Botnets on cell phones in 2009?
About 15 percent of all online computers are infected with bots, says a new report (PDF) on emerging threats for 2009 from Georgia Tech Information Security Center. And according to Patrick Traynor, assistant professor at Georgia Tech's School of Computer Science, "We'll start to see the botnet problem infiltrate the mobile world in 2009."
In Traynor's view, if botnets, or large networks of infected computing devices, gain a foothold on mobile devices, they could be used to create a distributed denial of service attack on the cellular network itself, inconveniencing thousands of cell-phone customers.
But the future need not be so dire.
"Because the mobile communications field is evolving so quickly, it presents a unique opportunity to design security properly--an opportunity we missed with the PC," he wrote in the report.
Most people keep their PCs and operating systems for years, up to 10 years in some cases. Most people buy a new mobile phone every 2 years, on average.
"The short life cycle of mobile devices gives manufacturers, developers, and the security community an opportunity to learn what works from a security standpoint and apply it to devices and applications more quickly," wrote Traynor.
According to the report, researchers like Traynor expect standards for handset security to emerge within the next 12 months.
The report also called out four other areas of concern: greater prevalence of social-networking malware such as a recent botnet risk reported on Facebook, user-specific VoIP attacks such as the one presented recently at Toorcon, cyber-warfare such as the recent denial-of-service attacks against the nation of Georgia, and a maturing cybercrime economy like that in recent reports of "crimeware-as-a-service" packages for sale on the Internet.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 






iPhone just has more control over what you install, via AppStore.
Symbian has the certification security.
Android and the rest of them are just not enough of a target...
"iPhone just has more control over what you install, via AppStore."
I'd like to believe that, but as Apple has already demonstrated they do not test/verify/vet the applications that are submitted for actual content / usability, then I don't really have much hope that they would spot a trojan application in a game. They mostly check only to see if the application might compete with their own current or future products.
- by chash360 October 22, 2008 11:28 AM PDT
- Missed the security opportunity with the PC? No, they simply ignored it! When I started on the internet (before HTML or WWW) there was one solid rule of security: you NEVER EVER execute arbitrary code from a remote source. To do so is just asking for trouble. Now they have made such things standard. ActiveX, Java, etc., this is code being streamed to the client for immediate execution. Media players that follow embedded weblinks, etc. in media being streamed to them remotely are the same thing. If it can touch your file system, or operate in your memory/process space, without the end user's intervention, it is a security hole! The only code that should be executed on any computer, anywhere, is code intentionally installed, configured and executed by the user. No software should ever receive remote 'data', interpret it as actual executable code and operate upon it, plain and simple. Markup languages like straight HTML were secure from this originally. The code that executed was your browser; it interprets the remote data to display things on your screen in a somewhat predictable way. It allowed for atomic benign data to be sent in independent isolated transactions to go back and forth between client and server, and that's it! If it did not understand the data sent to it, sent in the wrong format etc., it was discarded! If it needed to retain data from page to page you had to carry it over from transaction to transaction. No storage in objects created at runtime, no possibility for buffer over/underruns, in fact no objects created by anything from the remote site. Your browser should be able to create everything it needs before even touching the network. Few exceptions exist, like saving or sending a file to/from a remote source, required user response to give it a path.
Please, none of you 'professionals' seem to know a damn thing about computer security, I doubt cell phone security will be any different. You seem to like the flaws and holes, so you can sell more junk!