A View from Christopher Mims
Preventing Smart-Phone Armageddon
If hackers got access to enough smart phones, they could paralyze wireless communications.
In 2009, Scott Totzke, vice president of security at Research in Motion – maker of the BlackBerry smartphone – told Reuters that his nightmare scenario was a type of attack in which a sufficient number of smart phones in a given area were compromised in a way that they would send so much data through a local cell phone network that normal cell phone service would effectively be knocked out.
Now researchers are working on a way to prevent the kind of malicious access that would allow such an attack. The bad news is it’s nowhere near being implemented yet, leaving many smartphones vulnerable to being compromised and exploited.
To understand the attack, which is the cell-phone equivalent of what’s known as a Distributed Denial of Service (DDoS) attack, it helps to understand that something like it has happened before – on 9/11. On that day a phenomenon common to many natural disasters and large-scale emergencies occurred: everyone tried to call out from or into the Manhattan cell phone network at once, overloading the network and making it almost impossible for calls to get through.
In a smartphone DDoS attack, hackers would have to get access to a sufficient number of phones in the same area, and then, all at once, get them to start pushing as much data through the network as possible. When this happens on the Internet, with conventional PCs and routers, it can bring a targeted Web site to its knees, making it impossible for anyone to access it.
Even if an attack of this kind never happens – fortunately it’s unlikely, given its scale and the still limited reach of smartphone viruses, trojan horses and rootkits – the growing ubiquity of smartphones, along with the sensitive information they carry, makes it likely that exploits for these phones will continue to proliferate. That could be more than just a route to identity theft - rogue software could also slow the cell phone networks in general.
The solution, proposes a pair of researchers at the University of Colorado at Boulder, is to devise an effective way to check smartphones for viruses. It sounds simple, but the problem is that smartphones don’t have the battery life to be constantly running onboard virus-scanning software. So Bryan Dixon and Shivakant Mishra propose running the virus scans on the PC to which smartphones are so often connected.
In this way, the smartphone could send over hashes of all the files on the phone - hashes are small representations of large files - and the PC could use this information to determine which files have changed since the last time the phone was connected, scanning only those files in order to save time.
The researchers admit that their strategy wouldn’t be able to defeat a rootkit (software that gives a malicious hacker total control of the phone and to some extent replaces its operating system), but they argue there are also potentially strategies for determining whether a phone has been compromised in this way. These strategies include, for example, timing how long the phone takes to respond to certain challenges - a rootkit might be able to provide the right answer, but it wouldn’t be as quick at doing the calculations as the phone’s native OS.
Smartphones are now computers, which means that they are vulnerable to the same kinds of exploits as computers. While Apple and RIM have created walled gardens for their software to minimize the access points for malicious software, the Android market does not - it’s basically a ratings and trust-based system. In addition, with cell phones, in some sense the stakes are higher: because bandwidth on wireless networks is at such a premium, if there were as many smart phones enlisted in the ranks of the world’s hacker-controlled zombie computers as there are PCs, it would almost certainly affect network performance, making the wireless Web that much more difficult for everyone to access.