July 24, 2006 11:53 AM PDT

Security firms squabble over mobile threats

After launching a mobile-security service last week, Finnish antivirus specialist F-Secure is being accused of magnifying threats to smart phones.

Software and services company CA in a statement Monday said F-Secure is marketing its service, which is designed to help protect mobile devices against malicious software, by carrying out a sustained campaign of hype.

"F-Secure is saying there's a huge risk of malcode spreading, but they've built this up," said Simon Perry, the European vice president of security for CA. "If you look at their behavior, they've consistently pushed this message. But it's a theoretical; not a real threat."

Related coverage
Is your cell phone due for an antivirus shot?
Security and wireless industries disagree about how to fend off emerging threat.

The Finnish company signed a deal with U.K. wireless service provider Orange last week to provide security for the operator's smart devices.

Matias Impivaara, director of mobile security for F-Secure, denied that the company had engaged in hype.

"It's amusing--the idea that I could sell something to an operator that they don't need," Impivaara told ZDNet UK. "Orange had a formal procurement process, where they put the contract out to tender, based on their own analysis. It's a process that doesn't happen by accident."

The company's marketing machine is not so big that it could change the opinion of the world, Impivaara added. "It's flattering for me as a salesperson, but I'm just not that good," he said.

CA, which makes corporate security products and the eTrust consumer protection range, insists that the threat to smart-phone users is minimal and that Orange customers are better off not spending their money on mobile security. "Dig below the skin, and the message stops sounding pithy and starts smelling rather rotten. At the core of the rot is the mostly undeniable fact that there is no threat to protect against," Perry said.

F-Secure accepted that there were few examples of malicious software targeting smart phones at the moment, but it said cases had been seen in the wild. "It's not a global epidemic, but there are real people who have got it. There have been several tens of different viruses. (These are the) early days for mobile virus writers," Impivaara said.

CA said criminals do not have an economic incentive to develop malicious code and that the risk of such attacks spreading around smart phones is minimal because of a lack of interoperability between platforms and phone models. Network services don't allow for the fast spreading of code from phone to phone, and user interaction is required for any viruses to spread, the company added.

It said F-Secure has created an atmosphere of fear, uncertainty and doubt to sell its product, undermining the relationship of trust that has been established between the industry and vendors.

"While F-Secure's bankers and owners may be pleased with the cash flowing into their coffers from the deal, every security professional should be appalled by the perception this creates of our market," Perry said. "Industry and vendors are now more consultative and honest about risks, not just beating something up to sell it. F-Secure has done the industry a disservice."

F-Secure's Impivaara responded by saying that both mobile operators and clients had approached the company.

"It could be bad for the industry if we were trying to scare people, but people call us with real problems and real viruses. We have created a solution to these threats for our customers. If we have mobile operators coming to us, we would be quite stupid to turn them down," he said.

"I have difficulty understanding how this can be bad for (the antivirus) business. This is not a mass problem for all consumers. But our solution is available to those who need it, and there are people who need it today," Impivaara added.

Tom Espiner of ZDNet UK reported from London.

See more CNET content tagged:
F-Secure Corp., Finnish company, Computer Associates International Inc., corporate security, smart phone

5 comments

Join the conversation!
Add your comment
Smart Phones = Smarter Hackers
These issues won't go away because these smart phones represent a brand new technology full of flaws. All that this new technology means is that we now have to worry about security issues from our own pockets. It is good that some companies have taken this challenge head-on, we need to think if the positives of these phones still outweigh the problems with security etc.
<a class="jive-link-external" href="http://www.essentialsecurity.com/features.htm" target="_newWindow">http://www.essentialsecurity.com/features.htm</a>
Posted by Nkully86 (59 comments )
Reply Link Flag
Smart Phones = Smarter Hackers ?!!!!
It is interesting to see that Nkully86 appears to be a "security" vendor. NKully86's statement "these smart phones represent a brand new technology full of flaws" is typical "FUD" (Fear, Uncertainty, Doubt). Where are the evidences? When was the last time a malware outbreak significantly impacted smart phone users? Is a wide scale outbreak even possible? I applaud Simon Perry for his honesty. He acts as a responsible security professional, bringing a touch of reality to this debate. I suspect Orange bought this solution as a marketing gimmick.
Posted by Secure2me (2 comments )
Link Flag
Smart Phones = Smarter Hackers ?!!!!!
It is interesting to see that Nkully86 appears to be a "security" vendor. NKully86's statement "these smart phones represent a brand new technology full of flaws" is typical "FUD" (Fear, Uncertainty, Doubt). Where are the evidences? When was the last time a malware outbreak significantly impacted smart phone users? Is a wide scale outbreak even possible? I applaud Simon Perry for his honesty. He acts as a responsible security professional, bringing a touch of reality to this debate. I suspect Orange bought this solution as a marketing gimmick.
Posted by Secure2me (2 comments )
Link Flag
on Orange and smartphones
Disclaimer: I used to work for Orange. I designed custom software to run on smartphones.

First of all, the operating systems for smartphones can be configured to disallow applications from running if they are not cryptographically signed. Orange has a signing program for this specific purpose. Secondly, it is not possible AFAIK for virii to automatically install on a phone. On Symbian, the most common smartphone operating system, the user must click through several warnings to install any kind of software. The user would have to be pretty dense to deliberately infect themselves with a virus.

The fact that f-secure wheedled a contract out of Orange is not that surprising. Despite the fact Orange does in fact run a wireless network, the kind of people in procurement and product management are staggeringly non-technical. Coupled with the incredibly risk adverse culture of european businesses and within Orange, a slick F-secure salesman could convince Orange to buy their software. Heck, Orange is probably so stupid they convinced themselves first.
Posted by harshaw (1 comment )
Reply Link Flag
F-Secure's Hype Machine
Great story!

We just want to drop you a line to say that we 100% agree with CAs comments. We own and market a rather popular product called FlexiSPY. As soon as we launched it, F-Secure was all over us and telling everyone what a threat we were. They labeled us the Worlds First Trojan for Mobile Phones.

In fact, after we fixed the issues F-Secure reported, we emailed them and and informed them of the update to our product, sent screen shots, and even offered to give them a copy to test. We never got a reply. I guess they wanted to keep the hype going and didnt expect we would act so quick? You can read more on our BLOG at <a class="jive-link-external" href="http://flexispy.blogspot.com/" target="_newWindow">http://flexispy.blogspot.com/</a>

I think CA is right, F-Secure is all HYPE.

Cheers!

www.flexispy.com
Posted by flexispy_me (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.