Mobile devices have become the primary medium for business and personal communications. Mobile spam, as a relatively new means of duping unsuspecting users, can spread quickly so immediate action must be taken to protect users. For many reasons, patch management and client side application are not the solutions for SMS vulnerabilities.First, the process of getting millions of subscribers on the network to update their devices to the latest patch level or security applications, across multiple smartphone operating systems is ominous. Second, some devices don't even support over-the-air provisioning – leaving users to manually upgrade their devices. This process can take months which leaves users vulnerable to serious attack.
Solutions that provide SMS protection in the network infrastructure could immediately prevent these attacks for all network users. Network level solutions are able to block malicious SMS messages before they are sent to the device, preventing the messages from even being delivered.
– Jamie de Guerre, CTO, Cloudmark
Defense-in-depth is widely accepted as the proper way to approach security. To argue that network level protection is better than device patches for any vulnerabilities is to promote single point of protection over defense-in-depth.
While network level security does make sense and has a place, it would be absurd to not fix a device vulnerability in the mistaken belief that network-level security is infallible. Whenever and wherever software is found to have exploitable vulnerabilities, the problems need to be addressed immediately, rather than ignored.
There is no perfect security in this world, but when your first line of defense is also your last line of defense, it is not a good position to be in.
There is no doubt that the network has a critical role to play in preventing malicious SMS attacks. However, anything that can be done to make the devices themselves more resilient to such attacks enhances overall security, and that is a good thing.
– Randy Abrams, director of technical education, ESET