Systems prime for exploitation?

Introduction

In previous security articles we have discussed the fact that malware writers seem to have changed their focus from exploiting vulnerabilities in operating systems like Microsoft's Windows systems, to popular applications like Adobe Reader.

We have now looked into our crystal ball and believe that we see new types of systems, which in the near future will rapidly climb on attackers' ladder of priorities.

General considerations

There are two different approaches for malware creators when they determine what kind of malware to create:

1. Targeted malware with sophisticated social engineering techniques aimed at a limited number of users, with high potential for successful infection.
2. Malware with potential to reach lots of users, with minor average potential for successful infection, counting on a satisfactory number to become victims.

In this article we will focus on the second type of approach.

It follows from the description of 2 above, that one major factor in determining whether a system (i.e. application, operating system or hardware) is an interesting target for exploitation, is whether there exists a substantial number of users.

Operating systems for handheld devices

Apple's new iPad set a phenomenal record in sales recently, with more than a million devices sold in less than one month. This number would presumably have been even higher if production capacity had been higher. Apple's other recent super-success - the iPhone - is one of the winners in later years' mobile phone competition. Both iPad and iPhone use iPhone OS, an operating system derived from Apple's operating system OS X.

Another operating system for handheld devices, which has received notable success recently, is Android. This is Linux-based and in later years a product developed by Open Handset Alliance, a consortium of several major players in the mobile phone markets. Handheld devices which use Android operating systems include models from Sony Ericsson, HTC, Motorola, Samsung, and Google's Nexus One. According to Google, earlier this year 60 000 Android-based handsets were shipped each day.

The third operating system for mobile devices that should be mentioned in this context, is Symbian. Like Android, this started as a proprietary system, and later became an open system operated by Symbian Foundation. Mobile phones using Symbian operating system include models from Nokia, Sony Ericsson, Fujitsu, Samsung and Sharp.

Ripened for serious attention from attackers?

Norman has not been among the security companies most eager to warn against malicious software attacking mobile phones. The main reason for this is that there have been no serious attacks (yet?). More than one year ago we wondered - in our article Mobile phone threats - hype or (finally) truth? - if the time had come for malware on mobile phones to constitute a real threat for the average users. However, we should be careful to conclude that the situation is significantly altered a year later.

There are at least two reasons why handheld devices, like mobile phones and tablet computers like iPad, may be "the next big thing" for cyber criminals:

• Their integration with organizations' protected systems are becoming seamless. Employees may view and change corporate information from their handheld devices from anywhere in the world. Illegitimate access to such a device therefore approximately equals access from a device inside the organization.
• They have become widespread to a degree that they may qualify as interesting for malware writers, based on the approach mentioned in item 2 above.

Protection mechanisms

The developers of the operating systems for handheld devices are of course concerned about security, as any other developer of operating systems.

Unfortunately we know from the history of operating systems used for "traditional computers", that over the years dedicated hackers have been able to find a plethora of vulnerabilities. We are naïve if we count on operating systems for handheld devices to be qualitatively different, even though security issues have been significantly more focused upon in recent years.

Apple's special protection system

Apple has attempted to enforce an additional level of security by requiring that third-party applications developed for iPhone OS must be authorized by Apple to be able to run on the devices. Seen from a purely security conscious point of view, this is a good idea. However, it also has its drawbacks.

Some applications that are seen as useful by many users are not authorized, and lots of handheld devices running iPhone OS have therefore been jailbroken to have Apple's built-in restriction removed. The disadvantage is obviously that a protection mechanism against malware is simultaneously removed, and these jailbroken devices may be specially targeted. There are already worms in the wild that attack jailbroken devices only.

Predictions

Handheld devices have reached a level of propagation, which makes them an interesting new target for cyber criminals.

During the next few years we will see an increase in attacks focused on these devices.

As we have discussed in other security articles. users have a low awareness of attacks against devices that are traditionally regarded as safe. The probability for successful attacks by even minor sophistication is therefore high.