Securing Mobile Devices May Be Impossible
From via Securing Mobile Devices May Be an Impossible Task:
Attacks against smartphones such as BlackBerrys, iPhones and Android phones have become quite prevalent in recent years and many of them have focused on getting malicious apps on users phones. Thats a quick and easy way to get access to user data and sensitive information. But there are a slew of other real and potential vectors that attackers have at their disposal no, as well. Going after the device firmware is one potential method, as is attacking the mobile infrastructure itself.”
If I can update your phone remotely, I own the phone at every level and I own you. Its game over,” said Don Bailey, a senior security consultant at iSEC Partners, said during the panel discussion.
While I myself have been thinking about mobile security, this is an angle I didn’t even consider. If hackers can pwn the mobile phone network itself, well, everyone’s mobile device is in danger. There’s not much you can do about it, either.
Comment by Robmitch
How is this any different to the current paradigm with PC’s and the Internet? I don’t see that the issues are much different, just that the form factors and the areas of attack change slightly. There’s an interesting commentary at http://www.theregister.co.uk/2011/08/04/secret_iphone_hacking_tool/ on iphone hacking vectors, if you combine firmware update capabilities and this then there’s some very evil stuff going on. But it’s no different to the sort of MITM or Phishing-style attacks that we’ve seen on the Internet for years. Surely the same defence model can/should be used?
Comment by PhoneBoy
Surely it can, but the mobile operating systems are so locked down third parties can’t provide security services like they can on a PC. You also can’t easily “firewall” your mobile phone with a hardware device like you can with your PCs at home.
Comment by Robmitch
Fair point – that just means that the Mobile OS providers either have the obligation to secure their OS (Guess Apple kinda missed the boat on that one!) and the mobile network providers need to start incorporating that external “firewall” capability into their mobile networks. I think that corrupting endpoint devices is a relatively minor concern if the whole network is up for grabs – I guess the telcos have relied upon the technology to hijack or emulate a base station to be too expnsive and/or obscure up until now. Again, these are lessons that have been well learnt in the PC/Internet world, and another point where IP convergence into telephony/SCADA/infrastructure catches out historically poor security practice.
Comment by Tomas
I bought my first Smartphone some weeks ago and I was thinking about security issues, too. I was looking for some good methods to secure my phone, but my search wasn´t as successfull as I was hoping. So it is and will be hard to really securing your phone.