by Dragorn

What's the most insecure device in your life?

Like thousands of others, I left the Batcave this month to stand in line to get the latest must-have gadget, a new Android phone.  After showing up to the store so many times that the employees recognized me, running the gamut from "Hey, it's the guy who ordered the first one," "Oh, it's you," and "Why are you back again," and finally, "Sir, you know we don't open until 10:00, right?," I had a little brick of technology waiting for a login.

A week later, while standing in a museum overseas looking at the Soviet-era Eastern Bloc's finest computing offerings, my phone blinking "No carrier, didn't you know you're on a network with no international support?," it occurred to me that I had more general purpose computing power in my pocket than on exhibit in the entire room.

My old cell phone was a phone.  It didn't even do that terrifically well, and it sure didn't do much else.  Attempts to bully it into running some bastard version of a web browser usually led to it crashing unceremoniously.  The new phone has a real operating system, a browser with JavaScript, multitasking, GPS, and is basically a netbook with a smaller screen.

With added complexity come added security risks.  With my old phone, I was reasonably confident that the only way to snoop on who I called was for my helpful phone company to supply those records (of course, this would never happen without a warrant, right?) or for someone to physically take my phone.  What can my phone do now?  Automatically launch applications on incoming calls, override the outgoing dialer, run Python scripts... and this is with the user's permission!

Despite being a techie, I've sometimes been accused of bordering on Luddite tendencies.  I'm not entirely sure, for example, that pushing everything to wireless is a great idea.  I don't love the thought that aspects of the power grid are being connected to commodity networks.  I'm not convinced my phone needs to know where I am at all times and call back to the mothership.

For once, I have proof I'm not entirely overreacting.  Using a trick I've been a fan of for some time, iPhone worms are targeting jailbroken users who haven't changed their root passwords (hint: "alpine"); they range from the mostly benign "pay me $5 to explain how to fix this" to the annoying Rick-roll to the highly malicious, which can establish a command channel to download future malware to the device.

Of course, this time, only users who have already bypassed the protections in the system are exposed: enabling SSH with root allowed, with a known default password, is as inviting a target as one could make, and bypasses the protections where apps aren't normally run with full privileges.  Infection rates and data don't seem to be available, but the worms have been newsworthy despite a very small percentage of the device users being vulnerable.  A worm like this is a harbinger of problems to come, however.  If a vulnerability had been found in the operating system (be it iPhone, Android, Windows Mobile, Symbian, WebOS) with similar access rights, a worm capable of spreading device-to-device in an urban area could hit a large percentage of the users in a short period of time.
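For anyone who does run an SSH daemon on a device, the exposure described above can be checked from the daemon's configuration. This is an added example, not part of the original column: the function name, the sample configs and the default tables are assumptions made for illustration, and it only evaluates the global section for the two keywords shown.

```python
import re

# Constructed sample: the exposed setup the column describes (root allowed, password auth on).
SAMPLE_EXPOSED = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: hardened; the later duplicate is ignored because the first value wins.
SAMPLE_HARDENED = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin yes
"""

# Assumption: defaults of current upstream OpenSSH. Builds before 7.0 defaulted
# PermitRootLogin to "yes", so pass LEGACY_DEFAULTS when auditing an old daemon.
MODERN_DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
LEGACY_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def audit_sshd_config(text, defaults=MODERN_DEFAULTS):
    """Evaluate the global section of an sshd_config for root password logins."""
    seen = {}
    has_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            has_match = True                # conditional overrides need manual review
            break                           # everything after belongs to Match blocks
        seen.setdefault(keyword, value)     # sshd keeps the first value it reads
    root = seen.get("permitrootlogin", defaults["permitrootlogin"])
    password = seen.get("passwordauthentication", defaults["passwordauthentication"])
    return {
        "permit_root_login": root,
        "password_authentication": password,
        "root_password_login": root == "yes" and password == "yes",
        "has_match_blocks": has_match,
    }


if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_sshd_config(cfg))
```

A clean result here does not cover keyboard-interactive authentication through PAM, and it says nothing about whether the default password itself was ever changed.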

This doesn't even touch the problem of malicious "legitimate" applications.  Multiple applications have been accused of accessing the phone books of users and stealing information, though generally the APIs are designed to prevent a complete compromise of the phone (as much to enforce policy as for user security).  Some phone operating systems attempt to force applications to identify what services they'll utilize and allow the user to allow or deny the behavior, but once general purpose code is running on the device it's likely difficult to completely secure it, especially when applications are meant to interact with each other and the phone settings.

Now that phones act like common computing devices, they're also vulnerable to attacks against the browser - a phone on an open Wi-Fi network is just as susceptible to TCP hijacking attacks and browser cache attacks as a PC, and may preserve those attacks into the future when a user is on the cell network.  No unencrypted connection should be considered secure (do you really think your cell carrier has your security interests at heart?), and phones which opportunistically switch to Wi-Fi networks will happily send your plaintext passwords over the air.

How much data is at risk on your phone?  At least your calling records and phone book, indicating friends, employers, family.  Billing is directly tied to your phone - if a compromised program can make or redirect phone calls, it can rack up direct charges.  Browsing history, session cookies, cached web data, and saved passwords are all stored on the device, including logins to services which can directly cost you money (at the best) or expose billing information (at the worst): banks, shopping sites, and application markets.  Most phones don't have any concept of on-device encryption, meaning your information is most likely stored unencrypted if the phone is ever stolen.

Having a high-power always-connected computer in a pocket sure is convenient, but I think I might want to go back to being a Luddite after all.