<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The SMB Minute &#187; community</title>
	<atom:link href="http://smbminute.com/archives/category/community/feed" rel="self" type="application/rss+xml" />
	<link>http://smbminute.com</link>
	<description>Aaron and Tim discuss technology and computing important to Small and Medium Businesses.</description>
	<lastBuildDate>Tue, 24 Aug 2010 12:30:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Four Must-Have SMB Security Tools</title>
		<link>http://smbminute.com/archives/142</link>
		<comments>http://smbminute.com/archives/142#comments</comments>
		<pubDate>Tue, 24 Aug 2010 12:30:01 +0000</pubDate>
		<dc:creator>Aaron</dc:creator>
				<category><![CDATA[Information/Advisories]]></category>
		<category><![CDATA[community]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Jennifer Jabbusch]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[tools]]></category>

		<guid isPermaLink="false">http://smbminute.com/?p=142</guid>
		<description><![CDATA[Looking for a quick read? Then this is the perfect post for you. Jennifer Jabbusch walks us through four must-have SMB security tools. I encourage you to check it out here.]]></description>
			<content:encoded><![CDATA[<p>Looking for a quick read? Then this is the perfect post for you. Jennifer Jabbusch walks us through four must-have SMB security tools. I encourage you to check it out <a title="Four Must-Have SMB Security Tools" href="http://www.darkreading.com/smb-security/blog/archives/2010/07/four_musthave_s.html" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://smbminute.com/archives/142/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Those Who Cannot Remember the Past are Condemned to Repeat it</title>
		<link>http://smbminute.com/archives/112</link>
		<comments>http://smbminute.com/archives/112#comments</comments>
		<pubDate>Mon, 01 Mar 2010 15:46:15 +0000</pubDate>
		<dc:creator>Aaron</dc:creator>
				<category><![CDATA[Information/Advisories]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[community]]></category>
		<category><![CDATA[blogger]]></category>
		<category><![CDATA[bugbear]]></category>
		<category><![CDATA[cell phone]]></category>
		<category><![CDATA[guest]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[mobile phone]]></category>
		<category><![CDATA[mobile spyware]]></category>
		<category><![CDATA[Tim]]></category>

		<guid isPermaLink="false">http://smbminute.com/?p=112</guid>
		<description><![CDATA[Our post today comes from Tim Mugherini of Security Braindump. Tim currently works for a BioTech firm as their network and security guy. Take it away, Tim! Those Who Cannot Remember the Past are Condemned to Repeat it. During the last decade, many Information Security practitioners have predicted the rise of mobile phone malware. The [...]]]></description>
			<content:encoded><![CDATA[<p>Our post today comes from Tim Mugherini of <a title="Security Braindump" href="http://securitybraindump.blogspot.com/" target="_blank">Security Braindump</a>. Tim currently works for a BioTech firm as their network and security guy. Take it away, Tim!</p>
<h2>Those Who Cannot Remember the Past are Condemned to Repeat it.</h2>
<p>During the last decade, many Information Security practitioners have predicted the rise of mobile phone malware. The predictions thus far have fallen short, however: there have been occasional incidents of malware infection, but to date nothing has occurred on a mass scale. I cannot predict when such malware will become lucrative enough to develop, but I do believe that the transformation of the mobile phone into a fully functional computing system with a robust browser may signal that the day is coming soon. With the recent increase in mobile phone functionality there is an increase in sensitive data stored on the device, thus making it a valued target.</p>
<p>Those of us who supported and used corporate computer systems during the early part of the millennium remember the chaos caused by virus and worm outbreaks. Being a desktop support tech at the time, it was not unusual to spend several days chasing a worm around the corporate network while frantically locking and patching systems as you went. The users were not happy, management was not happy, customers were not happy, and I can personally tell you <em><strong>none</strong></em> of us in IT were happy.</p>
<p>At the time, patch management was not centralized at many small to mid-sized organizations; servers were installed with the default settings; users ran with local administrative rights; code reviews were non-existent; and wireless, if encrypted at all, used WEP. Over time, many organizations became conscious of the value of securing their systems. Well, some organizations did anyway.</p>
<p>There is a lesson to be learned in the history of computing. The mobile platform that we all use today is, for all essential purposes, the PC of 1999 all over again. The aforementioned problems of the PC during the late 90s still exist now on the mobile phone. Moreover, what limited security features do exist on this platform are often not enabled or configured.</p>
<p>During 2009 we began to see the emergence of malicious software on mobile phones. In July 2009, the <a title="BBC" href="http://news.bbc.co.uk/2/hi/technology/8161190.stm" target="_blank">BBC reported</a> on mass distribution of spyware on Blackberry devices in the United Arab Emirates. In November, two iPhone worms were making the rounds (<a href="http://www.f-secure.com/weblog/archives/00001822.html" target="_blank">http://www.f-secure.com/weblog/archives/00001822.html</a> and <a href="http://www.f-secure.com/weblog/archives/00001814.html">http://www.f-secure.com/weblog/archives/00001814.html</a>). Several credit unions reported malicious applications in the Android Marketplace targeting banking credentials in December (<a href="http://www.bayportcu.org/site/mobilesecurityupdates.html" target="_blank">http://www.bayportcu.org/site/mobilesecurityupdates.html</a> and <a href="http://www.firsttechcu.com/home/security/fraud/security_fraud.html" target="_blank">http://www.firsttechcu.com/home/security/fraud/security_fraud.html</a>).</p>
<p>At ShmooCon 2010, I watched a talk presented by Tyler Shields of <a title="Veracode.com" href="http://www.veracode.com" target="_blank">Veracode</a> entitled &#8220;Blackberry Mobile Spyware &#8211; The Monkey Steals the Berries&#8221; (watch the presentation at <a href="http://shmoocon.org/2010/videos/BlackberryMobile-Shields.m4v" target="_blank">http://shmoocon.org/2010/videos/BlackberryMobile-Shields.m4v</a>). During the talk he demonstrated proof-of-concept malicious code for the Blackberry platform. Veracode has posted numerous blogs about the presentation and the issues demonstrated, but I think Chris Wysopal, formerly of L0pht and @stake, <a href="http://www.veracode.com/blog/2010/02/mobile-app-security/" target="_blank">summarizes</a> the situation facing mobile phone users the best:</p>
<blockquote>
<p style="padding-left: 30px;">“We need to leave the “detect and revoke” mentality of the PC world behind as we move to new platforms. Attackers are able to game the PC antivirus model by continuously flooding the software ecosystem with new unknown malware. The attackers will win in the mobile world too if we don’t change it. The mobile app store is a form of whitelisting that can assure the security of an entire platform if the whitelisting means something. That is if the apps are tested for security before being published.&#8221;</p>
</blockquote>
<p>I could not agree more. The unfortunate truth is RIM, Google, and Apple are not performing any detailed code review and security testing right now. Moreover, the only mobile solution that provides any measure of centralized security is RIM&#8217;s Blackberry Enterprise Server, and many companies are not leveraging those features and settings. The title of this post is a well-known quote from <a title="Wikipedia.org Article" href="http://en.wikipedia.org/wiki/George_Santayana" target="_blank">George Santayana</a> and is sometimes referred to as Santayana&#8217;s Law of Repetitive Consequences. I fear the security failures of the past apply to the mobile platform of today. Let&#8217;s hope we take heed and act. I think everyone could agree that the thought of chasing malware around on a platform that knows no physical bounds would be counterproductive to any organization&#8217;s goals.</p>
<p>~ Tim M.</p>
]]></content:encoded>
			<wfw:commentRss>http://smbminute.com/archives/112/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
