Fact or Fiction: Your Smartphone and Tablet Are Vulnerable to
Hackers
Stories of high-profile attacks on Internet-connected mobile devices are hard to come by, but it may not always be this way
Jul 22, 2013 |By Larry Greenemeier
Courtesy of IntelFreePress, via Flickr
Personal computers have been subject to cyber attacks from the moment we began connecting them to the Internet. Nowadays, malicious software lurking in spam and on Web pages is kept at bay only through effort and expense. So why don’t we have the same security problem with our smartphones and tablets, which are essentially variations on the PC?
Several factors hold back what may someday become serious effort on the part of cyber attackers to infect mobile devices with malware designed to raid apps and commandeer sensitive data. For starters, devices running Apple iOS, Google
Android and other mobile operating systems still are not nearly as numerous as
PCs, which therefore remain as hackers’ most likely targets. Smartphones and tablets are also, for the most part, better designed than PCs to minimize the potential damage caused by viruses and other problematic programs. In addition, Apple’s tight control over the apps that can be installed on its iPhones and iPads does much to improve the security of those devices.
Of the more than 140 million smartphones in use in the U.S., less than 2 percent have been infected with mobile malware (pdf) , says John Marinho, vice president for cyber security and technology at the CTIA, a Washington, D.C., wireless industry trade group.
It is possible, nevertheless, for attackers to break into mobile devices, including the iPhone and those running Android. “I certainly have,” says Charlie Miller , a security engineer at Twitter best known for testing mobile device security as a principal analyst with Independent Security Evaluators . “But it’s much more work than it would be to do the same exact thing against Windows. A rational attacker whose goal is to make money is not going to choose that path.”
Not immune
1

Fortunately, most efforts to attack smartphones and tablets to date have been made by researchers experimenting with the security of these devices. The first program written to manipulate mobile phones—dubbed Cabir—surfaced in
2004, three years before the iPhone’s debut. Cabir’s anonymous author sent the virus to security researchers to demonstrate that phones running the mobile
Symbian operating system could be infected. Cabir would then copy itself to other mobile phones via Bluetooth, running down the phone’s battery in the process, according to security researcher Mikko Hypponen in the 2006 Scientific American article “Malware Goes Mobile.”
In 2007, Miller and his colleagues at Independent Security Evaluators greeted the iPhone’s release by writing a program that could install itself when an iPhone opened its Safari browser . Once installed, the program enabled an attacker to hijack and steal data stored on an infected iPhone. The following year, when HTC’s T-Mobile G1 Android handset debuted, the researchers discovered this smartphone could likewise be exploited if the user visited a Web page infected with a virus or some other malicious program. Once the attacker took control of the infected smartphone he or she could access saved passwords and any cookies the browser used for accessing different Web sites.
Miller helped develop another method of attack in 2009 that blitzed iPhone or
Android-based devices with a deluge of SMS (short message service) text messages, allowing an intruder to plant a virus on the phone or at the very least cause the phone to shut down (disconnecting calls and Web access in the process).
Dollars and sense
Malice and mayhem aside, cyber criminals usually want to make money from their efforts. These entrepreneurial types are more likely to design a piece of malware to attack a tried-and-true target such as Microsoft’s Windows operating system or Internet Explorer Web browser, causing maximum disruption with minimal effort. Mobile malware is newer, so authoring such an attack could come with a learning curve and less certainty for success, adds
Miller, who spent five years with the National Security Agency as a global network exploitation analyst.
Although the number of PCs sold worldwide dipped slightly in 2012 to about
350 million , the sheer number of PCs that have accumulated in offices and homes over the past several decades still dwarfs the world’s population of active smartphones and tablets.
2

Given the popularity of these mobile devices, however, this equation will inevitably shift and place them at greater risk. Worldwide smartphone sales are expected to reach 1.5 billion units in 2017, more than doubling the 712 million sold in 2012, according to a recent “Mobile & Wireless Communications
Report” from information and analytics provider IHS Inc. Smartphones, once seen as a high-end luxury device, will by the end of this year represent the majority of all handsets sold worldwide.
By 2015 more Americans will access the Internet via mobile devices than with
PCs or any other type of wireless device, according to the CTIA. (pdf) Other researchers expect tablets alone will outsell PCs by 2015. (pdf)
Layered defense
Cell phones older than the iPhone and Android handsets relied upon simpler operating systems that were difficult to corrupt and hardly worth the effort.
More advanced smartphones offer handheld access to Web browsers, e-mail and a number of other exploitable software programs. When the iPhone launched in
June 2007, much of Apple’s security strategy centered on restricting the use of third-party apps from running on the phone. (pdf)
Apple has lifted some of its earlier restrictions but maintains a vigorous vetting process for its apps. Developers submitting apps for the company’s App Store must pay $100 annually for a developer’s license and may be subject to additional questions about their identity. Assuming a developer passes that initial screening, his or her app then requires Apple’s approval to appear in its
App Store. More likely the company would find and snuff out a malicious app before it had a chance to do any damage, Miller says.
There are fewer barriers, in this context, when targeting PCs. “An attacker
[could instead] write Windows malware, and the only thing they really have to worry about is antivirus blocking it,” Miller says. “If Apple figures out what the
[malware developer] is up to, the company revokes that person’s developer’s license, and in addition to not successfully infecting any smartphones, they’re out $100. If an attacker has a limited amount of time and money, it makes more sense for them to continue attacking PCs.”
If an attacker opts instead to mimic “drive-by” malware that has been successful in infecting PCs via Web browsing, success is likely to be limited by the way many smartphones and tablets are designed. Apple’s devices, in particular, have several features to keep malware from spreading, Miller says. One such feature
Apple has added to more recent versions of iOS— called “sandboxing” —
3

