Mobile threat in Africa

By Kathryn McConnachie, Digital Media Editor at ITWeb.
Johannesburg, 16 May 2012

SensePost MD Charl van der Walt yesterday presented an overview of the mobile revolution, its African implications and the modern mobile threat model.

“Mobile is here to stay and it is only going to continue to grow,” said Van der Walt, adding that it will “change everything we know about security”.

"Mobile phones are highly connected, deeply integrated, widely distributed and poorly managed."

According to Van der Walt, as technology continues to develop, it is resulting in fundamental changes in society. “The way to introduce products into the market is no longer through getting IT managers to adopt them, but rather directly through consumers. For example, Microsoft sold eight million Xbox Kinect consoles in just 60 days - illustrating just how quickly end-users adopt new technology.”

By 2015, the number of mobile-only Internet users will have grown 56-fold worldwide. The same growth pattern is being seen in Africa. “Mobile will outstrip all other devices as the primary computing device for Africans,” said Van der Walt. “In Africa, by 2015, there will be more people with mobile access than electricity at home. There's got to be a game changer in there somewhere.”

Looking at the mobile threat model, Van der Walt said the three core areas of concern are security, privacy and control.

While Van der Walt could not go into detail, he said there are many issues surrounding control - such as governmental control and corporate intervention. In terms of privacy, Van der Walt said the phone has become the “ultimate bugging device”.

Citing white hat hacker Moxie Marlinspike, Van der Walt says there used to be a time when people could choose whether they wanted to make use of a technology, and sacrifice their privacy or not. Now, however, if one doesn't use the technology, one is essentially not taking part in society, so consumers are placed in a difficult position.

Van der Walt used the example of the Carrier IQ controversy, in which more than 141 million devices were shipped with technology that essentially recorded all device activity and relayed it back to the carrier (claimed to be used for troubleshooting).

New attack surfaces

Within the security aspect of the threat model, there are four key categories that need to be considered for mobile devices. These are the device, operating system, applications and data.

In terms of the device, the powerful features of modern smartphones offer new attack surfaces. A lack of standardisation across operating systems, and the fact that running security software is currently onerous, are also issues. According to Van der Walt, a problem for Android especially is the way in which the OS is patched by the carrier, and not all users get the updates they need at the right time.

When it comes to applications, key concerns are the reliance on cloud services, insecure storage of communications, the way in which apps can easily be spoofed, and the vast power often granted to apps (such as access to PPI, hardware and other functions).

Finally, data issues in the mobile threat model are limited encryption on devices, the fact that many devices are not locked, and that data communications are often poorly connected.

Van der Walt says future mobile developments that will be key for security considerations include increased connectivity, HTML5, NFC, the emergence of truly locked down devices and more in-house app stores.

In terms of future impact, Android is expected to surge ahead. Looking forward, as far as security is concerned, Van der Walt says large-scale malware attacks that will cause “lots of trouble” are expected. These attacks may occur in “islands”, with specific platforms or sectors targeted. This threat is expected to be worse for Android as opposed to closed platforms such as Apple's iOS.