Evolution of Mobile Threats
Abhishek Dubey and Anmol Misra
As mobile devices have evolved from basic to smartphones, threats to mobile devices have evolved in parallel. Smartphones have a larger attack surface compared to basic phones in the past. In addition, the usage patterns of mobile devices have also evolved. Basic phones were primarily used for text messaging and phone calls. Today smartphones are used for everything one can imagine using a computer for: performing routine banking transactions, logging onto Facebook, directions, maintaining health and exercise records, and so forth.
For a long time, Nokia's Symbian OS was the primary target of attackers due to its penetration in the mobile market. As the market share of Symbian continues to decline and there is a corresponding increase in the share of Android devices and iPhones, attackers are targeting these platforms today.
Symbian is still the leading platform for phones outside the United States and will be a target of attackers in the foreseeable future. However, Android and iPhone attacks are increasing in number and sophistication. This reflects the fact that bad guys will always go after the most popular platform. As Android continues to gain in popularity, threats against it will continue to rise.
Looking at the threat landscape for Android devices, it is clear that attacks against Android users and applications have increased quite a bit over the last couple of years. As Android adoption picks up, so does the focus of attackers to target the platform and its users. Android malware has seen an upward trend, as well.
This trend does not only apply to Android devices. Mobile phones have increased in their functionality as well as attack surfaces. The type of data we have on a typical smartphone and the things we do with our phone today are vastly different from just a few years ago.
Attacks on basic phones targeted Short Message Service (SMS), phone numbers, and limited data available to those devices. An example of such an attack is the targeting of premium SMS services. Attackers send text messages to premium rate numbers or make calls to these numbers. An attack on an Android device or smartphone is different and more sophisticated; for example, a malicious application accessing a user's sensitive information (personal data, banking information, chat logs) and sending it to potential attackers. Smartphones are susceptible to a plethora of application-based attacks targeting sensitive information.
The following is a sample data set on a typical smartphone:
- Corporate and personal e-mails
- Contacts (along with their e-mail and personal addresses)
- Banking information
- Instant Messaging logs
- Credit card Information
- Location and GPS data
- Health information
- Calendar and schedule information
Attacks on a smartphone running on the Android platform could result in leakage of the above data set. Some possible attacks that are more devastating include social engineering, phishing, spoofing, spyware, and malware; for example, a mobile application subscribing a user to a premium service. The user would then incur data and usage charges, in addition to subscription fees. Smartphone browsers are miniature compared to their desktop counterparts. Therefore, encryption functionality on a smartphone OS as well as browser can be limited and can take more time to respond compared to on a PC (for example, revoking certificates from mobile browsers).
Until now, we have focused on attacks on applications and protocols used for communication on the Web. Another class of attacks is on the cellular technology itself. GSM and CDMA are the most widely used communication standards. Carriers use one or the other standard for providing cellular service (i.e., calls, SMS). As the adoption of cellular devices increases, these standards have come under increasing scrutiny from researchers and attacks from malicious users.
GSM is used on a majority of cellular phones in the world (200+ countries, 4 billion+ users). GSM uses A5/1 encryption to provide over-the-air communication privacy (i.e., to encrypt SMS and telephone conversations). Although it was initially kept a secret, it was reverse engineered, and some details became public knowledge through leaks. In the early 1990s, A5/1 was shown to be broken in research papers/academia. By 2009, researcher Karsten Nohl demonstrated an attack that could allow someone to determine the encryption key used for protecting SMS and telephone conversations. Even more interesting was the fact that this could be accomplished with relatively inexpensive equipment. A5/1 uses a 64-bit key and can be attacked using hardware available today. Given two encrypted, known plaintext messages, the secret key can be found in a precomputed table. Given the increasing use of cellular devices for Radio Frequency Identification (RFID)/Near Field Communication (NFC), this can result in the compromise of not only SMS and voice communications but also of data (e.g., credit card payments).
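The following added example (not from the original article) shows why known plaintext plus a precomputed table defeats a stream cipher with a small key. It uses a constructed toy cipher, a single 16-bit LFSR, and is not A5/1; the function names and the sample message are assumptions made for illustration.

```python
# Toy stream cipher for illustration only. This is NOT A5/1: it is a single
# 16-bit LFSR (taps 16, 14, 13, 11) whose initial state is the key.
STATE_BITS = 16   # toy key size (the article gives 64 bits for A5/1)
PREFIX_BITS = 24  # leading keystream bits used as the table index


def keystream(state, nbits):
    """Return nbits of keystream as an int, first bit most significant."""
    out = 0
    for _ in range(nbits):
        out = (out << 1) | (state & 1)
        fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (fb << (STATE_BITS - 1))
    return out


def crypt(key, data):
    """Encrypt or decrypt: XOR data with the keystream generated from key."""
    ks = keystream(key, 8 * len(data)).to_bytes(len(data), "big")
    return bytes(a ^ b for a, b in zip(data, ks))


def build_table():
    """One-time precomputation: keystream prefix -> key for every nonzero key.

    Cost and size grow as 2**STATE_BITS, which is why key length matters.
    """
    return {keystream(k, PREFIX_BITS): k for k in range(1, 2 ** STATE_BITS)}


def recover_key(table, ciphertext, known_plaintext):
    """Known plaintext XOR ciphertext yields keystream; look it up in the table."""
    n = PREFIX_BITS // 8
    if len(ciphertext) < n or len(known_plaintext) < n:
        return None  # not enough known bytes to form a table index
    prefix = bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))
    return table.get(int.from_bytes(prefix, "big"))


if __name__ == "__main__":
    table = build_table()
    message = b"LOCATION UPDATE (constructed sample)"  # constructed input
    ct = crypt(0xBEEF, message)
    key = recover_key(table, ct, b"LOC")  # only a predictable header is known
    print(hex(key), crypt(key, ct))
```

Once the table exists, each recovery is a single lookup, so the work is paid once and reused against every intercepted message; predictable message headers supply the known plaintext.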
Many users are not aware of the risks and threats to their mobile devices, which are similar to those on a PC. Although the majority of users use some kind of protection on their desktops or laptops (e.g., antivirus software), they are oblivious to the need to protect their mobile devices. The majority of users are not technically savvy enough to understand the implications of performing certain actions on their cellular devices. Jail-breaking or rooting is an example. Users are also placing their trust in applications they install from an application repository, whether it be the App Store (iPhone) or the Android Market. Malware applications were found on the Android Market disguised as popular applications. For a typical user, a $0.99 application download is becoming routine practice, and if a user regularly downloads and installs an application, the security or behavior of an application might go unnoticed.
Increasingly, workers are bringing their own devices to work and shunning their company-sponsored devices. The use of Android devices and iPhones continues to rise in the business environment. However, corporate policies have not kept up with users as they still focus on securing "full-fledged" PC devices more than mobile devices. This exposes their environment to attacks that leverage mobile devices and users. In fact, it might be easier to compromise mobile devices in many cases than their desktop counterparts, where corporate dollars are still being spent. Threats yet to materialize but not considered as such by researchers/business enterprises are those coming from state-sponsored entities, such as government intelligence agencies. One can imagine attacks possible in cyber-warfare, such as the spreading of mobile malware, which could clog the communication medium.
Certain names and logos on this page and others may constitute trademarks, servicemarks, or tradenames of Taylor & Francis LLC. Copyright © 2008–2013 Taylor & Francis LLC. All rights reserved.