Is danger looming: Mobile vulnerabilities

Safeguard that tablet and smartphone, say industry analysts, or face imminent threat. Lucas Rivera reports.

While countless cyber criminals continue to wage war in the traditional realms of the internet, launching SQL injections, trojans and denial-of-service attacks, many industry analysts say a new tier needing protection has developed – tablets and smartphones – since these so-called consumer devices now also face endless threats from would-be cyber attackers.

While there has been a tremendous effort to secure traditional computers, today, mobile platforms are going through the same growing pains, says Bob Flores, founder and president of Applicology, a Vienna, Va.-based independent consulting firm specializing in cyber security. He also has more than three decades of experience working at the Central Intelligence Agency, where he served in the Directorate of Intelligence, Directorate of Support and National Clandestine Service.

Flores says that as businesses move more toward conducting their business over mobile platforms, they face a greater danger from nefarious cyber criminals. “Especially when you get into open systems, such as the Android,” he says. “There is a tremendous advantage to having an open platform, but it also makes it easier to hack.”

There has already been a paradigm shift from the internet to mobile platforms, he says. “I liken it to the state of the internet when it was young,” he says. “The internet was built for connectivity. Very few people thought the internet would become the super highway for information, outside of government and universities.”

He says mobile technology will generate countless partnerships and merger-and-acquisition activity in the coming years, so the makers of future mobile devices need to figure out ways to better secure them. 

“That is why Intel purchased McAfee,” he says. “They wanted to start embedding security at the chip level. The intent is to take the security features and build them into the Intel chips.”

Developers, he says, have got to get security down to its most fundamental basics possible. The challenge with all this is that there are now so many manufacturers of these products all trying to write to certain standards so the devices can all communicate with each other.

He adds that security requires vigilance on the part of any company's upper management. “What's important with security is that it requires an ongoing budget,” he says. “When you realize people can pick the lock on your fence, then you get a better lock.”

What's to stop these new threats? A number of industry observers point to the need for policies and regulations, and strict adherence to them. 

A specific policy must be instituted to monitor government and the private sector, says Bob Gourley, founder and chief technology officer of Crucial Point, a technology research and advisory firm. “You have to have good enterprise policy,” he says. “You have to put chief information officers and chief security officers in who will be held accountable for creating policy for their enterprise. In the federal government, it is agency by agency. In the corporate world, it is company by company.” Gourley also served as CTO of the Defense Intelligence Agency and was a senior executive with TRW and Northrop Grumman.

Brent Williams, president and CEO of Araxid, which is based in the Washington D.C. metro area and builds comprehensive trust solutions for businesses, says vulnerabilities on the mobile platform have reached critical mass. “We need to reset people's paradigm on how to actually secure the platform,” he says. “So if we just think of the mobile device as another tool with which to access the enterprise and the internet, and treat it as an analog of the traditional desktop, then what we need to do is secure the operating system and make sure it is hardened and controlled. We need to know how to prevent unwanted changes and unwanted monitoring. And finally, we need to prevent the installation of unwanted applications and unwanted eavesdropping.”

Williams says the mobile market has changed greatly, pointing to the fact that smartphones are no longer just phones, but mini-PCs, with consumers failing to realize that this makes them vulnerable to cyber crime. 

He singles out Android as quickly becoming the top destination for cyber criminals for two main reasons: It's trendy, and there aren't enough checks in place to safeguard the operating system. In fact, he says that adding an application to the Android Market is as simple as signing up as a developer and making apps available, tainted or otherwise.

“I think about where we were with Apple and Android five years ago,” Williams says. “We had nascent marketplaces for both Apple's App Store and Google [Play]. And in those nascent marketplaces, malware was only just beginning to come in and take advantage of the vulnerability.”

As the markets became better at verifying that malware, he says, the bad guys got better at hiding those things. They also started taking their wares to off-market locations. 

The threats can get far worse on platforms that have seen 90 percent of the top paid mobile apps hacked in some form, security firm Arxan Technologies found. Xuxian Jiang, lead mobile security researcher at North Carolina State University, masterminded and developed an archetype rootkit that attacks the Android platform. It can be downloaded with a tainted app and then manipulates the device. 

“I think smartphones are mainly focusing on the features,” he says. “I'm sure in the near future they will be concerned with protecting the device. We haven't reached critical mass, but we have to be concerned with a number of infections.”

Jiang also is the founder of the Android Malware Genome Project, a collaborative effort designed to improve an understanding of existing malware attacking the Android. So far, more than 1,200 malware samples have been collected for study, and as of last November, the project's research showed that Android security tools were behind in their ability to detect them. 


Photo: (L-R) Apple's CEO Tim Cook and Jonathan Ive, SVP of industrial design, with musician Dave Grohl, at the launch of iPhone 5 on Sept. 12. The revamp is aimed at widening Apple's lead over Samsung and Google in the $219.1 billion smartphone market. 

Photo by Justin Sullivan/Getty Images
