August 27, 2009

Smish out of water

The typical malware writer has gradually shifted the intent of malware from pure fame and geek curiosity to more diabolical ends. A few months ago, Kaspersky reported a trojan that can steal your money by exploiting a vulnerability in the SMS implementation on your phone. Such phishing attacks go by a new term, “smishing”. Then again, F-Secure had earlier demonstrated another vulnerability in Series 60 phones that allows a privilege escalation attack granting complete access to the underlying file system. This vulnerability has since been addressed in a firmware upgrade. Smishing attacks are not as prevalent in the United States as they are in Europe or Asia, since SMS is not the preferred way of communication here yet. This is changing though… Carriers are now including unlimited SMS plans for under $10, and this is encouraging SMS phishing. There also exist legitimate services that facilitate bulk SMS transmission.

Traditional phishing attacks can be easily identified by their broken links, non-rendering images or plain bad spelling (think Nigerian 419 emails); however, these shortcomings are not that evident on SMS. Typically the messages themselves are concise and are usually composed entirely of text. It is also relatively easy to spoof the sender name, so that the message may look like it comes from a legitimate source. This attack was recently demonstrated at the Black Hat conference, albeit on a jailbroken iPhone.

So how does one guard against this attack? Truth be told, there isn’t a single reliable way. Most legitimate brick-and-mortar companies will not use SMS to communicate with you (the exception being your carrier). If you get an SMS from your bank, utility company or even your friend soliciting any information, simply ignore it and try to reach them out of band (i.e. from another phone, by email, etc.). The cell phone industry has not developed standardized and robust protocols to guarantee the security of the SMS channel. Hopefully that will change soon.

August 26, 2009

What is this blog about?

Today’s smart phones offer as much processing power as personal computers from half a decade ago. These devices and their complementing apps offer incredible flexibility in processing and pulling information from the cloud around us, yet at the same time they expose us to new and unique attack vectors that can compromise the sensitive and often personal data resident on the phone.

Security vendors are furiously developing solutions that address this up-and-coming threat. In this blog I will discuss this exciting new frontier, which will prove to be the next battleground between the good guys and the bad.

