This past summer, the wireless industry was hit with its first botnet-type attack. Thousands of subscribers in the Middle East and China received a text message reading, “A very sexy girl, Try it now!"
The message contained a link that prompts the user to download software, which then sent the same message to the contacts stored in the phone. Users had nothing to be suspicious about. After all, the application had received official approval from the Symbian foundation and could therefore be considered safe.
But it wasn’t safe. It was a virus.
The so-called Sexy Space virus was capable of collecting information on phone type, IMEI number and IMSI number, and could then send that data to a central server. An IMEI number is used to validate GSM, WCDMA and iDEN devices and can be used to stop a stolen phone from accessing the network. Subscribers are identified with the IMSI number, which is stored inside a device’s SIM card.
It is not clear how the information would be used, but the attack raised alarms and caused a good deal of embarrassment at the Symbian Foundation, which has since re-examined its certification protocols. Cybersecurity experts say the virus’ ability to communicate with a central server had all the makings of a mobile botnet – a harbinger of attacks to come.
Botnet attacks turn devices into virtual zombie warriors, allowing the devices to be remotely controlled by hackers, who then use them to send out waves of virus-infested spam. Historically, these types of attacks have been levied at computers. It now appears that mobile phones are targets, too.
Cell phones have been largely free from the type of spam and viruses that have plagued the PC world. As the computing power of cell phones advances, it’s not clear how long that exemption will last, and carriers and security experts expect the problem to worsen.
The Threat May Grow
Phones have rapidly morphed from basic communication devices into miniaturized personal computers where users store personal information, purchase goods and share files. This makes them increasingly attractive targets for digital criminals like spammers and phishers.
“Instead of being harmless spam, the majority of attacks that are starting to happen are more harmful, like billing attacks and phishing: stealing private information so that the hacker can user their credit card and personal information,” says Adam O’Donnell, senior research scientist at Cloudmark, a cyber security firm.
Cloudmark, which works with two of the top three carriers in the United States, has a careful eye on the global spam and malware market. Their verdict: Mobile messaging attacks will grow, and the increase is going to happen sooner rather than later.
SMS messages are the predominant way hackers and spammers infiltrate cell phones. In Asia, text message spam is so prolific that well over 20 percent of all messages going over the network are bad, says O’Donnell.
Though U.S. consumers rarely get spam on their phones currently, O’Donnell says carriers should brace themselves for an onslaught of spam over the next two years. O’Donnell argues that carriers’ move to unlimited text messaging plans inadvertently opened the floodgates for spammers and hackers.
Before the unlimited plans came into existence, the per-message cost for spammers was prohibitively expensive. Thanks to unlimited plans, spammers can send out massive waves of junk text messages and get a positive return on their investment.
“During the past year, that return on investment has flipped because carriers have introduced all-you-can-eat messaging plans. The cost is now profitable, and the spammer will make money if they purchase a subscription,” O’Donnell says.
Calling it “a significant driver” of spamming traffic, O’Donnell predicts that carriers will see a marked increase in SMS spam over the next 12 to 18 months.
Off-deck content is another contributor to increased security risks. Content not listed on the carrier’s mobile home page brings subscribers away from the protective bubble of pre-vetted content. CTIA says security is being “subordinated” by demands that carriers offer complete openness in their networks, applications, content and devices.
The cost of this freedom, says CTIA, is that customers will have to take “a larger and larger role in protecting themselves against spam, viruses and other threats.” Its stance is essentially this: If consumers want openness, they’ll have to deal with the consequences.
“While wireless carriers will continue to work very hard at stopping [spam, viruses and other kinds of threats], if the networks were suddenly completely open, the consumer will bear the brunt of the security burden,” the association said in a statement.
CTIA points to obvious measures subscribers can take to protect themselves, such as limiting downloads to trusted Web sties and using pre-installed security features on phones.
Still, when it comes to dealing with the consequences of viruses and spam, beleaguered subscribers tend to turn toward their carrier to fix their phone and resolve unusual charges on their bill. Carriers have a vested interest in keeping their customers happy and their networks secure.
Tackling Spam on the Network
Securing the mobile environment requires a different strategy than in the PC world. Personal computers have the processing power to run filtering software in their native environment. Handset processors cannot handle that extra burden without crippling the devices’ performance.
As a result, security in the wireless world looks a lot different than it does for PCs. At AT&T, security expert Sanjay Macwan takes a proactive approach to stopping spam.
Instead of waiting until suspicious content reaches a gateway-based filter as happens in the computer space, AT&T monitors entire networks from a birds-eye perspective. That way, it can block content well before it reaches a gateway, where the filtering process used for computers could clog the wireless network. As a result, spam is usually filtered out before fraudulent messages reach handsets.
“What we have done is implemented spam detection within the cloud, taking care of it in the network before it reaches an endpoint,” says Macwan, who is the assistant vice president of AT&T’s security research and development department. “Doing it upstream in the network is much more efficient.”
Sprint Nextel employs a similar filtering method. According to a company spokeswoman who handles security issues, most spam messages come through en masse as random 888- or 800- numbers from a source Sprint doesn’t have an agreement or certification with. The carrier is able to filter them out with an efficacy rate of 99 percent.
T-Mobile USA employs a similar filtering system, which is continually updated and monitored for newly emergent schemes. The company’s postpaid and FlexPay customers can also create their own filters, allowing them to block chargeable text messages, MMS, IM and e-mail from being sent to their handsets.
Handsets rely on network security for protection against spam and viruses, though the fragmentation of handset models and operating systems further buffers them from large-scale attacks. When it comes to protecting proprietary data on corporate handsets, however, extra measures are needed.
BlackBerry from Research In Motion (RIM) is practically ubiquitous in corporate America, leading the handset maker to take extra precautions to protect the valuable data frequently held on the devices.
The manufacturer has a whole division devoted to security for its BlackBerry enterprise clients, an effort that has landed it numerous certifications from several different agencies. For instance, the BlackBerry platform’s software cryptograph modules have Federal Information Processing Standards (FIPS) 140-2 validation. BlackBerry was also the first wireless platform to earn Common Criteria Evaluation Assurance Level 4 certification. Common Criteria is an international standard for validating that information technology products meet specific security requirements.
But despite its ability to remotely change passwords and wipe data from missing devices, RIM says it all boils down to getting subscribers to take basic steps like using passwords and avoiding suspicious downloads.
“You can have all the protections in the world, but if they’re hard to use, no one is going to take advantage of them,” says Michael Brown, director of security product management at RIM. “Customers don’t want security to lie in the way of getting their job done... we work to improve the usability of security.”