Charlie Miller, principal analyst at Independent Security Evaluators, says mobile phones are in many ways even less secure than PCs because users carry them everywhere, seldom turn them off, and in the case of smartphones, they’re almost always connected to the Internet.
Among mobile phones, smartphones are particularly vulnerable because they’re essentially handheld computers. With several gigabytes of storage now common on smartphones, users store a large amount of data and personal information on their devices—from personal photos to sales contacts. That’s why analysts say the biggest threat is losing the device.
“The biggest piece of data people don’t think about is the amount of passwords the browser has stored,” says Eric Ogren, principal analyst at the Ogren Group. “If you can figure out how to get into that, someone loses his phone and—shazam!—you’ve got access to every account. Facebook, email, you name it. You have total authenticated access.”
And given that smartphones can perform many basic PC functions, they’re vulnerable to the same exploits.
“Does somebody who’s sending out phishing emails trying to get somebody to visit a malicious Web site care if they access it from a smartphone or a desktop?” Wilson says. “From a user perspective, understand that your phone is not in its isolated little world anymore. Your phone connected to an IP network using a Web browser and email is no different from your laptop.”
Last summer, for example, security experts discovered a flaw in the iPhone that allowed hackers to take control of a user’s phone simply by sending a series of text messages. Apple quickly issued a patch, but the defect illustrated how vulnerable mobile devices can be.
Analysts believe an increased focus on mobile security will provide an opportunity for a wide range of companies. Along with voice encryption firms like Cellcrypt, the well-known security ... Symantec, for example, offers Norton Smartphone Security for Windows Mobile and Symbian phones.
To protect data when a phone is lost or stolen, products from startups WaveSecure and Lookout let users lock down a phone, erase the disk, and track its location. Both companies also offer cloud-based storage, allowing users to restore content if the phone is recovered.
“There’s going to be a lot of interest in cloud-based security solutions,” Wilson says.
Outside of pure-play security companies, Ogren says Citrix Systems could be a sleeper in this space. The company’s virtualization technology allows users to access corporate applications without storing data locally on a device. Citrix’s Receiver software, which provides access to virtualized applications, is available for iPhone, Android, and Windows Mobile handsets.
“When it comes to IP security, the core technology is applicable to any device that uses IP, so [the vendors] go where the money is,” Wilson says. “Today the money is in figuring out how to secure mobile devices and networks, so you’ll see tons of players in it and tons of players benefiting.”
Eavesdropping on the Way?
Most people probably don’t believe their actual phone calls are at risk. In December, however, a German computer scientist announced that he had cracked the codes used to encrypt calls made from 80 percent of the world’s mobile phones.
He said a hacker armed with the codes and a laptop with two network cards could record calls within 15 minutes.
That flaw involved A5/1, the 22-year-old encryption algorithm used in most GSM networks. In 2007, the GSM Association developed an updated, ostensibly more secure algorithm for use in 3G networks called A5/3. But last week, Adi Shamir, one of the inventors of the RSA encryption algorithm, published a method for cracking the A5/3 algorithm.
No practical incidents have been reported, but it’s only a matter of time before a major breach occurs, according to Simon Bransfield-Garth, chief executive officer of Cellcrypt, a London-based maker of mobile phone encryption software.