I was recently reminded by a friend of my old Symantec blog posts. The year was 2007, I was working in Advanced Threat Research specializing in mobile and having a ball (with a bit of Windows Vista on the side). As it's Friday and we're reflecting I thought it would be good to revisit some of these old posts and see how we're doing. All of these posts are from 2007 and not 2009 as some of the dates may imply (I left Symantec at the end of 2007) - click the titles for the original posts.
Getting Ready to Respond to Mobile Security Issues
Today we're in a transitional phase. While the pro-active work on mobile security is improving in leaps and bounds, as most major software vendors now have security teams, it did get off to a slow start. Platform mitigations such as code signing, sandboxes, ASLR, XN and compiler protections are becoming de facto across all platforms, even if there are some bumps along the way. The ability to respond to security issues is, for the most part, light years ahead of where we were for the majority of platform/handset vendors. However, there are still some challenges around the ability to deploy patches due to the need for carrier certification and/or sign-off and general carrier apathy.
Security Issues & COTS Mobile Operating Systems – Some Very Rough Numbers
The majority of issues I documented in 2007 were related to image parsing, Bluetooth, VoIP or SMS/MMS. Semi-recently we've still been haunted a little bit by SMS (2009) and the protocols that run on top (2010), but it has got better. The big growth in vulnerability numbers on mobile is COTS technologies ported to mobile such as operating systems, web and complex file parsing technology. In addition, the baseband security revolution has firmly taken hold due to German ingenuity and doggedness. A revolution I suspect we can expect to run for at least another decade. We knew at the time, conceptually at least, the risk of GSM and other bearer protocol based attacks. Thanks to the Internet (as the Symantec version of the blog post has its image broken) I've managed to recover the old mobile attack surface diagram I produced at the time.
[Image: 2007 mobile attack surface diagram - original (c) Symantec Corporation 2007]
If we look at that diagram, not much has really changed when we consider the modern mobile device attack surface. I do remember in 2007 the lack of active attacks did create business hurdles to get anything done in terms of being pro-active with defences. The reason for these hurdles? Economics! Without attacks users won't pay for or demand protection - a frustrating business reality when you can see what'll end up happening.
Windows CE/Mobile Rootkits
We didn't predict mass rootkit annihilation, but we did get to do some research around them. Lots of platforms have subsequently had numerous tiny (yes tiny - not near apocalyptic meltdown as some quarters of the press would have you believe) 'malicious code problems'. However, there is now a massive ace up the industry's sleeve before it runs away with itself and gets out of control. App Stores, Worlds, Market Places, Bazaars. These centralized application distribution models are going to be the places these malicious applications will be caught, and not AV on your phone. Yes, some will slip through, security companies will make lots of noise, but these distribution points have the ability to kill anything they've allowed to be installed by accident. Also, if you think Google is naive enough to not integrate the VxClass technology they acquired from Zynamics into Google Apps Marketplace then I'm a rubber duck!
Anyway, that's it for the reflection on the year that was 2007 in mobile security from my perspective. What we knew in 2007 (and before) is still true 5 years later. So keep calm and carry on and be assured we'll get there in the end...