The ENISA botnet report presentation
At ENISA's presentation of its botnet report at eco in Cologne on 9 and 10 March, one of the slots was dedicated to threats to the mobile environment. The message I was supposed to take home was: we can still count the number of mobile viruses by hand (fewer than 600); the problem will never be the same as on a fixed network, because traffic is monitored and metered, so we detect it straight away; we are studying the problem seriously.
Are mobile operators really prepared for what is coming? I asked myself, sitting in the room at eco. Despite the reassurances we were given, I came home with some concerns. Why?
The present state
The reason I ask this question is that the lesson learned from emerging threats on fixed networks was that consumers tend to lose out the most and operators tend to gain, at least at first. Some threats generate extra traffic, and extra traffic means more revenue. The difference in 2011 may be that society at large is more aware of what is actually happening, but still: a warning and some advice never hurt anyone. So here it is.
From what I understood of F-Secure's Mikko Hypponen's presentation, cell phone viruses have so far not done much harm. His idea is that the underground economy is still testing. He also expects the threats to really take off later this year or early in 2012. However, if you google a bit, you will find information on cell phone keyloggers. Once on your phone, such a keylogger tracks everything you do: the websites you visit, your passwords, your bank and credit card data as soon as you access these services through your phone. In other words, a cell phone with Internet access may not be so safe after all. In general it is better to be safe than sorry. What goes for fixed networks also goes for mobile networks where the Internet is concerned: only click on what you know and trust.
A cell phone is a very personal device. My feeling is that receiving an email on a cell phone is even more personal than on a laptop or PC. The inclination to open it will be greater, and hence the danger more direct.
At RIPE 62 someone from Arbor Networks made a telling remark: they see a lot of infected mobile machines and the traffic they generate, but cannot tell whether the access comes from a laptop with a dongle or from a smart phone. The conclusion I drew from this remark is that cyber threats are already out there on the mobile network, even if not all forms are used on a grand scale yet.
Only a few years ago it was quite normal to hear people around you say: use this PC/laptop brand as it never has viruses, use this browser because it is safe, etc. Some of these people were true believers. They claimed that a brand was technically superior and flawless. In 2011 we know better. We know now that it is a matter of critical mass. Enough market share makes the product interesting to cyber criminals, and from that moment on its flaws are exploited to the max. The interview with Twitter's chief of security is telling. She states that the troubles for Twitter started only after they reached the 40 millionth user. We also know that cyber criminals are learning fast. The recent security breaches reported from all over the world show that their tactics are shifting from a random hail of shots (spam) to sniper tactics (spear phishing). So what is the status of critical mass and smart phones?
The fixed network has a lot of experience with spam and malware. Are there lessons learned there that mobile operators can copy straight away? Most likely, and I hope they use them. At the same time, the mobile world could ask itself whether the fight against spam and malware is a task it wants to take on individually. Sure, a better defence could be a unique selling point, but it does not seem an overly attractive selling point to the public at large. Why not declare cyber defence a neutral subject? By learning from each other and by learning together, the whole market could profit. Dutch banks, for example, have done just that concerning phishing attacks: CSOs meet regularly, a threat alarm system is in place and experiences are shared.
The near future
After the more or less soothing words in Cologne, I came home somewhat disturbed. I'm not a technician, as those who follow my blog will know by now, but still I have some thoughts about possible threats.
1. Autodialers
Around 2005 there were loads of complaints about autodialers installed on the modems of PCs that called premium rate service numbers on exotic islands in the Pacific for hours on end. People lost hundreds of euros and more to this scam. It went on for a while and then more or less vanished. At first telcos were not overly inclined to deal with the problem. After some pressure they responded more alertly, but only the mass migration to ADSL connections really killed the problem.
As far as I know, no one ever got caught. Not even top researchers like Spamhaus could detect the real end point of the PRS connection that was set up. It was not one of these small islands; I was told at the time that the traffic simply seemed to disappear into a satellite connection from New Zealand. The cross-border aspect of the money transfers, in combination with what was "only" a petty crime (siphoning off millions of euros!), probably did the rest on the enforcement side.
In a smart phone a telephony service is combined with an Internet service. So what if an autodialer is installed in the phone part through the Internet? How long before the cell phone company is alerted? How much money is charged to the end user first? On whom lies the burden of proof? How strong is the incentive to act against it diligently at first? We may not want to be reminded of this, but our providers actually make lots of money from the call. For the fixed net this was ca. 40% of the PRS call. It may actually be more for mobile, as they charge extra for the PRS connection compared with the fixed net.
2. Keyloggers
People use the cell phone more and more in everyday life, so data on financial services can be extracted by criminals by hacking the cell phone. Will the data a keylogger sends to criminals easily be detected by the cell phone provider among the other data the cell phone sends? Wouldn't this take deep packet inspection, which all providers avoid doing?
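As an added example, not part of the original post, here is the kind of operator-side check that could answer "how long before the cell phone company is alerted?": a small Python routine that scans call detail records for the autodialer signature described above, either a large cumulative premium-rate call time or repeated calls to the same premium-rate number within a rolling window. The premium-rate prefixes, thresholds and all records are constructed for the illustration; a real operator would take prefixes from its own tariff tables.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed premium-rate prefixes for this example (real tariff tables differ).
PREMIUM_PREFIXES = ("0900", "0906", "0909")

# Constructed call detail records: (subscriber, start time, dialled number,
# duration in seconds). sub-A mirrors the autodialer pattern: back-to-back
# hour-long calls to one premium-rate number; sub-C shows rapid repeat dialling.
SAMPLE_CDRS = [
    ("sub-A", "2011-05-08T23:50:00", "0612345678", 120),
    ("sub-A", "2011-05-09T00:05:00", "0900123456", 3600),
    ("sub-A", "2011-05-09T01:06:00", "0900123456", 3600),
    ("sub-A", "2011-05-09T02:07:00", "0900123456", 3600),
    ("sub-B", "2011-05-09T10:00:00", "0900987654", 240),
    ("sub-C", "2011-05-09T12:00:00", "0906111222", 60),
    ("sub-C", "2011-05-09T12:02:00", "0906111222", 60),
    ("sub-C", "2011-05-09T12:04:00", "0906111222", 60),
    ("sub-C", "2011-05-09T12:06:00", "0906111222", 60),
]

def is_premium(number, prefixes=PREMIUM_PREFIXES):
    return number.replace(" ", "").replace("-", "").startswith(prefixes)

def premium_rate_anomalies(cdrs, window_hours=24, max_seconds=1800, max_repeats=3):
    """Return {subscriber: [reasons]} for subscribers whose premium-rate calls in
    any rolling window exceed a total-duration or a repeat-call threshold."""
    window = timedelta(hours=window_hours)
    per_sub = defaultdict(list)
    for sub, start, number, secs in cdrs:
        if is_premium(number):                      # ordinary calls never count
            per_sub[sub].append((datetime.fromisoformat(start), number, secs))
    flagged = {}
    for sub, calls in sorted(per_sub.items()):
        calls.sort()
        worst_total, worst_n, worst_num = 0, 0, None
        for i, (t0, _, _) in enumerate(calls):     # one window starting at each call
            in_window = [c for c in calls[i:] if c[0] - t0 <= window]
            worst_total = max(worst_total, sum(c[2] for c in in_window))
            num, n = Counter(c[1] for c in in_window).most_common(1)[0]
            if n > worst_n:
                worst_n, worst_num = n, num
        reasons = []
        if worst_total > max_seconds:
            reasons.append(f"{worst_total}s of premium-rate calls within {window_hours}h")
        if worst_n > max_repeats:
            reasons.append(f"{worst_n} calls to {worst_num} within {window_hours}h")
        if reasons:
            flagged[sub] = reasons
    return flagged
```

Run over the constructed records it flags sub-A for total duration and sub-C for repeat dialling, while sub-B's single short premium call passes; the thresholds would be tuned per tariff class in practice.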
3. Sending spam/spreading malware
After a smart phone is infected it becomes part of a botnet. As a smart phone is almost always online, it may be of much interest to spammers. Inbound filtering is normal procedure; I think it will be close to 100% in 2011. However, outbound filtering still seems to be a different matter for some operators and hosting companies. How will they respond to large numbers of infected customers? Is the incentive for cell phone operators to mitigate botnet-related issues different from that of fixed operators?
I can even imagine other, technologically more savvy, exploits, but do not want to spread any ideas here. However, if I can think them up on a theoretical level …
4. Africa/developing countries
In developing countries a stage in telecommunications is skipped: the fixed network. People in rural areas connect to mobile networks and become dependent on their cell phone for monetary transactions as well as for information on crop prices, market news, weather conditions, etc. An unsafe mobile environment, combined with the lack of even the most rudimentary cyber defence in those countries, makes these people doubly vulnerable.
The fact is that I did not come home reassured; more like the opposite. After what I heard, I honestly wondered whether the mobile operators are prepared for the cyber challenges the criminals are going to unleash on their customers in the near future. If they are not, the end user tends to lose money and the operators their reputation. Trust in the market as a whole will go down and future applications will not be used. Mobile operators can each go and fight the challenges alone, but teaming up seems more like an option. Your adversaries do so, so why shouldn't you?
Wout de Natris, De Natris Consult
Leiderdorp, 9 May 2011