There have been few mobile phone viruses so far, but as more handsets use WiFi and bluetooth, is it just a matter of time? Mark Mayne reports.
The growing popularity of mobile working has given rise to concerns about the risk of mobile viruses and other attacks on handsets and PDAs. But how real is this threat? In contrast to the world of PCs, where the number of viruses "in the wild" runs into the thousands, there are still fewer than 400 mobile viruses. Many of these have been proof-of-concept code, only seen in a specific test area or research laboratory.
Experts disagree as to the precise reason for this lack of viral attacks. The most obvious explanation is the huge variation in the mobile handset market. Infecting PCs via the internet requires the creation of malicious code that will work on a Windows PC operating system, for example XP. A hacker can be reasonably certain that such a piece of code is likely to run on the vast majority of home and office machines it encounters. However, mobile handsets all work differently. Generally speaking, only the top-of-the-range smartphones (two per cent of the mobile market) have decent processing power and storage, and while many modern handsets can handle J2ME and multi-media messaging services, millions of older phones cannot.
"There is a considerable amount of pain involved in even considering sending a software application over the air to a handset," says Mike Hawkes, director of mobile security at the Mobile Data Association. "For example, Sony Ericsson has implemented Java (J2ME) differently in one handset, so another application is needed. And that's just one variation in one language in one product line from a single manufacturer - imagine this multiplied by the number of models and brands. Security certificates are also an issue, as they are stored in different places on each device."
As a result, writing for-profit mobile malware is difficult and may not be worth the effort. "The problem, from the hackers' point of view, is the lack of a clear, dominant operating system in the mobile market," says Graham Cluley, senior technology consultant at Sophos. "When the market standardises, we'll see attacks begin in earnest, and a company's handsets will become their weak link. At the moment, though, there's plenty of money for hackers in attacking Windows PCs - so why bother to research, design and build hacks for mobiles?"
Very early to market
In spite of the lack of exploits, almost every major anti-virus (AV) company has brought out a mobile product. Operators such as Orange UK, Japan's NTT DoCoMo and manufacturers including Nokia are also offering or promoting anti-viral products. There appears to be a demand for defence, even if the attackers aren't yet interested. A recent report from Juniper Research predicts that mobile security products will be installed on 247 million phones by 2011.
"AV vendors are worried about revenue erosion," says Alan Goode, a senior analyst at Juniper Research. "They've seen their PC market share being gradually eroded, and mobile technology offers an excellent opportunity."
New research from McAfee Mobile shows that it's not just AV manufacturers driving the market: even though the number of handsets affected may be small, 83 per cent of operators reported device infection in 2006. According to the study, the number of mobile security incidents increased by more than five times in the same year. Operators fear the potential cost of cleaning handsets after a virus attack, as well as the damage to their brand such an attack could cause.
This is one of the key issues. Many experts point to the operators' grip on business and consumer users alike as the reason for the lack of attacks. "The operators currently run pretty tightly controlled networks, with all content being checked carefully," explains Hawkes. "However, as we move away from this model, and more handsets become capable of connecting via Bluetooth and WiFi, we will see more infections, as users move outside the security of the operator's networks."
Such connectivity is only beginning to penetrate to business users, but a handful of devices exist, and products are available to defend them. Anti-virus vendor F-Secure has been looking into mobile viruses since 1999 and has found 346 so far, according to Mikko Hyponnen, the company's chief AV researcher. "When we began looking at this space, I expected someone to port existing Windows viruses across to Windows Mobile - it's technically very easy - but this has still not happened," he says. "The main area where we see new attacks is via Bluetooth, and I think this will remain a key vector."
Danger in the middle
One aspect Hawkes is very worried about is radio. "The potential for man-in-the-middle attacks with a mobile is huge. The current trend among operators to move from large GSM transmitters to smaller Pico cells means that something the size of a briefcase can be a fully-functioning GSM cell, only it's monitoring all through-traffic," he warns. "GSM phones are designed to be connected to and roam seamlessly between the nearest and strongest signal, so you wouldn't notice anything wrong. You can buy a Pico cell for about EUR200. Imagine unscrupulous businesses installing them to intercept visiting delegates' conversations. People forget that GSM is a radio technology, and is therefore not very secure."
Another issue that may soon have an impact is the eventual adoption of mobile wallets and associated mobile payments. A recent announcement by the GSM Association detailed a new method of initiating local money transfers using mobile handsets in partnership with MasterCard Worldwide. The result will be a global hub that enables migrant workers to send money to their families back home using their mobile phone, according to the organisation.
Here today, gone tomorrow
The increasing advance of mobile devices into the corporate environment brings its own problems. PDAs and smart phones are being used to transport confidential data, often in sync with the desktop. Aside from the concerns attached to this evasion of the firewall, IT managers face a shift in the ways in which data can be lost. In the UK alone, 10,000 mobile phones are reported stolen every month.
"The more data you can fit on a device, the more risk you face," Richard LeVine, senior manager at Accenture's global architecture and core technology security practice, points out. "Of course, people now won't admit they have lost vital data, they just buy a new device and copy the data on to it again. Mobile working has become a concept, and there is no way of stopping your staff from doing it."
