Security

McAfee highlights mobile network threat risk

Absurdly precise

McAfee Security today released research designed to persuade mobile operators to invest more in security - or risk huge loses through malicious attacks by 2005.

Mercer Management Consulting, commissioned by McAfee to look into the issue, reckons that from 2005, European operators stand to lose $10.5bn annually, unless they install protection.

(Actually, Mercer comes up with the extraordinarily precise figure of $10,542,493,947 in losses without protection, and $749,669,496 lost even with "effective protection" against mobile malicious threat assaults.)

McAfee's wireless security evangelist, Sal Viveros, conceded loyally defended Mercer against our scepticism. Mercer's figures are, in our opinion, guesstimates at best.

It's very difficult to quantify virus-induced losses caused by PC-targeted attacks. Prosecution evidence of financial harm caused by jailed virus author Simon Vallor was, for example, conspicuously absent during his sentencing hearing earlier this week.

How much more difficult, then, to estimate losses caused by malicious attacks two years hence on mobile platforms?

According to McAfee it is easier to estimate costs in the mobile world. We're unconvinced.

Mercer's study looks at loses from a variety of attack scenarios: jokes, hoaxes, viruses and worms.But how many mobile phone worms, or come to that PDA viruses, have we seen so far?

We see little evidence that VX writers have the skill, or the tools, to cause widespread disruption to mobile networks. There's never been a mobile phone virus thus far, McAfee concedes, thanks in part to the closed nature of this environment. It's hard enough for legitimate developers to get development toolkits, let alone virus writers. This has forestalled the development of mobile phone malicious code creation kits.

There have been a handful of viruses (mostly ineffective) targeted at PDAs, but none have caused any real harm. In short, there have been very few financially damaging attacks against a mobile networks or devices up to now.

SMS Assault

An SMS assault against Japanese carrier DoCoMo is one of the few examples of the sorts of problems mobile operators could face in future.

In April 2001, an SMS containing an Internet link which, when clicked, caused iMode phones to repeatedly dial Japan's emergency services reached an estimated 100,000 subscribers and caused significant disruption.

McAfee's argument that the increased power and connectivity of wireless devices, and poor existing content protection, pose a risk that operators need to address is essentially sound but the Mercer figures are best ignored.

Operators, and manufacturers, do need to think about wireless security risks which increased standardisation, malicious Java applets, rogue SMS/MMS, and even Bluetooth might bring. But estimates of future damage shed little-or-no light on the likely threat future DDoS or email attacks directed at mobile networks might bring. In this area, we are all flying blind. ®

Sponsored: Go beyond APM with real-time IT operations analytics