Last week, researchers from a security company found a flaw in iPhone software that allows it to be remotely controlled. The weak spot was in the Safari Web browser, software that’s also used on Apple’s computers. “It’s a good example of how flaws in PC software show up in a similar guise on cell phones,” says David Wagner, a professor of computer science at the University of California, Berkeley.
Cell-phone viruses have been around for nearly a decade, but many experts believe that serious threats could become a serious problem in the next couple of years thanks to the gadgets’ growing computing power and complexity. “I think a large part of this is that cell phones are becoming miniature computers,” Wagner says, “and as a consequence, they are starting to inherit some of the same problems that we face with PCs.”
Many cell phones are scaled-down computers, and they can take advantage of some of the existing efforts to make personal computers more secure, such as using antivirus software. But cell phones have their own set of problems. For instance, mobile devices are easily lost or stolen; they are accessible via a number of methods, including the cellular network, Bluetooth, and, increasingly, Wi-Fi; and they have a limited battery life and constrained processor power. Researchers have only recently started to grapple with the implications of designing cell-phone security systems that encompass these and other challenges.
Currently, a number of security companies that provide antivirus software for computers–including Symantec, McAfee, and Sophos–have also introduced products for mobile phones. Such software works similarly to computer versions, says Anand Raghunathan, senior research staff member at NEC Laboratories America, in Princeton, NJ. He says the cell-phone software tends to be more efficient and is designed to run on a phone’s lower-end processor (compared with modern desktop computers). However, these antivirus tools are scaled down a bit, “designed to have limited functionality so they don’t drain the battery too much.”
In some cases, the problems of constrained battery life and processing power can be addressed by simply running security software on the cell-phone carrier infrastructure, as opposed to on the phone. Raghunathan says that today, many carriers have software built into their equipment that scans network traffic for known signatures of viruses, bits of code that act like a fingerprint. This network software can keep malicious programs from making their way to and from people’s devices.
But Raghunathan is skeptical that security software will be the final word on keeping cell phones from harm. “I think the next generation of solutions will be hardware-based security, where phones have security built in,” he says. While security hardware alone couldn’t prevent security holes in software, such as in Apple’s Safari browser, it would “certainly limit the consequences.”
Raghunathan explains that security hardware in a phone–often an extra processor and some memory that are hardwired for specific tasks–works by dividing the phone into two environments: one that the user has access to, with all the applications, and another that is designed to be impenetrable to viruses and malicious software. Passwords and other critical information are stored in the secure environment so that even if a virus is downloaded, it can’t access the data. This sort of approach would also be useful if a phone were lost or taken, Raghunathan explains, because when it’s reported stolen, the carrier could access the secure environment to shut down the phone, locking out anyone who wanted to read the theft victim’s e-mail or look at her pictures.
Phones with hardware security aren’t yet available to consumers, Raghunathan says, but he expects that the first versions of these will appear within the next year or so. One of the driving forces behind hardware security is the Trusted Computing Group, a consortium of technology companies including Intel, Microsoft, IBM, and Hewlett-Packard. One of the organization’s goals is to establish hardware-security standards for phones. While secure hardware could provide users with benefits, there is some disagreement regarding who would have access to the hardware. Some groups, including the Electronic Frontier Foundation, argue that with trusted computing, consumers might have less control of their devices than service and content providers do. For instance, content providers might use the platform to create unbreakable digital-rights management software to lock a downloaded song or video onto a device.
Some experts believe that the companies that make mobile phones and software can solve many of the security issues. By incorporating better software practices so that security is integrated from the first day the software is written, companies can do a lot to keep viruses to a minimum. However, because it costs money to make phones more secure, and because it’s a feature that isn’t readily visible to a consumer (unlike a three-megapixel camera, for example), security is often an afterthought. “The real failing is that the vendors didn’t learn the PC lesson and design better operating systems,” says Steven Bellovin, a professor of computer science at Columbia University, in New York. “It’s not like they weren’t warned.”
Even so, mobile virus and malicious software attacks have been minimal within the past few years, possibly because the industry is broken up into many different cellular service providers and software and hardware manufacturers, says Richard Ford, a professor of computer science at Florida Institute of Technology, in Melbourne. This means that for a virus to make a large impact in the industry, it would need to be rewritten a number of different times to work on various devices. Unlike the PC world, there is no big cellular target yet, although thanks to the iPhone’s initial buzz, it may be developing a bull’s-eye. “Hopefully the next year will be quiet,” Ford says. “Quiet is good, but I think that sometime in the next three to five years, we’re going to see a nasty outbreak.”