Current Event: Beware, Cellphones Attacks Next
[Devy Pranowo and Xia (My) Cam]
A report from the Georgia Tech Security Center predicts that botnets were likely to hit mobile phones sometime soon. Botnet <http://en.wikipedia.org/wiki/Botnet> can be delivered to machines through email or instant messages, which now is a feature many smartphones have. Because of the developing cellphone culture all over the world, what’s on cellphones can be great treats for attackers.
There are many reasons why this problem might arise. Cellphones are now essential in people’s lives. Many smartphone is taking over the market because it can do much more than just making voice calls. These phones can take pictures, send text messages, and send emails. Furthermore, now that cellphones can access the internet, people can download applications to run on their phones and might not be aware if they’re installing malicious software. The more prevalent use of cellphones and the more advanced technology adapted on cellphones means there will be more people impacted from unwanted malicious attacks.
At least for now, there is no evidence of attacks aiming at cellular phones, however the loopholes are there. As cellphone technology advances, it’s only matter of time. For now, since technology of cellphone has room for growth, there are opportunities to incorporate better security mechanisms as we develop cellular technologies. Also, it is important to educate user not to open unknown emails or URL that will allow Trojan, viruses, or worms to infect user’s cellphone and thus allow control of cellphone by attackers. The latter is the best way to prevent social engineering attacks.
Cellphone attacks may also relate to a bigger part of personal data security. As cellphones becoming important tools for personal and corporate communications, this is another way for attackers to gain private information. For example, attackers can easily obtain social security number or credit card numbers.
We think the reason there hasn’t been major attacks on cellphone is because there are so many different OS (Java-based Blackberry OS, Mac OS, Windows Mobile OS, etc) running on today’s cellphones, making it harder for attackers to create malicious code for them. But it’s better that some prevention should be done before bad things happen. For instance, cellphone producer should give warnings to user before they do potentially unsafe actions or download information from the Internet. With the warnings, users will be more aware of potential dangers of entering information or accessing data via their cellphones.
Article source:
http://www.networkworld.com/news/2008/101608-report-botnet-spam-attacks-to.html
Comment by Ethan Apter
January 9, 2009 @ 7:31 pm
At first I felt a little dismissive toward this (I suppose I don’t have the security mindset yet), largely because the computational power of cellphones pales in comparison to that of personal computers. I felt similarly about the notion that using someone else’s cellphone drains their battery power.
Of course, then I thought about it and I was clearly wrong.
I first thought draining the battery was a mere inconvenience (which is all it is in many circumstances). However, many of us have our cellphones at least partly for the security of being able to call for help in an emergency. If your battery was run down during the day (without you noticing) and then you needed to make an emergency call, you’d have a problem.
Similarly a denial of service attack to the cellular networks could be devastating, especially if the right target was chosen. Having all the botnet cellphones dial 911 would take out 911 assistance for a large number of cities very quickly. Depending on the capacity, these attacks may even be able to perform denial of service on a cellular network itself.
I don’t think having many different OSs on phones particularly helps with security: if I wanted to stage one of these attacks, I would just go ahead and start it anyway while just accepting the fact that not all cellphones would be receptive of my exploit. It seems like having the entire contact list of an exploited phone would guarantee at least a few more infectable targets for a significant number of iterations.
Comment by Kevin Wallace
January 9, 2009 @ 8:17 pm
Also worth considering is that most malware authors are not after processing power. In addition to the possible DoS attacks you describe, I can see cell phones being a huge target for botnet owners, due to the increasingly commonplace high-bandwidth internet connections they have access to. I would also imagine that smartphones make particularly useful targets for keyloggers.
I would argue that this actually hurts security – each different platform brings with it a new set of vulnerabilities, decreasing the overall security of the network.
Comment by stasis
January 9, 2009 @ 10:10 pm
I would argue that this actually hurts security – each different platform brings with it a new set of vulnerabilities, decreasing the overall security of the network.
I would strongly disagree. Diversity in platforms, configurations, etc. tends to reduce the effectiveness of attacks. It may increase the number of potential vulnerabilities, as you say, but any given vulnerability will be less virulent. The fewer assumptions an attacker can make about the configuration/vulnerability of a target, the slower it can spread. It may be the case that any contact list may yield a few new targets with the same device, but a few is not enough in order to stage an effective attack. It is still a security risk, but the diversity helps contain how fast an attack can spread. Just like in biology, it’s good to spread the genes around.
I think the reason there hasn’t been major attacks on cellphone is because there are so many different OS (Java-based Blackberry OS, Mac OS, Windows Mobile OS, etc) running on today’s cellphones…
This may be true (and the huge popularity and pervasiveness of the iPhone may make such an attack even more imminent) but there are other factors at play here. One such factor is the time it may take attackers to adapt to the changing view of the cell phone. Smart phone are effectively portable, low-power personal computers, but I think an important part of the reason why a large attack has not happened yet is the high availability of susceptible personal computers. Why attack a smart phone, when there are many times more PCs out there? My impression is that the rationale for the absence of a large-scale smart phone attack can be seen as comparable to the absence of a large-scale attack on Macintosh computers. Until the market-share is high enough and the devices are standardized enough, a reasonable (though not necessarily sufficient) amount of security can cause attackers to go after bigger game.
The last point I want to bring up is that, up until recently (with the iPhone and Blackberry), the notion of having an unlimited data plan had not yet reached the middle class. Thus, only recently has the infrastructure be put in place for traditional bandwidth-intensive attacks to be used for smart-phones. A few years ago not many people used their phones to connect to the internet, even if the phones were capable. Smart phone attacks only seem reasonable if most people have data plans to allow the attacks over.
Comment by James Peck
January 9, 2009 @ 10:51 pm
About having many operating systems, I would think that it would help security from a certain perspective. True, as Kevin Wallace pointed out, there would be more total vulnerabilities, but the variety of OSs would help make it difficult for an attacker to affect all cellphones at once. As in nature, where genetic variety prevents an entire species from being wiped out by a single disease, the varying OSs in cellphones would mean that it is less likely for a single attack to affect all of them.
Another possible gain for an attacker aside from the ones mentioned in the article could be feeding a cellphone code to make it send text message spam to all the numbers in its records. Obnoxious advertisements could be spread quickly at the victim’s expense. Fun.
Comment by jap24
January 9, 2009 @ 10:55 pm
Grrr. I made a comment but wasn’t logged in, so it doesn’t appear properly. Here are its contents, and sorry if it shows up twice:
About having many operating systems, I would think that it would help security from a certain perspective. True, as Kevin Wallace pointed out, there would be more total vulnerabilities, but the variety of OSs would help make it difficult for an attacker to affect all cellphones at once. As in nature, where genetic variety prevents an entire species from being wiped out by a single disease, the varying OSs in cellphones would mean that it is less likely for a single attack to affect all of them.
Another possible gain for an attacker aside from the ones mentioned in the article could be feeding a cellphone code to make it send text message spam to all the numbers in its records. Obnoxious advertisements could be spread quickly at the victim’s expense. Fun.