phones can retrieve an IP address from their mobile service provider, which provides full access to the Internet to transmit HTTP, SMTP, SSH, Telnet, and other TCP/UDP functions.

Most devices are now equipped with Bluetooth to allow the user to connect to their laptops, wireless headsets, or other mobile devices.

Bluetooth has a transmit radius of approximately 30 feet and can be configured to allow other devices to find or "discover" the host device.  Open Bluetooth channels broadcast a lot of information, including the MAC address, device name, and device model.

I saw a demonstration at the Interop show in Las Vegas this year where the vendor was listing all of the Bluetooth connections that were currently open near their booth.  On average, there were 60 open Bluetooth connections near the vendor's booth and they were able to retrieve the device name and device model.  As a test, I switched on the Bluetooth connection on my phone, disabled the discover feature, and my device was detected.

If you are interested in performing some Bluetooth vulnerability scanning, I would recommend checking out BTScanner by Pentest (www.pentest.co.uk), which runs on a desktop system, or Blooover (trifinite.org/trifinite_stuff_blooover.html), which runs on your handheld device.

Current and Future Mobile Threats

Mobile device viruses began to show up in 2004 with the release of the Cabir virus.

Since then, the number of viruses has grown exponentially, which has resulted in both financial and hardware loss.  The Skulls and Onehop viruses are designed to completely disable the mobile handset, whereas the Commwarrior virus will start to transmit SMS messages to everyone in your address book, resulting in additional costs on your phone bill.

These viruses currently propagate through two mediums: SMS and Bluetooth.

The Commwarrior virus shows up as an SMS message with an MMS attachment.  If the user activates the attachment, the mobile phone will become infected.  Bluetooth viruses, such as Cabir, broadcast a message with an attachment to all Bluetooth devices in range.  Once again, if the user activates the attachment, the phone will be infected.

As I mentioned earlier, mobile devices now retrieve IP addresses and run compact operating systems to provide the user with all the features and functions of a desktop system on their mobile devices.

These systems do contain software flaws and holes that will eventually get exploited through the open Internet channel on the devices, leaving the users vulnerable to attacks.

As of March, the first Java ME viruses started to appear.  Sooner or later, viruses will start to propagate to mobile devices over the Internet.

Defending Against Mobile Threats

Currently, some software companies are offering anti-virus and firewall products for mobile devices.

I would recommend doing some research on the different vendors to see which companies support the broadest range of mobile devices and operating systems.  I know one company has been designing mobile AV/firewall solutions for a number of years and has a pretty large distribution throughout the world with a number of mobile service providers.

I will let you make your own decision on which route to go.  Additionally, I would scan your open Bluetooth connections to see how many open connections you have.
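One way to turn such a scan into an audit, as an added example that is not part of the original article: it parses inquiry results, decodes the device type from the Bluetooth Class of Device field, and lists which of your own devices are discoverable.  The sample lines are constructed in the format printed by BlueZ's "hcitool inq", and the addresses and the OWNED inventory are hypothetical.

```python
import re

# Major device class names: bits 8-12 of the 24-bit Bluetooth Class of Device.
MAJOR_CLASS = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network access point",
    4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable",
    8: "Toy", 9: "Health", 0x1F: "Uncategorized",
}

# Constructed sample in the line format printed by BlueZ `hcitool inq`.
SAMPLE_INQUIRY = (
    "Inquiring ...\n"
    "\t00:11:22:33:44:55\tclock offset: 0x1a2b\tclass: 0x5a020c\n"
    "\t00:11:22:33:44:66\tclock offset: 0x0c4d\tclass: 0x200404\n"
    "\tAA:BB:CC:DD:EE:01\tclock offset: 0x7f10\tclass: 0x3e010c\n"
)

# Hypothetical asset inventory: Bluetooth address -> device label.
OWNED = {"00:11:22:33:44:55": "alice-phone", "AA:BB:CC:DD:EE:01": "bob-laptop"}

LINE_RE = re.compile(
    r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+clock offset:\s*0x[0-9a-f]+"
    r"\s+class:\s*0x([0-9a-f]{6})\s*$",
    re.IGNORECASE,
)

def decode_major_class(cod):
    """Return the major device class name encoded in a Class of Device value."""
    return MAJOR_CLASS.get((cod >> 8) & 0x1F, "Reserved")

def parse_inquiry(text):
    """Yield (address, major class) for every device that answered the inquiry."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skips the "Inquiring ..." banner and malformed lines
            yield m.group(1).upper(), decode_major_class(int(m.group(2), 16))

def discoverable_owned(text, owned):
    """List inventory devices that answered inquiry, i.e. are discoverable."""
    return sorted(
        (owned[addr], addr, cls) for addr, cls in parse_inquiry(text) if addr in owned
    )

if __name__ == "__main__":
    for label, addr, cls in discoverable_owned(SAMPLE_INQUIRY, OWNED):
        print(f"{label}: {addr} ({cls}) answers inquiry; turn off discoverable mode")
```
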

Finally, and most importantly, educate yourself and those around you.  Most of the current mobile viruses can be thwarted by deleting the attachment or not opening it at all.

Mobile devices are the next vulnerable resource on the market today and will eventually be targeted by viruses that spread across multiple communication channels.  As the complexity, features, and processing power of the mobile devices increase, they will provide a prime avenue for malware to exploit.

By protecting your mobile devices with anti-virus and firewalls, as well as disabling unnecessary services such as Bluetooth, you can protect your network and yourself from current and future threats.
