Its great for users, although its traumatic for vendors, when information-based devices evolve from fixed-function appliances into open application platforms. Flexibility always wins in the long run, but an open platform needs to offer its users new applications all the time and also needs to give those users updates to the platform itself at critical times. This requires update mechanisms that are at the same time both simple and secure—a challenging combination.
The challenge cant be avoided, as the record clearly shows: Dedicated word processors, for example, didnt know what hit them when general-purpose PCs came along, and pocket calculators have been pretty much eclipsed by the flexibility of Pocket PCs. The same thing has been happening over the past year to mobile communication devices, as that space has become the domain of the smart phone—but with that generality have come hazards as well as opportunities.
When simplicity gets top priority, safety can suffer. For example, Symantecs LiveUpdate facility for products such as Norton AntiVirus was once found vulnerable to hijack, using any of several tricks to make a malware server appear to be resolved from the DNS label of update.symantec.com. That LiveUpdate attack was blocked three years ago by adding a simple cryptographic handshake, but we have to wonder how many other update mechanisms are out there—especially in custom or vertical applications with small numbers of installations—without that kind of protection. Developers must think ahead of the attacker, not let themselves be surprised when attackers take notice of new targets.
The same kind of people who write malicious code aimed at the PC platform have now discovered the mobile device as well. Late last year, a virus for the Symbian mobile platform was said to be a likely prospect by experts including F-Secure research director Mikko Hyppönen; now, that possibility is a reality with the advent of the Bluetooth-propagated Cabir worm. The Pocket PC platform is likewise vulnerable, as now shown by the proof-of-concept WinCE.Dust.A file infector disclosed late last week.
I discussed the implications of Cabir with David Staas, director of development for anti-abuse technologies at Openwave Systems Inc. in Redwood City, Calif. Cabir marks an inflection point in the industrys attitude, Staas said, “The mobile carriers went from thinking theyd have to address this someday to, Holy Cow! This is happening today.” If even 10 percent of a mobile carriers users have any kind of problem at all, said Staas, that quickly turns into a monumental support cost.
Solving the problem, Staas said, depends on three initiatives: Carriers need to collaborate on best practices, through groups like the Messaging Anti-Abuse Working Group; technologies for sender authentication require broad industry development effort and support; and regulatory efforts require international scope.
Without progress on all three fronts, said Staas, the value of the medium is at risk; “We need to work together to win this.”
Tell me what you expect and/or fear in mobile device malware at firstname.lastname@example.org.