partitions different parts of the mobile device so a problem in one area, such as an attack against the mobile browser, will not spread to the rest of the device.
“An attacker would need one vulnerability to get onto the phone and then a second one to break out of the sandbox,” he adds.
The Android way
Despite Apple’s popularity and high profile, more than 470 million Android handsets were sold in 2012. By 2017 this number is expected to grow to more than 1 billion, giving the platform a 67-percent share of the smartphone market, according to research firm Canalys . The researchers project Apple will own about 14 percent of the market in 2017.
“Android is a very secure operating system—if you keep it up to date,” Miller says. “This is not always possible, especially if device makers don’t support the most current versions of the operating system.”
Defensive posture
As people start using their smartphones and tablets instead of their PCs to do online banking and purchasing, mobile devices become more appealing targets for attackers, Miller acknowledges. Likewise if PCs become more secure, attackers are likely to direct their efforts toward mobile.
One of the best protections against mobile malware and attacks is to keep all smartphone and tablet software up to date. It is important to be vigilant and question any app making strange or superfluous requests to access data on your device. “It’s very easy to write an app for Android, for example, that asks for tons of permissions, such as sending text messages even when the app doesn’t need to do this,” Miller says.
The Electronic Privacy Information Center (EPIC) recently filed a complaint (pdf) with the U.S. Federal Trade Commission over an Android smartphone app conceived by Samsung and Jay-Z to promote the performer’s latest album. The complaint claims, among other things, that Samsung
“collected data unnecessary to the functioning of the Magna Carta App.” The app requested permission to access the phone’s call log as well as modify or delete contents of the phone’s USB storage.
Before adding any app, look at the permissions it is requesting. Your device will be much more secure if you resist the urge to install suspicious software.
4

More In This Article

Google Android, iPhone May Be Vulnerable to SMS Hackers
Security researchers say at this week's Black Hat security conference that they can break into and/or shut down popular smart phones
Jul 30, 2009
|
By Larry Greenemeier
© ISTOCKPHOTO.COM/PETOO
Smart phones such as the iPhone or those running Google's Android or Microsoft's Windows Mobile operating systems are beloved by their owners for their ability to function as pocket-size, Webconnected computers. Unfortunately, the iPhone and its ilk also share the kinds of security problems that have plagued PCs since the advent of widespread Internet access.
The latest smart-phone security vulnerability garnering attention is one that could allow a hacker to blitz one's iPhone or Android-based device with a deluge of SMS (short message service) text messages, an attack that could allow an intruder to plant a virus on the phone or at the very least cause the phone to shut down (disconnecting calls and Web access in the process).
Security researchers Charlie Miller, principal analyst with Baltimore-based Independent Security
Evaluators , and Collin Mulliner, a Ph.D. student at Technical University of Berlin , provided more details about this potential problem today at the Black Hat USA computer security conference in Las
Vegas.
On test phones running iPhone versions 2.2 or 2.2.1 or Android versions 1.0, 1.1 or 1.5 operating systems, Miller and Mulliner claim they could crash the programs that manage connectivity to the phones' voice and data networks, causing the units to automatically shut down and require restarting, cutting any calls or Web usage in the process. The researchers claim to have notified Apple and
5

Google of these problems. Although Google says last week it patched the problem in Android, Apple
(which introduced 3.0 of its iPhone operating system last month) has not responded to media inquiries , including one from Scientific American . Microsoft isn't necessarily off the hook—the researchers say that, as of the time they wrote their presentation for Black Hat, they were still probing Windows
Mobile.
The SMS security problem differs from previous attacks against iPhone users, which required first luring the iPhone user to a virus-infected Web site or open an infected e-mail, Miller told CNET . This new vulnerability involves no effort on the part of the smart-phone user and requires only that an attacker have the victim's phone number, according to CNET. Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone.
Miller, who spent five years as a global network exploitation analyst with the National Security
Agency (the U.S.'s cryptologic organization), regularly probes Apple gear in search of weaknesses,
Popular Mechanics reported last October. He was also part of a team of security researchers who in
2007 found what is considered to be the iPhone's first exploitable vulnerability (which allows hackers to break into an iPhone via Apple's Safari Web browser). "Because of all the hype surrounding the iPhone and the large amount of personal information stored on the device, we wanted to see what level of security the device currently provides for the user," Miller and his colleagues explained on the
Independent Security Evaluators Web site at the time.
Black Hat has become one of the premier venues for hackers to showcase controversial methods of breaking into many of the electronic devices—PCs, smart phones and networking routers, to name a few—on which society has come to depend. At the 2005 conference, a security researcher demonstrated how to take control of Cisco network routers thanks to a security hole in Cisco's software. The company demanded that Black Hat remove information about this from its conference handouts and obtained a court order to prevent the researcher from presenting this information in the future.
At times lost in translation is the fact that many security vulnerabilities can be exploited by only the most sophisticated hackers who have the time, will and financial incentive to do this. The security researchers who dissect computer programs for weaknesses are seen by some as the counterbalance to lax technology companies that sell vulnerable products and by others as opportunists who promote their work so they can sell products and services designed to fix the problems that they find.
 Malware Goes Mobile

Fact or Fiction: Encryption Prevents Digital Eavesdropping


Wiretaps through Software Hacks to Get Legal Scrutiny
Spear Phishers Want Your Info
6

7