Looking Out for Mobile Data
Three hackers seeking to improve smart-phone security decided to forge their own path. Now their company boasts 10 million users.
In 2004, three students at the University of Southern California shook up the world of mobile phones. The three hackers—John Hering, Kevin Mahaffey, and James Burgess—found a vulnerability in certain Nokia cell phones’ Bluetooth connection to wireless headsets, which could let eavesdroppers listen in on phone calls. But, according to Hering, Mahaffey, and Burgess, Nokia didn’t take the problem seriously because Bluetooth communications have such a short range—generally about 30 feet. To drive home that the flaw needed fixing, the trio created a rig to sniff signals from more than a mile away. They mounted the hardware on a rifle stock, dubbed their contraption the “BlueSniper rifle,” and demonstrated it at the Defcon security conference that year.
“It was our belief that these devices would become the future of computing at some point and that software and software vulnerabilities were a big deal,” Hering says now. “And our goal was to change the mindset of those people tasked with building the software.”
Hering and his partners are continuing to forge their own path in the emerging field of mobile security with the company they founded in 2007, now called Lookout Mobile Security. Traditional computer-security companies, which sell subscriptions for software intended to protect PCs from spyware and viruses, have been predicting for years that similar scourges will soon begin to infect mobile phones. But malware on smart phones is not a significant problem yet, as the Lookout team realized. So instead they focused on helping consumers secure their devices in other ways. The Lookout app allows data on a phone to be managed remotely, for example, or it can locate a lost or stolen phone. The app (which is available on Android, BlackBerry, and Windows Mobile phones) also lets people oversee the other applications on their phones according to specific security criteria, such as which programs use the phone’s location data. “We decided to build a software product,” says Mahaffey, who serves as chief technology officer. “We did not want to sell through fear.”
The basic version of the app is free; Lookout makes money by selling a premium version. The company says its software has 10 million users; a “low single-digit” percentage of them pay for the premium version. Lookout itself employs 55 people and has raised $36.5 million in funding.
The company has focused on details such as streamlining the user interface of its app, and developed it expressly for mobile devices, rather than retrofitting business-computer software, says Chenxi Wang, vice president and principal analyst at Forrester Research. “What Lookout has done, which is remarkably simple but somehow has eluded the other vendors, is the fact they’ve designed their products for the iPhone-age consumers,” she says.
Although antivirus companies such as McAfee continue to warn that malware is a potential threat to smart phones, it has yet to become a huge problem. In fact, some security researchers argue, it should never be a problem, because of differences between the mobile and PC platforms. Applications for Apple’s iPhone, for example, all come from the App Store. Phones that use Google’s Android can download software from anywhere, but Google is able to remove programs remotely. “If we really need antivirus on current smart phones, something really went wrong,” says Collin Mulliner, a PhD student at the Technical University of Berlin, who knows Hering and Mahaffey from their Bluetooth research days.
Attackers are, however, starting to exploit the particular weaknesses of smart phones, and Lookout has to regularly update its service to detect the latest known threats. In February, a Trojan horse known as DroidDream infected hundreds of thousands of Android phones. Lookout detected other programs in the Android app marketplace with the same malicious code and notified Google. In May, the same attacker tried again with a simpler version, known as DDLite, and Lookout blocked it again.
Despite the battle between malware writers and companies like Lookout, the problem of malware is a sideshow compared the bigger problem of device management, says Andrew Jaquith, chief technology officer of Perimeter E-Security and a former analyst who covered the mobile market. “In the end, it is management that is wagging the dog, not security,” Jaquith says. “And in that space, in terms of implementation, there’s Lookout and then there’s everyone else.”