Defense in Depth

October 22, 2008 12:09 PM PDT

Mobile phone malware in our future?

by Robert Vamosi

Last week, a new report (PDF) on emerging threats from the Georgia Tech Information Security Center mentioned, among other predictions, that botnets were likely to hit mobile phones sometime in the next year. On Tuesday, I spoke with VeriSign CTO Ken Silva about that possibility and why it might happen within the coming year.

"Criminals will go where the money is," Silva told CNET News. "If you start doing things of financial interest with your mobile phone, they will find a way to get your money."

Silva said the mobile phone market is changing. Today's mobile phones don't just make phone calls, they stream video and support content. "Most consumers did not care about a smartphone until Windows Mobile, the Apple iPhone, and now Google Android came along. Now more and more consumers want smartphones. Kids want them; it's a cool phone to have."

Silva said that smartphones tend to use either Java-based Blackberry OS, Mac OS, or Windows Mobile OS as platforms, and it is this standardization of operating systems that should make it easier for criminals to target their victims. The way mobile users browse the Web already is standardizing. With Windows Mobile you have Internet Explorer, and on Apple's iPhone you have Safari. Both of these browsers have vulnerabilities that can be exploited, although not always on the mobile version.

Another compelling reason to think malware is coming soon to your smartphone is more bandwidth. Because of the streaming media options, this year's phones process data much faster than last year's models.

One possible malware vector might be new application downloads. "People are thirsty for applications to run on their devices," Silva said. "Despite the fact Apple has gone to great lengths to make sure the applications are signed (and) have gone through a vetting process, users continue to break their iPhone and install software outside the channel."

Silva doesn't, however, think denial-of-service (DoS) attacks will be the first choice of botnets operating on mobile phones. For one thing, DoS attacks require always-on computers, and mobile devices are not always on or connected to the Internet.

He ranks DoS attacks second behind data theft. "These smartphones now have e-mail on them--and also corporate e-mail on them. We're doing more personal transactions with them." Silva thinks it's the rise of mobile payments and the popularity of banking on mobile phones in Europe and Asia that are leading malware to the mobile phone.

"If we've learned nothing else from the desktop, we should have learned that software needs to be secure right from the get-go." We have an opportunity on the mobile platform to write secure code, he said, knowing what has happened on the desktop.

As for the current status of botnets operating on mobile phones: "Definitely theoretical." But Silva adds, "Someone--just to prove the point--will develop a toolkit to do it." So it's never too early to be thinking about this problem.

July 3, 2008 2:22 PM PDT

Researcher faults Apple iPhone on security updates

by Robert Vamosi

A leading Mac OS X researcher says Apple has not kept the iPhone operating system up to date with patches it has issued for the desktop.

The iPhone runs a stripped-down version of Mac OS 10.5 and automatically checks for security updates. The last update for the phone, 1.1.4, was issued in February.

That means iPhone users are still vulnerable to a flaw discovered by Charlie Miller in March.

During the CanSecWest conference, Miller found and used a buffer overflow in Safari in the Apple WebKit to win a $10,000 "Pwn to Own" contest. Apple patched Miller's Safari vulnerability for the desktop in April, but so far has not issued a similar patch for the iPhone.

Miller told the Washington Post recently he has an exploit of the flaw that will work on the iPhone.

Meanwhile, ZDNet's Ryan Naraine points out that there's another upcoming iPhone exploit expected soon from Aviv Raff.

Speculation within the security community is that Apple is currently focused on the 3G version of the iPhone. Upgrades to current iPhones may be pushed out in advance of or concurrent with the July 11 release of iPhone 2.0.

Apple does not respond to requests for comment on its software security policies.

April 29, 2008 10:33 AM PDT

iPhone now supported by Check Point VPN-1

by Robert Vamosi

On Tuesday, Check Point Software Technologies announced support for the Apple iPhone through its Virtual Private Networking (VPN) software tool VPN-1.

Using the iPhone's embedded Layer 2 Transport Protocol (L2TP) client, VPN-1 is able to provide secure, encrypted access for iPhone users communicating with enterprises currently running Check Point's VPN-1 gateway.

March 18, 2008 10:14 AM PDT

Web code locks up iPhones and iPod Touch

by Robert Vamosi

A new exploit will either lock up your iPhone or iPod Touch or crash your Safari browser on your PC or Mac OS desktop if you simply visit a maliciously coded Web site. Unlike an earlier exploit that required users to click to become infected, the new code published by iPhoneWorld requires no user interaction.

So far, Apple has had no comment.

The code was first reported in January and exhausts the memory in Safari, which in turn will cause your iPhone or iPod Touch to freeze, or your desktop Safari to crash. "Given the nature of this issue," said the BugTraq newsgroup vulnerability report, "remote code execution may also be possible, but this has not been confirmed."

There is no patch available from Apple. The recommended workaround is to disable JavaScript within Safari. To do so:

    1. Under Edit, click Preferences.
    2. Click the Security icon.
    3. Uncheck Enable JavaScript.
    4. Close and restart Safari.

January 8, 2008 11:02 AM PST

First iPhone Trojan horse reported

by Robert Vamosi

Seen more as a prank than an actual threat, a Trojan horse for the Apple iPhone, first reported on Saturday, has already come and gone. Still, users should be on the lookout for a package called "iPhone firmware 1.1.3 prep," described as something you need to install before updating to the new 1.1.3 firmware. Billed as an "important system update," the code does little more than cause annoyance. According to various sources, once the Trojan is installed it simply displays the word "shoes."

However, the Trojan also overwrites several legitimate applications, including Erica's Utilities, Launcher, Doom, and OpenSSH, meaning that if you uninstall the Trojan, you will need to reinstall these applications later. This appears to be a consequence of poor programming.

The risk to iPhone users is now considered negligible since the host sites have all been taken down.

As antivirus vendor F-Secure concluded in its blog, "This time it was an 11-year-old kid playing with XML files who created the Trojan. Next time it might be someone else with more skills and with specific target."

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.