December 19, 2007
Symantec's take on mobile security
According to analysts at Gartner, the number of smartphones shipped to end users will outnumber the volume of laptop shipments to customers as early as 2008.
Rival analyst firm IDC (a sister company of InfoWorld under parent IDG) estimates that as many as 304 million smartphones will be in users' hands by 2011.
That's a lot of devices.
And, according to many security experts, along with the proliferation of handhelds, there will also be an increasing number of attacks aimed specifically at the devices.
Now, some mobile security experts, such as the esteemed Mikko Hypponen of F-Secure -- a company that got in on the "mobisec" angle early based largely on its close proximity to device giant Nokia -- contend that the issue of mobile attacks might not turn out to be as big a deal as others think.
Because of the large number of mobile operating systems, and the application-signing process that OS vendors and carriers have thus far adhered to for the most part to keep unwanted apps off of devices, he claims, malware authors won't be able to easily introduce attacks that have the same widespread impact as threats aimed at, say, computers running the Microsoft Windows OS.
However, with the rise of platforms such as Google Android, and the push therein for more openness in the mobile device applications world, perhaps the issue of mobile security won't be as easily handled as we have been led to believe.
Symantec, among many others in the security space, has earmarked mobile device protection as one of its top areas of strategic focus for 2008.
What follows are excerpts from a Q&A supplied by the vendor with Khoi Nguyen, group product manager of Symantec's Mobile Security Group.
Question: Why have mobile threats recently become such a hot topic?
Nguyen: These devices are increasingly storing financial and confidential information. In Asia, smartphone users can use their phone like cash through pay-by-wave technology. London, England is also implementing this service in their Underground transportation system on a trial basis. Many consumers are also using their smartphones for e-mail, mobile banking, and file downloads.
Question: What is the motivation for hackers to focus on these devices?
Nguyen: Cyber-criminals go where the money is. With the increasing popularity of these devices and as people begin using them to store sensitive data, make purchases and surf the Internet, hackers will naturally look for ways to exploit the weaknesses in the operating systems.
Question: Can we learn anything from our historical experience with PCs to help guide us with these devices?
Nguyen: We have noticed that the mobile threat landscape is similar to what the PC threat landscape was 15 years ago. For example, for every mobile virus variant in the wild today, there are more than 450 variants for the PC. It is important for users to develop the same critical thinking when using their mobile phones that has become second nature on their PCs. As these viruses propagate, it will be increasingly important for users not to use a discerning eye when receiving strange IM, e-mail, and other requests.
Question: How do mobile threats differ from PC threats?
Nguyen: There is a current attack we have labeled "Snoopware." This kind of attack compromises a person's privacy rather than their bank account. Snoopware threats can remotely activate a device's microphone or camera, allowing the hacker to spy on or listen in on the victim's conversations, whether or not the phone is currently in use. Because these devices are rarely far from the owner, it is a definite violation of a person's privacy. Other attacks use the phone features for financial gain.
Question: What can people do to protect themselves?
Nguyen: [People] need to remember that with increasing flexibility, mobile devices shift away from the definition of a traditional cell phone and become in truth more of a PC. As a result, users need to develop [their] awareness when using a device's Internet, Bluetooth or WiFi functionality and bring the same scrutiny for their mobile devices that they have cultivated for their PCs. With awareness and a layer of trusted protection, consumers can feel comfortable making the most of their mobile experience.
Question: What else can users do to protect themselves besides software protection?
Nguyen: Aside from installing security software on their smartphone, users should be generally aware and informed about potential security risks, the same way they’ve come to be about their PCs. For example, many smartphones come Bluetooth-enabled by default. This means that whenever possible the phone will look for available Bluetooth networks to connect with. Some cyber-criminals use these networks to propagate malware, so it is important for a user to disable Bluetooth. If a person has a Bluetooth headset or some other device that requires this feature to be enabled, they should pair it with the accessory and disable the Bluetooth broadcast option in their phone.
Posted by Matt Hines on December 19, 2007 02:00 PM