Network World - The meteoric rise in the smartphone market is creating a dangerous vulnerability in smartphone security - one that may not be patched until the problem expands into what has been dubbed an "apocalypse."
Dan Auerbach, a staff technologist at the Electronics Frontier Foundation, points to outdated encryption standards and the inherent vulnerabilities of the baseband processor found on modern smartphones as the makings for a security hole through which users can be exploited at large.
The situation is similar to the PC boom of the late 1990s, Auerbach says. Just as PCs were designed to communicate freely with any and all network elements at the time, the baseband processors found on many of today's smartphones interact with any base station with which they come into contact.
At the same time, "the cost of having portable base stations has decreased quite a bit," Auerbach says. This has already enabled some police-state government agencies to create false base stations to monitor cellphone communications, he added.
"So you have just kind of a fake base station, and then you get a user's cellphone to interact with that instead of the real base station," Auerbach says.
This idea is known as the "baseband apocalypse," and it is nothing new. At last year's Black Hat DC Conference, security researcher Ralf-Philipp Weinmann presented the vulnerability and warned that new open source tools for establishing mobile base stations will make smartphones easier to exploit than in the past, when the code for base stations was retained by the service providers that managed them.
What's scarier, though, is that smartphone developers since have focused on features like user interface and screen resolution, as opposed to fixing a fundamental vulnerability that has been public knowledge for at least the past 16 months, Auerbach says. The Global System for Mobile Communications (GSM) standard for 3G cellphones still employs the A5/1 encryption algorithm, which Auerbach says is "incredibly broken" and "basically worthless." Indeed, the industry has been aware of an attack against A5/1 that can intercept voice and text communications since 2009.
"So, in light of that, controlling the base station and the network elements really does give you access to users' communications," Auerbach says.
Another similarity between the mobile industry of today and the PC security outlook at the turn of the century is that OEMs and mobile carriers have no incentive to secure this vulnerability during the product development life cycle, Auerbach says. The faster smartphones are developed and pushed out to market, the more money companies like Qualcomm and Apple stand to make. With the way the smartphone market has grown lately, they likely won't be slowing down any time soon - a recent IDC report showed 42.5% year-over-year growth in worldwide smartphone shipments in the first quarter of 2012.
- Leverage the Power of APIs to Turbocharge Your Mobile Strategy: 7 Steps to a Successful API Program In this guide, Intel® Services-which offers industry-leading API management solutions for over 150 top enterprises, including Best Buy, Netflix, Expedia, ESPN, and The...
- Mission Critical Cloud Powers Freesat Website, Mobile App When subscription-free satellite TV service Freesat needed a scalable, cost-effective infrastructure it found the disaster recovery and security features it needed with Peer...
- Bring Your Own Device: From Security to Success Download this e-Book to learn best practices for executing a BYOD policy.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- API Management: The Key to Improving the Consumer Travel Experience Join PhoCusWright's Senior Technology Analyst, Norm Rose, as he shares his insights on how travel suppliers and intermediaries can improve industry data flow...
- Don't Believe the Hype: Not All Containers are Created Equal Hear executives discuss the 3 C's of Secure Mobility-content, credentials, and configurations-and learn the inherent security risks to your organization of using MDM... All Mobile/Wireless White Papers | Webcasts