Hackers Try To Outsmart Smart Phones

John Moore|Special to CNBC

Smart phone users may be too smart by half.

Thanks to Apple’s iPhone and slick new devices running Google’s Android operating system, mobile phones are subject to the same threats that computer users deal with every day, such as phishing and malware.

Most users don’t protect their phones the way they protect their PCs. That may change soon.

“By the end of this year I expect a major smart phone compromise that affects lots and lots of devices,” says Jeff Wilson, network security analyst at Infonetics Research. “The general consumer mindset is hackers are not attacking phones yet, which is naïve. It’s going to take a major, highly publicized malware event to get the larger population of buyers to look at whether they need to make a specific investment in a security solution for their phones.”


Common Threats

Charlie Miller, principal analyst at Independent Security Evaluators, says mobile phones are in many ways even less secure than PCs because users carry them everywhere, seldom turn them off, and in the case of smartphones, they’re almost always connected to the Internet.

Among mobile phones, smartphones are particularly vulnerable because they’re essentially handheld computers. With several gigabytes of storage now common on smartphones, users store a large amount of data and personal information on their devices—from personal photos to sales contacts. That’s why analysts say the biggest threat is losing the device.

“The biggest piece of data people don’t think about is the amount of passwords the browser has stored,” says Eric Ogren, principal analyst at the Ogren Group. “If you can figure out how to get into that, someone loses his phone and—shazam!—you’ve got access to every account. Facebook, email, you name it. You have total authenticated access.”

And given that smartphones can perform many basic PC functions, they’re vulnerable to the same exploits.

“Does somebody who’s sending out phishing emails trying to get somebody to visit a malicious Web site care if they access it from a smartphone or a desktop?” Wilson says. “From a user perspective, understand that your phone is not in its isolated little world anymore. Your phone connected to an IP network using a Web browser and email is no different from your laptop.”

Last summer, for example, security experts discovered a flaw in the iPhone that allowed hackers to take control of a user’s phone simply by sending a series of text messages. Apple quickly issued a patch, but the defect illustrated how vulnerable mobile devices can be.

Opportunities Arise

Analysts believe an increased focus on mobile security will provide an opportunity for a wide range of companies. That range includes voice encryption firms like Cellcrypt as well as well-known security vendors. Symantec, for example, offers Norton Smartphone Security for Windows Mobile and Symbian phones.

To protect data when a phone is lost or stolen, products from startups WaveSecure and Lookout let users lock down a phone, erase the disk, and track its location. Both companies also offer cloud-based storage, allowing users to restore content if the phone is recovered.

“There’s going to be a lot of interest in cloud-based security solutions,” Wilson says.

Outside of pure-play security companies, Ogren says Citrix Systems could be a sleeper in this space. The company’s virtualization technology allows users to access corporate applications without storing data locally on a device. Citrix’s Receiver software, which provides access to virtualized applications, is available for iPhone, Android, and Windows Mobile handsets.

“When it comes to IP security, the core technology is applicable to any device that uses IP, so [the vendors] go where the money is,” Wilson says. “Today the money is in figuring out how to secure mobile devices and networks, so you’ll see tons of players in it and tons of players benefiting.”

Eavesdropping on the Way?

Most people probably don’t believe their actual phone calls are at risk. In December, however, a German computer scientist announced that he had cracked the codes used to encrypt calls made from 80 percent of the world’s mobile phones.

He said a hacker armed with the codes and a laptop with two network cards could record calls within 15 minutes.

That flaw involved the 22-year-old encryption algorithm used in most GSM networks, called A5/1. In 2007, the GSM Association developed an updated, ostensibly more secure algorithm for use in 3G networks called A5/3. But last week, Adi Shamir, one of the inventors of the RSA encryption algorithm, published a method for cracking the A5/3 algorithm.

No practical incidents have been reported, but it’s only a matter of time before a major breach occurs, according to Simon Bransfield-Garth, chief executive officer of Cellcrypt, a London-based maker of mobile phone encryption software.

“It’s brought the cost of intercepting GSM calls from hundreds of thousands of dollars to a few thousand dollars,” Bransfield-Garth says. “We don’t believe the threat is widespread yet. We think it’s something that is still a few months away. What we do see is a trend, and the trend is going more quickly than we thought. This open-source community approach to breaking the code tables is occurring at a rate faster than we had expected.”

To most people, the idea of encrypting phone calls possesses a whiff of Jack Bauer-type intrigue, if not flat-out paranoia. Within the United States and United Kingdom, Bransfield-Garth says, voice security hasn’t been cause for alarm. But it has been a common concern in Latin America and other developing regions.

Bransfield-Garth says large companies whose executives frequently travel internationally have become more interested in voice encryption, noting that Cellcrypt’s customer base has grown more than tenfold within the last year.

“Two or three years ago, it was thought of as something that was used in a rarefied atmosphere, for the more secret bits of government, or corporations that had a specific security need,” Bransfield-Garth says. “What we’ve seen in the last six to nine months is a massive increase in the number of mainstream organizations—in oil and gas, legal, finance, pharmaceuticals—who want to be able to secure their conversations.”