Superphones: A security nightmare waiting to happen
Smartphones don't tell the half of it
If I sit down with a PC from the late 90s and a modern PC I bought yesterday, they are quite obviously the same animal. The operating system has changed, and there have been some minor innovations. With the exception of speed and support for the newest protocols, a PC from the late 90s could be used to perform exactly the same tasks we would buy a PC for today.
Perhaps most importantly, the security considerations of the late 90s are largely applicable to computers today. Yes, Vundo, Conficker, Stuxnet et al. are new friends here to keep security folks employed.
Drive-by-downloads and browser vulnerabilities have risen while operating system flaws have fallen. Still, the same basic rules apply: keep your firewall up and your operating system and applications fully patched. If you are using Windows then anti-malware software is an absolute necessity, as are good (non-image) backups. You’ll likely be reinstalling your PC at least once a year.
In more than a decade, nothing in the PC landscape has really changed. Smartphones are a different story. So, what exactly is a smartphone? Wikipedia offers up a potential definition: “a mobile phone that offers more advanced computing ability and connectivity than a contemporary feature phone.” The limiting factor of a feature phone seems to be that applications are limited to the anemic Java ME.
By Wikipedia’s definition, it’s been well over a decade since the first devices crept out. The problem I have with this is that modern smartphones bear absolutely no resemblance whatsoever to their antecedents. You might as well be attempting to compare a modern Windows 7 gaming rig with ENIAC.
Using Wikipedia’s definition for smartphone covers a pretty broad range. The various generations of smartphone differ greatly in functionality, media capability and attack surfaces. Smartphone has become a nearly useless term for consumers and for systems administrators as well.
The term I run across most often for post-iPhone smartphones is “superphone.” Wikipedia disagrees – searching for “superphone” returns nothing – but I lack a better term. By my definition, a superphone is a generational increment above the traditional smartphone. It is notable for the inclusion of an integrated App Store, Wi-Fi and multimedia playback capabilities.
Whatever happened to security through obscurity?
Media playback capabilities make these devices desirable to more than IT types and busy executives with the time to learn a device’s quirks. The ability to play media also means owners of smartphones have the incentive to spend time learning how to move files on and off the handheld.
Add in the ability to install an app for anything via an integrated app store and then browse your corporate Wi-Fi and we are now playing a completely different game.
The modern superphone - a category that includes post-iPad tablets - bears only an incidental link to its precursor, the smartphone. Smaller organisations can generally get away with ignoring the threat of a smartphone. Indeed, if you are using BES (BlackBerry Enterprise Server) or similar solutions to manage your smartphones, then they likely pose no real threat to you at all.
Superphones, on the other hand, are deadly. They are not only fully-featured computers in their own right, they are easy – and desirable – enough to use that everyday users are getting in on it. They are everywhere and, worst of all, their popularity means their vulnerabilities are being discovered and exploited, and malware is being designed specifically to target them. That’s before we even consider the privacy implications.
I call, then, for a differentiation between “smartphones” and “superphones”. One is a hand-held email appliance that can browse the web (poorly). The other is a security nightmare looking for a place to happen. ®
"You’ll likely be reinstalling your PC at least once a year"
Bollocks. If you're having to do that, you don't know what you're doing.
With XP, my home machine lasted 4 years, till I replaced the hardware. I'm currently at 5 years on my work machine, and my new home machine is now hitting 16 months on Win7, no issues.
I have anti-malware software installed, I run, at all times, as an unprivileged user (if it works for *nix..), which is not so hard as people like to make out, and I use an offline scanner once every couple of months, nothing turns up. This is how I work on all my machines - my Linux server, my (now departed) Mac, and Windows - and I take nothing for granted and check them all.
Windows makes it too easy to run with elevated permissions; if you change your work methodology to stop this, it's not too tricky to secure.
you nailed it
"If you're having to do that, you don't know what you're doing"... so that's 90% of PC users then? The very people that use their phones for logging into Facebook and their bank on an open Wi-Fi connection at Starbucks, and the very reason the last sentence in the article is so pertinent?
Waiting for the day
...that all your good intentions bite you in the ass so I can laugh at you. I can't count the number of idiots I've supported through identity theft issues and rancid infections who had the exact same ideas as you. "If I know what I'm doing I can't get an infection."
It doesn't take downloading an infected torrent, or putting in an infected CD, or going to a "dodgy" website to get a virus. All it takes is a hacker infecting a WELL KNOWN web site you visit, or anyone bringing an infected machine into your network (or you connecting to public WiFi or tethering over 3G which has no firewall). Even major retail applications have landed on the shelves of Best Buy infected in the box, and disabling auto-run doesn't prevent the installer you told to run from installing the payload as part of the application install. If you use any e-mail app at all you can get an infection from an attachment simply by it arriving in your inbox (no need to open it at all). You can get an infection from a Word doc just as easily as a PDF or a bit of Flash or Java (and good luck doing much without Java, Flash I can get by without but not Java).
There are a dozen quality and free AV/AM solutions out there, including one from Microsoft which is actually one of the best. RUN ONE, and spare us all your becoming the next bot infected PC. Odds are, you think you're clean, but you are already infected by numerous bots. See, in the old days, viruses were designed to cause havoc, and you knew you had one, now, they're designed to run SILENT, causing as little disruption to YOUR machine as possible when you're logged in. If you're not scanning, you have no idea the damage you could be causing. If you ARE scanning, WTF are you doing it remotely and why not just simply install the app to prevent the infection in the first place? AV takes VERY little load off a modern PC.