However, LeVine takes a radical approach: "The irony is that the people with the important information shouldn't be allowed to take it out of the building. The CEO really shouldn't be allowed to work remotely, due to the security risks. But workers lower down in the hierarchy have less information that would be useful for the bad guys. This isn't a popular view, but it's true from a pure security perspective."
The argument that corporates are at risk through mobile devices is a common one among experts. Hyponnen thinks that confidential data will be the first target. "We are seeing more targeted attacks in the online space generally, and mobile offers a new channel. One of the latest mobile viruses, dubbed Flexispy/Neocult, is actually designed to monitor people's phone usage - ideal for corporate espionage," he claims.
An increasingly common solution to this type of information leakage is the use of encryption. Companies such as Pointsec offer encryption software for smartphones, which also allows IT managers to keep track of data and devices and ensure policies are administered properly, although critics claim that the phones' limited processing power makes on-the-fly encryption unwieldy and affects performance.
It seems certain that the use of mobile devices to penetrate corporate security will be, in the short term, the preserve of those seeking specific information. But will we see the same mass infections of mobile handsets as we do now in the PC market? Probably, but not straight away, in Hawkes's opinion. "The mobile market is not there yet. I believe we're a couple of years away from the full convergence that will bring serious security problems," he says. "Bear in mind too, that operators and manufacturers are very keen not to see the same thing happen as with the PC market. It will eventually, but it'll be a slow process."
A few things are inevitable - more and more workers are using mobile devices and, as the adoption rate increases, so will the risk of security breaches, whether through accidental data loss or malicious attacks. These incidents are unlikely to bear much similarity to PC-based, wired threats. The mobile world has no perimeters and no boundaries to secure against the outside world. It offers opportunities and challenges that will be as dynamic as the environment they exist in. Your business has already begun to embrace mobile working, but has it thought about the implications?
VOIP - THE REAL COST OF INTERNET CALLS
The prospect of saving money on call charges is driving businesses to use their existing IP network for voice. The growth of VoIP has been rapid, and its gradual convergence with mobile technology is beginning to gather pace. Skype is also branching out into handsets, such as the SMC WiFi phone (pictured). This enables users to make Skype calls without using a PC and represents the tip of a very hefty wedge for mobile operators and businesses.
Alternative products are also available, including consumer-focused VoIP software for Symbian phones such as Truphone and a convergence appliance from Divitas Networks, which claims to allow access to a PC and deskphone functionality through a smartphone interface.
The possibility of spoofing and phishing over VoIP is widely recognised, and the same concerns apply to the converged, mobile flavours of the technology.
"A standalone handset sounds attractive, as it provides some separation between data and voice traffic," says Graham Titterington, VoIP analyst at Ovum. "However, the potential weaknesses are bypassing corporate communications policy checks and changes to call management settings made by hackers."
Despite mobile operators' and traditional telecoms companies' reluctance to see their voice revenues decline and the relatively low number of devices currently available, the market seems destined for growth in the long run.
Skype use alone in the enterprise has risen meteorically in the last year. A researcher from Cornell University found that Skype usage peaks during office hours and drops by as much as 50 per cent in the evening.
VoIP is beginning to see acceptance in many businesses. Titterington is cautious, however. "Cheap calls will attract people, but more thoughtful users will want to evaluate this in the context of total cost - including factors such as quality of service."
DEPERIMETERISATION - THE FUTURE?
The Jericho Forum (www.opengroup.org/jericho) was founded in 2004, with members including FTSE 100 members such as BP, ICI and Reuters, to focus on "deperimeterisation", a security concept that aims to move away from the hard security perimeter towards a world where just the data is protected. This becomes particularly relevant in a mobile world, where users will be outside any existing perimeter.
This approach relies on establishing trust within a network. Rather than simply locking down all access to data, progressive access is allowed. The underlying principle is to promote business and vendor acceptance of open standards for identity management, digital rights, encryption and data-level authentication.
Even Microsoft has recently lent its support. "Protection in the past has tended to gravitate around the topology of the network, along the lines of 'you can get at this segment or IP address but not that one'," says Craig Mundie, the company's chief research and strategy officer. "But today the demands are for a lot more flexibility."
However, not everyone is convinced. "The perimeter isn't disappearing," insists Brian Contos, chief security officer at ArcSight. "It is becoming more dynamic and, in some cases, shrinking, but it is certainly not going away. The dynamic nature of the perimeter is necessary to address the way people do business - VPNs, wireless, mobile devices and so on.
"This means looking at identity management, event correlation, physical and logical security convergence and the like. The days when the perimeter firewall was thought to protect organisations from all threats are gone," he adds.
10,000 mobile phones are reported stolen every month in the UK
4,000 street crimes are committed in London every month. More than half involve the theft of a mobile phone
1,200 of the victims of these attacks are specifically targeted for their handset
Source: Metropolitan Police Service National Mobile Phone Crime Unit
817 million - Total units of worldwide mobile phone sales in 2005, a 21 per cent increase from 2004
79% of worldwide mobile phone sales in 2005 were from one of the top six vendors
15 million - Total units of PDAs sold in 2005, a 19 per cent increase from 2004.