Wednesday, August 01, 2007

Securing Cell Phones

Phone companies should consider the recent hack of the Apple iPhone a wake-up call for better mobile security.

By Kate Greene

Last week, researchers from a security company found a flaw in iPhone software that allows it to be remotely controlled. The weak spot was in the Safari Web browser, software that's also used on Apple's computers. "It's a good example of how flaws in PC software show up in a similar guise on cell phones," says David Wagner, a professor of computer science at the University of California, Berkeley.

Cell-phone viruses have been around for nearly a decade, but many experts believe that these threats could become a serious problem in the next couple of years thanks to the gadgets' growing computing power and complexity. "I think a large part of this is that cell phones are becoming miniature computers," Wagner says, "and as a consequence, they are starting to inherit some of the same problems that we face with PCs."

Many cell phones are scaled-down computers, and they can take advantage of some of the existing efforts to make personal computers more secure, such as using antivirus software. But cell phones have their own set of problems. For instance, mobile devices are easily lost or stolen; they are accessible via a number of methods, including the cellular network, Bluetooth, and, increasingly, Wi-Fi; and they have a limited battery life and constrained processor power. Researchers have only recently started to grapple with the implications of designing cell-phone security systems that encompass these and other challenges.

Currently, a number of security companies that provide antivirus software for computers--including Symantec, McAfee, and Sophos--have also introduced products for mobile phones. Such software works similarly to computer versions, says Anand Raghunathan, senior research staff member at NEC Laboratories America, in Princeton, NJ. He says the cell-phone software tends to be more efficient and is designed to run on a phone's lower-end processor (compared with modern desktop computers). However, these antivirus tools are scaled down a bit, "designed to have limited functionality so they don't drain the battery too much."

In some cases, the problems of constrained battery life and processing power can be addressed by simply running security software on the cell-phone carrier infrastructure, as opposed to on the phone. Raghunathan says that today, many carriers have software built into their equipment that scans network traffic for known signatures of viruses, bits of code that act like a fingerprint. This network software can keep malicious programs from making their way to and from people's devices.

But Raghunathan is skeptical that security software will be the final word on keeping cell phones from harm. "I think the next generation of solutions will be hardware-based security, where phones have security built in," he says. While security hardware alone couldn't prevent security holes in software, such as in Apple's Safari browser, it would "certainly limit the consequences."

Raghunathan explains that security hardware in a phone--often an extra processor and some memory that are hardwired for specific tasks--works by dividing the phone into two environments: one that the user has access to, with all the applications, and another that is designed to be impenetrable to viruses and malicious software. Passwords and other critical information are stored in the secure environment so that even if a virus is downloaded, it can't access the data. This sort of approach would also be useful if a phone were lost or taken, Raghunathan explains, because when it's reported stolen, the carrier could access the secure environment to shut down the phone, locking out anyone who wanted to read the theft victim's e-mail or look at her pictures.

Comments
thmlco on 08/01/2007 at 12:26 AM
4
mezza on 08/01/2007 at 3:16 PM
1
The security lapse on Apple's part with the Safari browser on the iPhone is lamentable. Especially given the key focus of the device is mobile internet usage.
However, to use this as an example for other cellphone manufacturers is a bit of a journalistic leap of faith.
Mobile device manufacturers have to deal with potential security breaches through any number of methods (WAP, HTML, Bluetooth or Infrared OBEX) but to imply they haven't been addressing this already or that Apple have discovered something new?!! Not really a clarion wake up call is it?
And hardware security on the device being a solution? meh. Proper partitioning of services and a good OS seems a better bet to me.
martinaatayo on 08/03/2007 at 3:08 PM
26
amount of research work (hardware and software) can be developed successfully, only to an extent, but not totally, by simple reason that these devices are wavelength and frequency manipulated.
Even a move by some banks in the nation allowing clients to access and pay bills on cell phone browsing, and at the same time, guaranteeing security protection raises serious concern.
Security in the context of cell phones, if it must be meaningful, the government must be involved and a law safeguarding functionality and usage, clearly written and passed by Congress.