Darlene Storm

Mobile security at TakeDownCon: Hackers handing out a healthy dose of paranoia

December 07, 2011 2:38 PM EST

Smartphones are mini-computers packed with financial and personal information. People use their mobile devices for everything from paying bills to GPS navigation, so it is puzzling that so many give no thought to mobile security. Ignoring mobile security is much like running a computer with no regard for security precautions: not wise at all. Even with no malicious intent, many app developers are not concerned about security, and their apps may ask for overreaching access permissions.

Mobile and wireless security news is pouring out of TakeDownCon in Las Vegas. During the keynote presentation, Moxie Marlinspike said "mobile malware detection should be done by the app stores" and "Google has done the absolute bare minimum to secure the Android platform." Marlinspike tweeted, "Halfway through my talk at #TakeDownCon this morning, I realized it included some minor Android 0day we hadn't reported."

Georgia Weidman presented Transparent Botnet Command and Control for Smartphones over SMS and demonstrated how malware on mobile phones can be used to create smartphone botnets. Weidman told Ars Technica, "The approaches used by Carrier IQ developers to create phone monitoring software could be adopted by hackers as well to create botnets that could silently steal users' data, or send data without users' knowledge. From what I've seen in Carrier IQ, they just didn't think about what they were going to do. But malware writers are going to take advantage of those techniques."

Interesting mobile and wireless security statistics include ABI Research's prediction that "enterprise adoption of ultra-mobile devices is predicted to hit $12.5 billion by 2015." According to IDC, "Worldwide shipments of app-enabled devices, which include smartphones and media tablets such as the iPad, will reach 284 million by year's end. In 2011, makers are expected to ship 377 million of these devices, and in 2012, the number is likely to reach 462 million, which exceeds PC shipments."

Yet some experts say it is safer to enter your credit card information online to pay bills than to physically hand over your credit card at a restaurant. A KSNV MyNews3 video quoted Secure Ninja cybersecurity expert Michael Vien as saying, "30-40% of Internet access currently originates on mobile devices." Just the same, there are "sophisticated attacks" aimed at online holiday shoppers. It's a trap! . . . or at least some small online sites that "offer very low prices" and are found via tainted search results might be a trap, according to KVVU Fox5. "Experienced hackers are learning new ways to compromise your online experience." Chris Eng, Vice President of Research for Veracode, said, "Compliance requirements aren't really going to protect against a dedicated attacker."

There are XSS vulnerabilities that exploit embedded browsers in mobile apps, Heise Security reported. Researcher Kyle Osborn "noted that the use of embedded browsers in mobile applications can make those applications vulnerable to cross site scripting attacks." For example, Ars Technica discussed Osborn's research that showed how Google Earth and other mobile apps can allow the "execution of arbitrary JavaScript code on the device by embedding script in location data."
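The defect Osborn describes is the generic one for embedded browsers: data the app did not author (here, a place label from location data) is concatenated into HTML that the WebView then renders as markup. The following is an added example, not code from Osborn's research or from Google Earth, written in Python rather than the app's platform code so the string handling is easy to follow. The place label, the page template and the Content-Security-Policy line are all constructed for the illustration; the point is that the label must be escaped for both element and attribute context, and that a page which needs no script should say so with a CSP.

```python
"""Escape untrusted data before it reaches an embedded browser (WebView).

Constructed example: an app renders a place name taken from location data
(assumed attacker-controllable, e.g. a label in a shared location file) into
an HTML page that it loads in its embedded browser.
"""
import html

# Constructed sample: a place label carrying script, as it might arrive in a
# location file. The payload is the classic harmless probe, not a real exploit.
TAINTED_LABEL = 'Viewpoint <script>alert(document.cookie)</script>'

# Constructed policy: no script of any kind is allowed on this page. The page
# only displays a label, so it needs no JavaScript at all.
CSP_META = ('<meta http-equiv="Content-Security-Policy" '
            'content="default-src \'none\'; img-src data:; style-src \'unsafe-inline\'">')


def render_unsafe(label: str) -> str:
    """Vulnerable pattern: the label is concatenated straight into markup,
    once inside an attribute and once as element content."""
    return f'<div class="label" title="{label}">{label}</div>'


def render_safe(label: str) -> str:
    """Hardened pattern: HTML-escape the label for both contexts.

    quote=True also turns ' and " into entities, so a value that tries to
    close the title attribute and add an event-handler attribute stays text.
    """
    esc = html.escape(label, quote=True)
    return f'<div class="label" title="{esc}">{esc}</div>'


def build_page(body: str) -> str:
    """Wrap a body fragment in a minimal page that carries the restrictive CSP."""
    return f'<!doctype html><html><head>{CSP_META}</head><body>{body}</body></html>'


def contains_markup_injection(fragment: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    the expected output contains exactly two tags, <div ...> and </div>."""
    return fragment.count('<') > 2


if __name__ == "__main__":
    print("unsafe:", render_unsafe(TAINTED_LABEL))
    print("safe:  ", render_safe(TAINTED_LABEL))
    print("page:  ", build_page(render_safe(TAINTED_LABEL)))
```

The CSP is the second layer, not a substitute for escaping: it limits what an injected tag can do if some other code path forgets to escape, while escaping keeps the label from becoming a tag in the first place. On Android, the equivalent platform-side step is to leave JavaScript disabled on a WebView that only displays static content.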

In another example, it was pointed out that anyone could use off-the-shelf ARP poisoning (spoofing) tools to stage a Man in the Middle (MITM) attack; no deep expertise is needed to attack smartphones or other mobile devices on a shared wireless network. One Android defense against such MITM attacks is Heinrich Gurke's WiFi Protector, an anti-ARP-poisoning security app currently priced at $1.33 on the Android Market.
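An anti-ARP-poisoning app works by watching the IP-to-MAC claims on the local network and raising an alarm when they stop being consistent. The block below is an added example of that detection logic, not WiFi Protector's code; it is run over a constructed list of ARP replies in the form "sender_ip sender_mac", and it assumes the gateway address was learned when the device joined the network. Two indicators are checked: a second MAC claiming the gateway's IP after the first one has been pinned, and a single MAC claiming more than one IP, which is what a poisoner does when it impersonates both the gateway and a victim.

```python
"""Detect ARP-poisoning indicators in a stream of observed ARP replies.

Constructed example of the logic an on-device monitor applies: pin the
gateway's MAC when the network is joined, then alert when another MAC claims
the gateway IP or when one MAC claims several IPs.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: "sender_ip sender_mac" pairs as a sniffer would report
# them. Line 3 is the poisoning attempt: a new MAC claims the gateway, and on
# line 4 the same MAC also claims a client's address.
SAMPLE_ARP_REPLIES = """\
192.168.1.1 aa:bb:cc:00:00:01
192.168.1.20 aa:bb:cc:00:00:20
192.168.1.1 de:ad:be:ef:00:99
192.168.1.20 de:ad:be:ef:00:99
192.168.1.30 aa:bb:cc:00:00:30
"""

GATEWAY_IP = "192.168.1.1"   # assumed: learned from DHCP when joining the network


@dataclass(frozen=True)
class Alert:
    kind: str
    ip: str
    mac: str
    detail: str


def parse_replies(text):
    """Yield (ip, mac) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1].lower()


def detect_arp_poisoning(replies, gateway_ip):
    """Return a list of Alert objects for suspicious ARP activity.

    Rule 1: the first MAC seen for the gateway is pinned; any other MAC that
            later claims the gateway IP is reported.
    Rule 2: any MAC that claims two or more distinct IPs is reported once,
            when its second IP appears.
    """
    alerts = []
    pinned_gateway_mac = None
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        if ip == gateway_ip:
            if pinned_gateway_mac is None:
                pinned_gateway_mac = mac
            elif mac != pinned_gateway_mac:
                alerts.append(Alert("gateway-mac-changed", ip, mac,
                                    f"expected {pinned_gateway_mac}"))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == 2:
            alerts.append(Alert("mac-claims-multiple-ips", ip, mac,
                                "ips=" + ",".join(sorted(ips_by_mac[mac]))))
    return alerts


def scan(text=SAMPLE_ARP_REPLIES, gateway_ip=GATEWAY_IP):
    """Run the detector over a text capture; defaults to the constructed sample."""
    return detect_arp_poisoning(parse_replies(text), gateway_ip)


if __name__ == "__main__":
    for a in scan():
        print(f"[{a.kind}] {a.ip} -> {a.mac} ({a.detail})")
```

Both rules can fire legitimately, for example when a router is replaced or a redundant-gateway setup fails over, so an alert is a prompt to stop sending sensitive traffic and re-verify the gateway, not proof of an attack. The practical mitigation the alert points toward is the same either way: treat the hotspot as hostile and rely on end-to-end encryption (HTTPS, a VPN) rather than on the local network.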

In yet another interview discussing the "mobile security minefield" coming in 2012, X-Force, IBM's IT security research team, predicted "33 software exploits targeting mobile devices in 2012." Zach Lanier, principal consultant at Intrepidus Group, said the "lack of savvy is not going to go away." Gary McGraw, CTO of Cigital and a co-founder of BSIMM, added that the "business model for mobile commerce hasn't really been laid out" and "you can't protect people from themselves."

Justin Morehouse of ThreatSim explained that basic identifiers in smartphones can be accessed to gather information about the phone's owner. As reported by 8NewsNow, Morehouse said, "A lot of applications on your phone use that for authentication purposes. Instead of you having to sign into Facebook every single time, Facebook identifies the unique phone and automatically logs you in." Online banking, retail and other ecommerce accounts work in the same way, and a password does not guarantee protection. "Experts say it is not just phones that are at risk. The hottest new target for hackers are tablet computers."
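The weakness in the pattern Morehouse describes is that a device identifier is something the phone reveals, not something it proves. The example below is added here and is not any vendor's implementation; it contrasts a toy server that accepts a static identifier as the login credential with one that enrolls a per-device secret once and then authenticates with a single-use challenge answered by an HMAC. The device ID string and account name are constructed. The contrast shows why knowing the identifier alone should prove nothing, and why a valid response cannot be replayed.

```python
"""Why a readable device identifier is a poor login credential.

"weak" models the practice described in the article: the server trusts
whatever device ID the client presents. "strong" models the alternative: a
per-device secret provisioned at enrollment, used to answer a server nonce.
"""
import hashlib
import hmac
import secrets


class WeakDeviceAuth:
    """Static identifier as credential: anything that learns the ID is 'the phone'."""

    def __init__(self):
        self.enrolled = {}          # device_id -> account

    def enroll(self, device_id, account):
        self.enrolled[device_id] = account

    def login(self, device_id):
        return self.enrolled.get(device_id)


class ChallengeResponseAuth:
    """Device-bound credential: a secret that the identifier does not reveal."""

    def __init__(self):
        self.devices = {}           # device_id -> (account, secret)
        self.pending = {}           # device_id -> outstanding nonce (single use)

    def enroll(self, device_id, account):
        secret = secrets.token_bytes(32)
        self.devices[device_id] = (account, secret)
        return secret               # provisioned once into the app's protected storage

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def login(self, device_id, response):
        # The nonce is consumed whether or not the response verifies, so a
        # captured response is worthless once it has been presented.
        nonce = self.pending.pop(device_id, None)
        if nonce is None or device_id not in self.devices:
            return None
        account, secret = self.devices[device_id]
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return account if hmac.compare_digest(expected, response) else None


def device_answer(secret, nonce):
    """What the legitimate app computes; it needs the secret, not just the ID."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    """Return (weak_id_alone, strong_id_alone, strong_legit, strong_replay)
    as booleans: did each login attempt succeed as 'alice'?"""
    dev = "DEVICE-ID-CONSTRUCTED-0001"   # constructed stand-in for an IMEI-like value

    weak = WeakDeviceAuth()
    weak.enroll(dev, "alice")
    weak_id_alone = weak.login(dev) == "alice"          # the identifier is the whole credential

    strong = ChallengeResponseAuth()
    secret = strong.enroll(dev, "alice")
    strong.challenge(dev)
    strong_id_alone = strong.login(dev, b"\x00" * 32) == "alice"   # ID without secret fails

    nonce = strong.challenge(dev)
    resp = device_answer(secret, nonce)
    strong_legit = strong.login(dev, resp) == "alice"   # the real app succeeds
    strong_replay = strong.login(dev, resp) == "alice"  # same response again fails
    return weak_id_alone, strong_id_alone, strong_legit, strong_replay


if __name__ == "__main__":
    print(demo())
```

Binding the login to a secret rather than an identifier addresses the risk the article raises, that the identifier can be read and reused, but it does not protect a phone that is itself compromised: malware with access to the app's storage can use the secret just as the app does, which is why hardware-backed key storage and the app-store malware screening Marlinspike calls for matter alongside it.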

The potential for these attacks on mobile devices is "generic across all tablets." While explaining how hackers are targeting tablet computers to access "any activity involving submission of personal information" via WiFi hotspots, email, or text messages, TakeDownCon speaker Wayne Burke said, "We're not trying to scare people off these devices, but we're trying to give them some healthy paranoia, so they're going to think twice."

If you still haven't installed any mobile security on your smartphone, Lookout offers one of the most popular, free security apps for Android. It also offers a Carrier IQ Detector app.