Researchers Outline Hurdles for Mobile Security
According to a newly released security advisory report out of Georgia Tech, attacks against smartphone applications and browsers will continue to rise as the adoption of tablets and smartphones increase.
"Mobile applications are increasingly reliant on the browser," said Patrick Traynor, GTISC researcher and assistant professor at the Georgia Tech School of Computer Science. "As a result, we expect more Web-based attacks against mobile devices to be launched in the coming year."
The Emerging Cyber Threats Report 2012, presented at last week's Georgia Tech Cyber Security Summit 2011, focused specifically on the rise of vulnerabilities from mobile browsers and applications that are reliant on an Internet connection. In one example of this, researchers discussed that smartphone users aren't as aware as desktop and laptop users when a malicious link is clicked due to the smaller screen size and disappearing address bar.
Another reason given was due to the fact that Internet security protocol information is either lacking or hard to access on mobile devices. "If you're a security expert and you want to see the SSL certificates for a site from your mobile phone browser, it is extremely difficult to find that information -- if it's there at all," said Traynor. "And if a security expert can't verify a connection and a certificate, how do we expect the average user to avoid compromise?"
The report points to not only the lack of verification by security experts, but also the lack of overall problem solving when vulnerabilities do arise. The report cited that device constraints and "tension between usability and security" make it difficult for security experts to devote time to debug issues.
This is evident in that, unlike traditional Web browsers, mobile browsers rarely get fixes for issues that arise over time. "One of the biggest problems with mobile browsers is that they never get updated," said Dan Kuykendall, co-CEO and chief technology officer for NT OBJECTives. "For most users, their operating system and mobile browser is the same as it was on the phone’s manufacture date. That gives the attackers a big advantage."
Another disadvantage to mobile security is in the case of how quickly a patch or fix can be applied on the rare instances of updates. While fixes can be turned around in a matter of days for a specific vulnerability, it can take months to roll out, due to OS limitations and carrier testing and regulations, giving would-be attackers plenty of time to exploit the hole before going unpatched.
Georgia Tech's security report forecasts that attacks will become more sophisticated and numerous in the next few months, especially for those targeting the Android and iOS platforms. During the study, researchers have noticed an evolution of attacks on these two mobile OSes that rival computer viruses.
"The Zeus-in-the-Mobile (ZitMo) and several other examples of Android malware are acting more like traditional bots by communicating with a command-and-control (C2) architecture," said Gunter Ollmann, vice president of research for Damballa, in the report. "This marks an evolution beyond premium rate fraud and other tactics that do not rely on C2, and makes mobile devices as susceptible to criminal breach activity as desktops."
While criminal breeches of tablets and smartphones and the spreading of malware are growing risks in the mobile security landscape, researchers at Gergia Tech also point to these same devices being used to spread harmful programs to desktops.
Researchers noticed an uptick of security incidents involving the upload of harmful software through a mobile device connected to a traditional PC. This attack, while not new, had previously been associated with the transfer of malware through USB devices.
The threats report advises that with the growing increase of smartphone and tablet attacks, security protocols need to evolve with the attacks, especially in the enterprise setting.
"As mobile devices become an increasingly attractive target in the integrated economy, it is critical for organizations to adopt a multi-faceted strategy that leverages the right combination of security best practices with business technology requirements," said Tony Spinelli, senior vice president and chief security officer of Equifax.