Researchers mention myriad possibilities when asked where mobile security is headed in coming years — yet all predict that securing non-stationary devices will become a greater priority for corporations. Mikko Hyppönen, chief research officer for Helsinki-based vendor F-Secure, says it's too early to tell if or when malicious attacks on mobile devices will become as commonplace as they now are on PCs. However, a "nightmare scenario" could occur if a mobile virus using a remote exploit code is found — "something that would be able to infect phones without the user doing anything at all."
His prediction could be on its way to becoming true. The first viruses spreading through multimedia message service alerts and Bluetooth phones were discovered in the past two years, followed by a crossover virus affecting both Microsoft PCs and mobile devices. In response, a number of vendors are now offering anti-virus solutions for mobile workstations.
On top of these occurrences, the average smart phone user is soon likely to see some security issues that already plague PC users: botnets using mobile devices to send spam via short and multimedia message services and for-profit mobile viruses, Hyppönen adds.
"We're seeing a big increase in the amount of mobile viruses. We just passed the threshold of 200 different mobile viruses. It's getting harder, but obviously it's still much more common to get hit by PC viruses than mobile viruses," he says. "I'm convinced we will be able to contain this problem much better than the PC virus problem."
IT professionals are not the only ones aware of this situation. Hackers are expected to look for ways to access company networks — as well as stored personal information — on mobile devices.
Mark Komisky, CEO and co-founder of Bluefire Security Technologies, a Baltimore, Md.-based mobile security vendor, says remote access to corporate networks is a top challenge to security professionals — one that will only become more difficult.
"People are accessing a lot of corporate networks from different places," he says. "What we're seeing right now is a number of proof-of-concept viruses and fairly low-level attacks. The actual viruses have more of a 2006 and 2007 timeframe."
These risks are compounded when IT professionals face the all-too-common mixture of corporate network use and personally owned hardware, according to Stu Vaeth, CSO of Diversinet, a Toronto-based mobile device security vendor.
"People are using their own devices for logging on to professional networks," he says. "This is something that IT managers have to deal with in data protection."
Like security for home PCs, much of the changing mobile security landscape depends on how much of the market is eaten up by Microsoft, says Komisky.
"If Microsoft has its way, it will have a much larger share of the market," he says. "In terms of data-enabled devices, Microsoft will have a much larger slice of the pie."
If Microsoft indeed does obtain a considerable portion of the mobile device market, the software giant would unintentionally be doing malicious users a favor. In this scenario, hackers could concentrate on exploiting flaws in just a few operating systems, says Komisky.
"There is a convergence going on here. It started about five years ago when there were a zillion different operating systems. Now you're starting to see three or four dominant operating systems," he says.
Chris Parkerson, senior product marketing manager, developer solutions, RSA Security, Bedford, Mass. (which is to be bought by EMC), disagrees. He doesn't believe Microsoft will ever control anywhere near the market share of mobile software that it enjoys with PC software.
"Microsoft is a very long way off from having the same kind of dominance they have now in the PC world," he says, adding that some degree of variance of operating systems will remain constant.
No matter what operating systems mobile devices use in coming years, smart phone and mobile users will want access to the same conveniences they have on their home PCs. One of those — home banking — is becoming a driver for more secure mobile applications, says Vaeth.
Financial guidelines, such as new Federal Financial Institutions Examination Council standards requiring expanded use of multifactor authentication, are helping to raise the bar for security features on mobile devices.
Customers accessing their accounts from the bus stop or corner bistro doesn't just make banking more convenient for mobile users, it also saves the banks money, says Vaeth.
"If consumers are worried about identity theft, they're going to shy away from online banking," he says. "For every $1 a bank spends on a bank transaction, it spends 10 cents at an ATM and a penny for every online transaction."
What to watch out for
The following factors will lead to an increase in threats for smartphones:
- The percentage of smartphones in use is growing, making attacks more profitable.
- The number of people interested in conducting an attack will also increase.
- Smartphones are becoming more functional and powerful, and will squeeze PDAs out of the market. This will then offer both viruses and virus writers more functionalities to exploit.
- The increase in functionality leads to an increase in the amount of information stored on smartphones. In contrast to standard mobile phones, smartphones have information usually stored on PC hard drives.
Source: Kaspersky Lab