Mobile devices carry intrinsic security flaws

April 9th, 2012

By Byron Acohido, USA TODAY, 09Apr2012, P1B

Those cool mobile devices beloved by consumers carry deep-rooted security flaws that are only now being discovered and addressed.

That’s the upshot of two recent deep examinations of popular mobile devices. The findings highlight how designers of the current generation of smartphones and tablet PCs failed to fully account for the security and privacy implications.

“Today’s smartphones and tablet devices perform the same functions as a PC,” says Dan Hoffman, chief of mobile security at Juniper Networks.“However, the vast majority of devices lack security software and mistakenly rely upon the operating system to keep people safe.”

In one study, Cryptography Research showed how it is possible to eavesdrop on any smartphone or tablet PC as it uses cryptographic keys to protect sensitive operations, such as when a mobile device is being used to make a purchase, conduct online banking or access a company’s virtual private network.

The secret keys can be deciphered, enabling a criminal to use them to access a financial account or a company network, says Benjamin Jun, Cryptography Research’s chief technology officer.

Jun

“These type of attacks do not require the device to be modified and there is usually no observable sign that an attack is in progress,” Jun says.

Cryptography Research is “working with one of the major smartphone and table companies right now to put countermeasures in,” Jun says. No known actual attacks have occurred, he says.

In another theoretical study, researchers at security firm McAfee, a division of Intel, demonstrated several ways to remotely hack into Apple iOS, the operating system for iPads and iPhones.

McAfee’s research team remotely activated device microphones and recorded conversations taking place in the vicinity of the hacked device. They also stole secret keys and passwords, and were able to pilfer sensitive data, including call histories, e-mail and text messages.

“This attack method shows ways that advanced attackers can compromise and control devices indefinitely,” says Ryan Permeh, McAfee’s principal security architect. “This can be done with absolutely no indication to the device user.”

Apple spokeswoman Trudy Muller declined comment.

Security experts and law enforcement officials anticipate that cybergangs will accelerate actual attacks as consumers and companies begin to rely more heavily on mobile devices for shopping, banking and working.

“Responsibility for addressing these security concerns is far reaching,” says Hoffman. “The broader security community needs to assist in providing all users the highest-level of protection.”