Communications Security: A moving target

Mobile devices' operating systems are vulnerable to attack, particularly through drivers where traditional protection from anti-virus software is not enough. New software approaches such as hypervisors provide some protection, but not enough to fully protect the system. Secure, segregated areas for critical code have to be combined with secure communications in order to provide protection for mobile devices.

An industry group of over 300 of the world's largest business and public sector organizations — The Information Security Forum (ISF) — is warning of an increase in malicious threats aimed at mobile devices including attacks from organized crime and industrial espionage, along with a rise in mobile malware and Web 2.0 vulnerabilities. As smartphone devices running application operating systems such as Linux and Symbian become more common, a widespread infrastructure is also evolving that provides a more attractive — and potentially lucrative — target to the hacker. While system developers often believe that the operating system will provide sufficient protection for the device, there are many threats the conventional OS simply cannot protect against.

Types of attacks

Several types of attacks on mobile devices are now being identified; from malicious code embedded on websites to downloads that embed themselves in the heart of the device. Many use the vulnerability of a crash in the operating system to gain access to the device, finding instabilities in the OS and creating a crash that puts the OS into its protected mode so that when the OS restarts, the malicious code is in place. Although devices may have some protection against such attacks, hackers are most ingenious in circumventing system defenses.

One relatively benign example that shows how to hijack the iPhone was demonstrated by Independent Security Evaluators (ISE) on their website where the iCalc application downloads additional code that gives a hacker control of the phone.

Such attacks can often come from code embedded into any website visited by the user of the mobile device. The site owner could very well be innocent — the site itself may have been maliciously compromised by hackers.

Once the device is compromised, it can then be used to send personal data such as credit card information and passwords to any location, or use the phone as part of a denial of service attack on other parts of the network, all without the user being aware of the activity. Apple has patched that particular vulnerability since it was made public last year, but it highlights the risks with mobile devices that are evolving into fully fledged computers. The researchers at ISE predict that devices running Windows Mobile will be targeted in similar ways.

Other threats are also embedded in websites that are increasingly sophisticated. The 'Silent Love China' virus uses SQL injection to infect a client, hiding the malicious code in an SQL string similar to the strings used to control the databases that hold the content. These can be on spoof sites, mocked up to imitate popular sites such as auction site eBay.