Mobile Security Strategies

What are the dangers and how do you deal with them?

Predicting security trends is a lot like predicting the weather. We will never be able to tell exactly what the temperature will be tomorrow, but we can have a pretty good idea of whether or not it will rain. The information security community has experienced continually changing security problems for a number of years and now has a very robust understanding of the security laws of physics: how and why attacks occur. Although specific situations are unique, the laws of physics never change. Today, lost and stolen devices are arguably the most prevalent mobile security threats. Looking forward, multiple trends are causing mobile devices to become both an easy and valuable target for criminals to attack. The good news is that we recognize the problems and can take steps today and in the future to prevent the scale of attacks that have plagued traditional networked computers.

Why are mobile devices easy to attack?

Residing on closed networks with a wide dispersion of operating systems, mobile phones have been relatively isolated from attackers; however, times are changing and mobile devices are becoming increasingly accessible. Devices are now participating in standardized, open networks. Instead of communicating only through legacy circuit-switched carrier systems, new devices are IP address-carrying members of the Internet and often have Bluetooth and Wi-Fi connectivity. Furthermore, the operating system dispersion that has made a mass-scale attack infeasible in the past is disappearing as standard operating systems such as Windows Mobile and Symbian overtake proprietary devices.

Bad code has been a significant (if not the most significant) contributing factor to security problems on computers as well as mobile devices—memory corruption, logic errors, and other bugs are still being found in software every day. As the demand for new features keeps mobile phone software changing rapidly, there are constantly new ways for bad code to be introduced. Meanwhile, as development cycles on mobile devices shrink, the probability of bad code in final products increases.

With servers and PCs, bad code is usually fixed with a patch. Mobile devices, however, are not as easy to update as other systems. Manufacturers of mobile devices often integrate software from dozens of independent software vendors (ISVs) and produce customized builds for each carrier they provide devices to. Unlike PC software, where each vendor can independently modify their code, mobile devices have a long update pipeline. In order for a manufacturer to patch a security vulnerability, they need to fix the code in every customized build. For large manufacturers, this can mean hundreds of carrier-specific pieces of firmware. Furthermore, after the fixes are complete, the firmware has to undergo internal QA testing as well as carrier and possibly FCC qualification. End to end, this process takes much longer and costs much more than an equivalent PC or server software patch. Because fixing security bugs takes so much more effort, our ability to respond to outbreaks is reduced, which makes mobile vulnerabilities very dangerous.

Even with significant security holes, criminals only attack mobile devices when there is sufficient incentive to do so. In the past, mobile devices were not sufficiently valuable targets for criminals to invest time in attacking them; however, as mobile devices are gaining the capability to initiate financial transactions, store confidential information, and have privileged access to network resources, the incentive to attack such devices continues to grow.

Why would a criminal attack an enterprise mobile device?

 
