The U.S. Defense Department has struggled for years to find ways to deploy mobile devices without introducing new vulnerabilities to its networks. But a recently released report from researchers at Georgia Institute of Technology, Atlanta, Georgia, predicts an explosion of cell phone threats in the coming months and reveals newly emerging vulnerabilities, including weaknesses in mobile device browsers.
The Georgia Tech Emerging Cyber Threats Report 2012 finds that malware targeting mobile devices constantly evolves and that the threat against Android and iPhone operating systems is exploding. Furthermore, those attacks are behaving more like traditional threats by communicating with a command and control architecture. “These devices will become major targets in the months ahead and are providing another avenue for data theft,” Dmitri Alperovitch, independent security researcher and former vice president of threat research at McAfee, says in the report.
Many of the weaknesses for mobile platforms are introduced through the browser, the report finds. Mobile applications rely increasingly on the browser, presenting unique challenges to security. The report also warns of potential compound threats that will use browser, texting and email functions to launch attacks, and it finds that mobile phones could push aside Universal Serial Bus devices as the next big thing for introducing attacks to otherwise protected systems.
For all practical purposes, mobile devices are now computers used for a wide variety of online activities and are, therefore, becoming more attractive targets, says Mustaque Ahamad, director of the Georgia Tech Information Security Center. Ahamad and his colleague Bo Rotoloni, director of the Cyber Technology and Information Security Laboratory, both applaud the Defense Department’s efforts to standardize mobile platform hardware and to create a secure marketplace for defense-specific mobile software applications.
Rotoloni warns that the Android operating system is an easier platform to attack. “The iPhone is better because the process is a little more controlled, whereas the Android is wide open. You’re seeing malware show up on the Android first,” he says.
Mobile device browsers are vulnerable for several reasons. For one thing, according to the report, they are too small for the Web address bar to appear for very long, removing visual cues that users rely on to confirm the safety of their online locations and making it easier to obfuscate an attack that is underway. In addition, for some mobile devices, even security experts cannot easily locate certificates used to establish an encrypted link between a Web server and browser.
Furthermore, mobile devices do not commonly receive patches and upgrades, and currently, industry has little incentive to change that. “For smartphones, there is basically no update,” Ahamad explains. “The software you have stays the same from the time you buy your phone. Unfortunately, in security, like in so many other cases, we are reactive. Something becomes a serious problem and then we pay attention to it. Our philosophy is that we really need to be proactive.” Ahamad predicts that changes in the marketplace will offer incentives for industry to begin updating and patching mobile browsers. “As it goes from the individual consumer to the enterprise environment, we will see more and more of a need for it,” he says.
Rotoloni adds that industry will change when the lack of security hurts the bottom line. “Until it starts really damaging their business model, they’re not going to do much. For instance, if they’re starting to take hits in their bandwidth because of malicious traffic, they may start to be a little more proactive. If they start getting a bad reputation for having a network full of malware or infections, they may start doing that. But until that happens, they’ll probably just do what they do,” Rotoloni asserts.
Other mobile device vulnerabilities allow an attacker to remotely control the camera or microphone to record the user’s actions. Although it didn’t make it into the report, Patrick Traynor, a researcher and assistant professor at the Georgia Tech School of Computer Science, recently revealed that an iPhone can be hacked and turned into a spy phone. If the device is sitting near a computer, it can be used to pick up keyboard vibrations and decipher complete sentences with 80 percent accuracy.
The report declares that the past year has witnessed cyber attacks of unprecedented sophistication and reach and that the attacks demonstrate that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens. Experts suspect nation states are behind some of the more sophisticated attacks that have come to haunt 2011, including Shady RAT (remote access tool), the Stuxnet virus and Duqu, the alleged son of Stuxnet, which according to experts is based on the source code of its predecessor and may have been developed by the same creator.
“These things were built by professionals. They were examples of a real professional software design process going into creating these botnets or these pieces of malicious software,” says Rotoloni. “Many of these things are doing what I would call cyber intelligence surveillance and reconnaissance—collecting information to find vulnerabilities on the chance that there may be a time to exploit that.”