Tough Task: Smartphone Security

Monday, August 8, 2011 @ 01:08 PM gHale

Nothing in life is impossible, unless of course you are looking to secure mobile devices.

At least that is what a panel of security researchers who spoke at the Black Hat Security Conference last week in Las Vegas believes.

There are so many ways an attacker can compromise phones, from the infrastructure all the way down to the application level, that defending against all of them is highly problematic.

Attacks against smartphones such as BlackBerrys, iPhones and Android phones have become prevalent. They are a quick and easy way to get access to user data and sensitive information. But there are other ways attackers can get in. Going after the firmware is one potential method, as is attacking the mobile infrastructure itself.

“If I can update your phone remotely, I own the phone at every level and I own you. It’s game over,” said Don Bailey, a senior security consultant at iSEC Partners, during the panel discussion.

Installing a remote update is possible, but users oftentimes end up downloading malicious apps from various app stores, which is the ultimate low-hanging fruit. Those attacks give attackers large amounts of user data in a short amount of time.

Panelists said restricting what apps users can download and taking away their ability to set permissions for those apps would be a good step in the right direction.

“Users should not be allowed to set their permissions on their apps. A sane set of restrictions that makes downloading an app from a site as safe as visiting a Web site I think is where mobile security needs to go,” said Dino Dai Zovi, an independent security researcher.

Enterprise security staffs will find it hard to solve the problem of users having access to corporate data on the same phones they use to freely download apps and play games.

“The application layer is one of the hardest to secure because everyone wants to be able to download whatever they want and I’ve found it’s very rare that a company won’t let people do that when they also have access to corporate data,” said Chris Wysopal, CTO of Veracode.
