Bob Graham doesn’t wait for a threat to become a pandemic. Several years ago, when one of his employees decided to start using a Treo handheld for phone and e-mail, he purchased and installed Symantec anti-virus software on the device — even though there had never been a documented case of a virus hitting the Treo. Graham’s motto: Be proactive. As Senior VP of Information Systems at Farmers and Merchants Bank of Long Beach, he maintains a constant vigil over security.
With twenty branches in Los Angeles and Orange County California, the bank prides itself in being one of the strongest banks in the country, as measured by a variety of industry metrics. Its approximately 550 employees are subject to stringent information control and security policies, which govern access to and usage of sensitive information both inside and outside the firewall. The rules are strict: no employee can use equipment for company purposes unless it is purchased by the company. Period.
“Because we’re a bank, we are very careful to ensure customer privacy and security. And yes, we are concerned about the threat posed by smart phones. A smartphone is really just a handheld endpoint — and you need to protect every endpoint,” he explains.
Banks and other organizations that are subject to stiff regulatory requirements are obviously proactive. And with specific regulation aimed at protecting an individual’s personal information, such as the California Breach Notification Act (SB 1386), it’s doubly important to ensure that all information security policies are enforced, all the time. But let’s take a look at the situation: how real is the threat to handheld devices and what is the danger? How widespread is the vulnerability? What makes mobile phone malware different from PC malware? And what can, and should, we be doing about it?
How Real is This Threat?
We have seen a rapid evolution of cell phones into handheld devices — smartphones — with memory, capacity and attractive capabilities — especially address books, call history, memory, etc. While this type of phone is not the norm today (it is estimated that only 4 percent of the two billion mobile phones are smartphones, using Windows Mobile, Linux, BlackBerry or Symbian technology), the percentage is growing rapidly. So we have a significant target population — 80 million devices, and growing.
Up until about a year and a half ago, there was no real threat to handheld devices. Some may remember, early in 2000, when we began to hear about the possibility of viruses hitting Palm devices and WAP phones — but that was more paranoia than reality. Everything changed about a year and a half ago, when real instances of viruses targeting handhelds began to appear. And with the appearance of Cabir, on June 15, 2005, we saw the threat become reality.
Since then, in only four months, there have been more than 100 mobile viruses. And new mobile phone viruses and Trojans are appearing at the rate of approximately one per week, according to Mikko Hypponen of F-Secure, the company that has been a pioneer in the field of mobile security, “Although some people still think of mobile viruses as an urban legend, in reality there have already been tens of thousands of infected mobile phones around the world. I know of one operator with nine million customers who sees 200 infected handsets a week. And that’s just the handsets that are reported!”
How Can a Smartphone Become Infected?
Roughly half the viruses are included in programs available for download from Web sites — purporting to be file explorer tools, fun applications, ring tones and the like. In reality they may destroy the phone book, prevent the mobile device from booting or otherwise cause havoc and prove the writer’s prowess. But all Symbian viruses arrive with a warning to the user that the application is not signed. If the user acknowledges the warning and continues with the download anyway, the virus is effectively invited in.
Downloads are not the only way of getting infected. In fact, there are four methods of infection. In addition to downloads, a virus can come in via Bluetooth even when you are not using it but merely have it enabled and visible in the phone. An MMS message could carry malware. Yet another source is an infected memory card. But the most important factor behind all methods is still the human factor: users who fail to heed warnings, blindly install memory cards and don’t use anti-virus software will continue to be at risk.
Striking Similarities Between PC and Mobile Phone Viruses
Several years ago the authors of PC viruses just wanted bragging rights, but that changed in January 2003 when we saw the first confirmed case of a PC virus being used for purposes of making money. Today’s virus writers are aimed squarely at financial gain, and cost more than US$166 billion per year. Will we see the same evolution with mobile phone viruses?
According to Sarah Hicks, VP of Strategic Opportunities at Symantec, “With smart phone virus writers, bragging rights will only go so far. I believe we will see a much quicker turn toward for-profit hacking and virus writing on mobile devices.”
Another parallel: Virus writers go after the most popular operating system. Just as most computer viruses attack systems running Windows (the market leader) so too do most mobile phone attacks target Symbian, which represents some 80 percent of the smart phone market. This doesn’t mean that other operating systems will never be vulnerable. According to Hicks, the danger will increase as operating systems open up, and we will undoubtedly see more proof of concept viruses being written for platforms other than Symbian.
Perhaps the most striking similarity is the degree to which human factors play into the equation. For years we warned people to make sure to protect their PCs. Some did, but many didn’t, and viruses ran rampant. We warned people not to open e-mail attachments from unknown senders, and some heeded the warning but many did not. Now we warn them to protect their smart phones, recognizing that they hold valuable information and can form a connection to even more valuable corporate data. But we see far too many instances of people making the same poor choices on the smart phones as they made on their PC’s.
What Can You Do?
You are still much more likely to get hit with a PC virus or worm than with a smartphone virus — today. But let’s take a look at history. It took 20 years to get to today’s situation, with more than 140,000 PC viruses. But it has only taken 18 months to go from zero to 100 mobile phone viruses. At that rate, smartphone viruses could catch up to PC viruses within five years. Let’s not allow that to happen. We must have learned something through 20 years of fighting viruses, right?
Should you rush out and buy a suite of products to protect their handheld? Actually, it’s not such a bad idea. While consumers are not terribly worried these days, according to Symantec’s Hicks, there is more concern on the part of the enterprise. There, the concern is over malware in general, with an acknowledgement that smart phones will be susceptible.
Smart companies treat smartphones as just another endpoint. “Companies need policies in place around how they will manage these devices and best practices,” she says. “But the bottom line is that people need to get smarter. Use passwords. Turn off file sharing. Don’t download attachments. Don’t assist the viruses!”
Bob Graham goes a step further. He believes the threats will multiply next year, as devices become more prevalent and are used to do things like purchase products. Once again he advises organizations to be proactive. “The cost of antivirus software for handhelds is next to nothing compared to the risk if someone gets in and does something to or with the data. Treat smartphones like any other endpoint. Give them all the layers of protection you would a laptop or desktop. “
Tanya Candia is a consultant and expert on information technology (most notably data management and security), business management and marketing issues. As president/founder of Candia Communications, she consults with a variety of companies on busienss, strategy and maketing programs. Candia can be reached at firstname.lastname@example.org.