This morning, while driving to work, I tuned in to NPR as usual. On air, in one of the techie segments that NPR did this morning, was Kevin Mitnick. Mitnick was at one time on the FBI’s most wanted list for hacking into phone systems, corporate networks and the like in the 80s and 90s. He was eventually arrested, served time and was released in 2000. He then went on to found a security consultancy that helps corporations secure their bases from malicious hacks, among other things. Mitnick is to many a hacker what Tony Hawk (Hack?) is to millions of aspiring kids with a skateboard itch.
With that as a background, what really caught my attention was Mitnick’s answer to the question that I’ll try to paraphrase.
Interviewer – “Mr. Mitnick, what in your mind is the next frontier for hacking?”
Mitnick – “Simple answer – mobile phones!”
And then Mitnick went on to lay out some hacking scenarios in the mobile phone space. I have been digging deep down into the mobile security space in the context of mobile payments for some time now, and Mitnick’s answer resonated with me. As this market literally explodes, the risk of malware, viruses and the like hitting mobile phones also compounds. The risk is even greater with smartphones, where everything is converging.
With CMD’s (Converged Mobile Devices) becoming the center of the universe for a huge population, the security risk is very real. I am always drawn to compare the mobile world with the world that’s fast taking a back seat – the world of PC’s and, to an extent, laptops. I am no expert in security, but my opinion is that device security was a more controlled beast in the PC/laptop world. Over time, it became well understood, and many corporate and consulting organizations devoted a lot of manpower and intelligence to protecting electronic assets. Furthermore, there were only a few OS’s used in the corporate world – MS Windows, Linux (UNIX) and Mac OS. The limited proliferation of OS’s was helpful in containing millions of attacks (millions, because we’ll never know of these attacks as they were quietly dispensed with). Despite all those efforts, there have been well-known hacks that did make it through the defenses and caused widespread grievances.
On the other hand, mobility is relatively new – well, not really. As smartphones drive feature phones to a rapid extinction, the threat becomes more real. In large part it is because the CMD has now become a repository of personal, corporate and social information. And this information can easily be put to many nefarious uses. Furthermore, there are several OS’s in use – Apple OS, RIM, Symbian (on its way out), Android, Bada, Palm/Web OS – each of which makes it even more difficult to secure bases. RIM arguably had the best end-to-end OS when it came to security and hence became the preferred corporate device choice. But with more and more companies now favoring the BYOD (Bring Your Own Device) model, the IT edge is now sitting on these CMD’s with varying OS’s. An unprotected edge is a risk to the entire corporate network.
According to Mitnick, OS vulnerabilities could be taken advantage of by malware to access the Outlook client on the device. Once that happens, the address book is compromised, and with some social/behavioral engineering it could be determined what emails the device owner would be inclined to answer and at what time. Email can then be spoofed with a very authentic-looking PDF from a supplier/vendor/partner/colleague or even the boss. Once the PDF is opened (say in a corporate setting), the laptop/PC is compromised, giving the attacker access to the entire corporate network. This is a time-tested route, but what is interesting here is that your Gmail, Yahoo and Hotmail accounts could just as easily be compromised on the mobile device. Add to that, once the mobile device is infected, other accounts such as your bank accounts, social networking accounts, etc. could also be hacked into. Once the device is compromised, the attacker is most likely going to profile the person before attacking at the most opportune moment (inopportune for the device owner, of course).
I know I am laying out a lousy what-if scenario, but these attacks will happen. It’s not a matter of if, but when. That said, there are a number of companies working to ensure that these attacks are mitigated. Companies that are already in the security business, such as Kaspersky, AVG, Check Point, PGP, F-Secure, McAfee, Symantec, etc., have now begun to focus on securing the mobile space. Companies such as RIM, Good Technologies, Zenprise, etc. that are already in the mobile security business are shoring up their foundations.
One technology that holds promise in this respect is mobile VT (Virtualization Technology). More on this later. Location-aware security is another feature that’s being looked into. For example, in certain geographical locations, the mobile device will have full access to, say, corporate email and folders. In other locations, there will be no or limited access. Such a technology will use the GPS capabilities on the mobile phone.
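The location-aware access rule described above, as an added example (not from the original post or any vendor’s product). The zone names, coordinates, radii and the staleness threshold are constructed assumptions; the policy fails closed when the GPS fix is stale or too imprecise to place the device inside a zone.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000


@dataclass(frozen=True)
class Zone:
    name: str
    lat: float
    lon: float
    radius_m: float
    access: str  # "full" or "limited"


# Constructed sample policy, ordered from most to least privileged.
ZONES = [
    Zone("hq-campus", 37.4220, -122.0841, 300, "full"),
    Zone("metro-area", 37.4220, -122.0841, 40_000, "limited"),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two GPS coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def access_level(lat, lon, accuracy_m, fix_age_s, zones=ZONES, max_age_s=120):
    """Return 'full', 'limited' or 'none' for a reported GPS fix.

    accuracy_m is the radius of the fix's uncertainty circle; the whole
    circle must lie inside a zone before that zone's access is granted.
    """
    if accuracy_m is None or fix_age_s > max_age_s:
        return "none"  # no usable fix: deny rather than guess
    for zone in zones:
        distance = haversine_m(lat, lon, zone.lat, zone.lon)
        if distance + accuracy_m <= zone.radius_m:
            return zone.access
    return "none"
```

Device-reported coordinates are only as trustworthy as the device itself, so a check like this is one input to an access decision alongside authentication and device health, not proof of location.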
Are you concerned about securing your mobile device? Or do you even care?