The problem with cutting-edge technologies is the unprecedented risk that comes with them. Before something stabilizes, a lot is already done, and the same is very true of the changing mobile industry. We all know how easy it was to crack a Hotmail, Yahoo or any other mail account. A couple of people can still do it, but the risk then was much lower compared to what is happening now.
The cellphones available in the market today are nothing less than computers with processors and operating systems. The most popular is of course the Symbian operating system (the most popular embedded operating system in the mobile industry), with ARM architecture based chipsets.
Exploitation can go to the extent of:
Bank Transactions
Credit Card phishing
Spamming Users
Wireless: Bluetooth was the name taken from King Harald (not very sure about this), but the implementation has serious flaws. The way OBEX handles it is really not that sound. A guy in our office had challenged me and I demonstrated it in our test lab. But what do we do in the case where a lady was sent an SMS with a personal opinion on her dress? And there have been thousands of incidents like the one I have mentioned. The worst is that as of today, with me writing this article, there is no way to detect the sender. That's the way the internal protocol handshaking w.r.t. OBEX has been designed, which is being exploited. It can go to any extent, from spamming to using Trojan horses and viruses. I have been using Bluetooth for testing purposes and there were enough incidents where my device got infected with mobile viruses.
And then I had to do so much R&D to remove the viruses. I do it as a tester, but what happens to any mobile phone user?
Other considerations:
1. No cost overhead for the exploiter, as it uses the ISM band, which is license-free.
2. Bluetooth is just one case; there are so many other compelling technologies, such as WiMAX and IrDA.
Mobile Space:
Exploitation of IMSI and ESN numbers
Flashing & re-programming the phones
Exploiting Operating Modes of Cellphone
E-Mail Exploits: The mail composed is copyrighted material to the extent of being subpoenaed. As the law states, it's a legal document. Imagine, someone using your mail id to
Channel Exploits: It is very much possible to extract the data from the cellular network's paging channel (a special frequency that cellular networks use to communicate administrative information to cellular phones) and use it to track users through the networks. Each time there is a hand-off from one cell to the next which is taken care of by the OBEX protocol.
Cash Card Exploits: Although the Government has taken many measures to enforce identity proof even for prepaid connections, there are still cash cards from someone who illegally pirates telephone codes and who will give you some minutes of talk time to any place in the world for a couple of rupees/dollars.
Base Station Exploits: Ever noticed the place name changing on the phone display, making it different based on geographical location? When we travel from one base station to another the codec (hidden from end users) which is corresponding to the transceiver base station. And the same can be used to do any damn thing that the user of the phone could do.
Other Exploits: A simple voice-activated recorder could then tape the call. And, of course, a reprogrammed phone could automatically decode touch-tone passwords, making it easy to steal credit card numbers or voicemail codes.
And the list is endless...
Endless Governing bodies:
Endless Operating systems:
Endless Inter-Op Issues and associated Governing bodies.
Worst: Knowledge gaps of Law Enforcers
There was a case wherein a school student had taken some video with his/her pal and mailed it to his pals, which eventually landed up on an auction site, with people making money out of it. And guess what, "the CEO of the Organization was arrested". That was the first handset launched in India with Advanced Video Codec (AVC H.264) implementation.
Recent paradigm change in the technological arena space:
1. Vendors giving myriad solutions, right from hardware to software, along with a communicator, making it an all-in-one product. This could mean Microsoft coming into the hardware space, selling one communicator device which has:
An Operating System
Middleware Support
Wireless Support
Mailing support
Office Applications support
Camera and what not, including antivirus, all as one single product.
Exciting isn't it?
Solutions & Recommended Best Practices
The one and only thing I can think of is that prevention is much, much better than cure. An example could be to never keep Bluetooth in discoverable/auto-accept mode.
Keep the devices/systems patched.
Use the strongest and longest passwords, with a combination of alphabets, numbers, special characters and so on.
