Paul Ruggiero and Jon Foote
Mobile Threats Are Increasing
Smartphones, or mobile phones with advanced capabilities like those of personal computers (PCs), are appearing in more people's pockets, purses, and briefcases. Smartphones' popularity and relatively lax security have made them attractive targets for attackers. According to a report published earlier this year, smartphones recently outsold PCs for the first time, and attackers have been exploiting this expanding market by using old techniques along with new ones. [1] One example is this year's Valentine's Day attack, in which attackers distributed a mobile picture-sharing application that secretly sent premium-rate text messages from the user's mobile phone. One study found that, from 2009 to 2010, the number of new vulnerabilities in mobile operating systems jumped 42 percent. [2] The number and sophistication of attacks on mobile phones are increasing, and countermeasures are slow to catch up.

Smartphones and personal digital assistants (PDAs) give users mobile access to email, the internet, GPS navigation, and many other applications. However, smartphone security has not kept pace with traditional computer security. Technical security measures, such as firewalls, antivirus, and encryption, are uncommon on mobile phones, and mobile phone operating systems are not updated as frequently as those on personal computers. [3] Mobile social networking applications sometimes lack the detailed privacy controls of their PC counterparts. Unfortunately, many smartphone users do not recognize these security shortcomings. Many users fail to enable the security software that comes with their phones, and they believe that surfing the internet on their phones is as safe as or safer than surfing on their computers. [4]

Meanwhile, mobile phones are becoming more and more valuable as targets for attack. People are using smartphones for an increasing number of activities and often store sensitive data, such as email, calendars, contact information, and passwords, on the devices.
Mobile applications for social networking keep a wealth of personal information. Recent innovations in mobile commerce have enabled users to conduct many transactions from their smartphone, such as purchasing goods and applications over wireless networks, redeeming coupons and tickets, banking, processing point-of-sale payments, and even paying at cash registers.

[1] PandaLabs. "Quarterly Report PandaLabs (January-March 2011)." http://press.pandasecurity.com/wpcontent/uploads/2011/04/PandaLabs-Report-Q1-2011.pdf
[2] Symantec. "Symantec Report Finds Cyber Threats Skyrocket in Volume and Sophistication." http://www.symantec.com/about/news/release/article.jsp?prid=20110404_03
[3] National Institute of Standards and Technology. "Guidelines on Cell Phone and PDA Security (SP 800-124)." http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf
[4] Trend Micro. "Smartphone Users: Not Smart Enough About Security." http://trendmicro.mediaroom.com/index.php?s=43&news_item=738&type=archived&year=2009

© 2011 Carnegie Mellon University. Produced for US-CERT, a government organization.
Typical Attacks Leverage Portability and Similarity to PCs
Mobile phones share many of the vulnerabilities of PCs. However, the attributes that make mobile phones easy to carry, use, and modify open them to a range of attacks.

• Perhaps most simply, the very portability of mobile phones and PDAs makes them easy to steal. The owner of a stolen phone could lose all the data stored on it, from personal identifiers to financial and corporate data. Worse, a sophisticated attacker with enough time can defeat most security features of mobile phones and gain access to any information they store. [5]

• Many seemingly legitimate software applications, or apps, are malicious. [6] Anyone can develop apps for some of the most popular mobile operating systems, and mobile service providers may offer third-party apps with...