McAfee® Labs™ examines the current state of smartphones and other mobile devices and the security risks associated with their new capabilities. We also predict near-term future threats for these handy machines.
By Dr. Igor Muttik
Despite steady progress in securing desktop computers—using safer hardware, operating systems,
and applications—malware is not going extinct. With today’s explosive proliferation of smartphones,
tablet computers, and other mobile devices, we have to wonder whether our pocket devices can also be
secured. We might assume from our extensive knowledge in protecting desktop computers that the new
wave of mobile hardware should be relatively secure because we shall benefit from the lessons we have
already learned. In this paper we shall examine and describe in detail why this is unlikely to be the case.
We won’t keep you in suspense: Mobile devices are not going to be less susceptible to security problems.
The overall threat of malware might decline, but the damage to mobile devices is likely to be high because
smartphones are always connected, they always carry some personal data, and they are even equipped with
small cameras, microphones, and positioning devices—just like the gadgets spies carried in old movies. The wider
choice of built-in devices compared with desktop computers (or laptops and notebooks) makes the
operating systems (OS’s) and applications more complex and ultimately increases the attack opportunities.
The core of contemporary OS’s, such as iOS and Android, is based on Unix/Linux, which makes the
system reasonably secure. However, due to the competitive pressure of the market, the manufacturers
frequently prioritize time-to-market concerns over security and may add core drivers and applications that
are insufficiently tested. There could also be flaws in implementing updates for the firmware and OS that
would make the robustness of the OS core irrelevant—as an attack may be able to entirely replace it.
Nearly all the types of threats to desktop computers that we have seen in recent years are also possible on
mobile devices. (Parasitic viruses may be a notable exception for modern mobile OS’s; more on this below.)
Moreover, we are bound to see threats readapted to mobile environments and, unfortunately, we are also
likely to see new kinds of malware that target smartphone capabilities that are not available on desktops.
In this paper we shall use the terms “mobile devices” and “smartphones” interchangeably.
The first term has a wider scope (as it includes pocket game consoles, readers, tablets, etc.) but the overlap of features is great and contemporary phones offer pretty much everything that other more specialized devices do.
Specifics of mobile devices
Mobility brings vulnerability
Mobile devices are on the move, meaning they can more easily be lost or stolen and their screens
and keyboards are easier targets for “over the shoulder” browsing. Even if a device is properly secured
with a PIN or passphrase, a determined attacker has a reasonable chance to intercept the PIN when
the owner enters it. The rest of the compromise depends on the pickpocketing skills of the thief or
the carelessness of the owner. Even a short lapse of control over a phone may allow a compromise.
Most of us prefer to have a single smartphone with multiple functions rather than carry around several
devices. Of course, that makes these devices more versatile, expensive and, consequently, more attractive
for thieves. They may be interested purely in the hardware but, increasingly, they also want access to the
device’s data, which can be very valuable (and may be worth a lot more than the hardware).
Contemporary security measures make it harder to resell stolen devices. (In many countries reporting a lost
phone’s IMEI [International Mobile Equipment Identity, a unique identifier] would allow the supplier to
block further use of a device; unfortunately this is not the case in some countries.) Reprogramming the
IMEI is possible, but in several countries it may be illegal to possess the equipment needed to do so. Although the cost
of devices goes down each year, the cost of the data they carry may do just the opposite. Today in many
cases the data extracted from a phone is more valuable than the cost of the parts. This value will only
grow as smartphones are increasingly used for banking (including near-field communications) and business
(storing trade secrets, blueprints, roadmaps, patent documentation, etc.)…
To read the full report, go to http://dl.dropbox.com/u/36016639/Securing%20Mobile%20Devices%20final.pdf