The meteoric rise in the smartphone market is creating a dangerous vulnerability in smartphone security—one that may not be patched until the problem expands into what has been dubbed an “apocalypse.”
Dan Auerbach, a staff technologist at the Electronics Frontier Foundation, points to outdated encryption standards and the inherent vulnerabilities of the baseband processor found on modern smartphones as the makings for a security hole through which users can be exploited at large.
The situation is similar to the PC boom of the late 1990s, Auerbach says. Just as PCs were designed to communicate freely with any and all network elements at the time, the baseband processors found on many of today’s smartphones interact with any base station with which they come into contact.
At the same time, “the cost of having portable base stations has decreased quite a bit,” Auerbach says. This has already enabled some police-state government agencies to create false base stations to monitor cellphone communications, he added.
“So you have just kind of a fake base station, and then you get a user’s cellphone to interact with that instead of the real base station,” Auerbach says.
This idea is known as the “baseband apocalypse,” and it is nothing new. At last year’s Black Hat DC Conference, security researcher Ralf-Philipp Weinmann presented the vulnerability and warned that new open source tools for establishing mobile base stations will make smartphones easier to exploit than in the past, when the code for base stations was retained by the service providers that managed them.
What’s scarier, though, is that smartphone developers since have focused on features like user interface and screen resolution, as opposed to fixing a fundamental vulnerability that has been public knowledge for at least the past 16 months, Auerbach says. The Global System for Mobile Communications (GSM) standard for 3G cellphones still employs the A5/1 encryption algorithm, which Auerbach says is “incredibly broken” and “basically worthless.” Indeed, the industry has been aware of an attack against A5/1 that can intercept voice and text communications since 2009.
“So, in light of that, controlling the base station and the network elements really does give you access to users’ communications,” Auerbach says.
Another similarity between the mobile industry of today and the PC security outlook at the turn of the century is that OEMs and mobile carriers have no incentive to secure this vulnerability during the product development life cycle, Auerbach says. The faster smartphones are developed and pushed out to market, the more money companies like Qualcomm and Apple stand to make. With the way the smartphone market has grown lately, they likely won’t be slowing down any time soon—a recent IDC report showed 42.5 percent year-over-year growth in worldwide smartphone shipments in the first quarter of 2012.
Although he says he does not know the exact cost it would entail, Auerbach believes that “it would be significant to overhaul the encryption that’s used.” As long as OEMs and carriers aren’t feeling any pressure to make such a significant change, they will continue pushing more smartphones through the assembly line as is.
Herein lies the difference in security for smartphones and PCs. Just over a decade ago, then Microsoft CEO Bill Gates wrote a memo to the company’s employees that set off the industry-changing Trustworthy Computing initiative. From 2000 to 2003, the number of Internet users across the globe nearly doubled, from 389 million to 759 million, and a large-enough security threat could affect roughly 12 percent of the world population. With numbers this staggering, Gates was compelled to ensure Microsoft “customers will always be able to rely on these systems to be available and to secure their information.”
Ten years and 1.5 billion new web users later, Trustworthy Computing seems to have made a difference. Microsoft has since come up with the Security Development Lifecycle, for example, to instill security and privacy considerations before new products come to market.
Whether the mobile industry will receive a similar call to arms remains to be seen, but Auerbach, for one, is less than optimistic. Because the smartphone market is not showing any signs of becoming as monopolized as the PC market was in 2002, Auerbach says any federal legislation aimed at improving cybersecurity, such as CISPA or the SECURE IT Act, “should at least be thinking about incentivizing companies to care about security.” So far, partially because lawmakers are unaware of these threats and partially because those tasked with educating them have their own agenda, solutions to that problem are “nowhere to be found,” Auerbach says.
“I think, unfortunately, members of Congress are not very educated about real security issues and real problems, and instead they are taking their cues from interested parties, for example the intelligence community, as to what needs to get passed,” Auerbach says. “Unfortunately, the result is that the legislation is not focused on the relevant issues, such as mobile, and instead it tends to become blanket legislation.”
An increase in user education about the privacy and security issues with their smartphones could help the problem, as could improvements in sharing information about and patching newly discovered mobile software vulnerabilities, Auerbach says. However, OEMs and carriers are unlikely to respond until they have to, after a major security issue puts their customers directly at risk, he says.
“Unfortunately, it might be the case where it will require some sort of big, newsworthy event where users’ privacy is compromised in a big way,” Auerbach says. “I hope that’s not the case. I hope that we can kind of improve security without that, but unfortunately I think it’s going to take a lot of press coverage to get mobile platform vendors and manufacturers to really start caring about this issue.”
[Colin Neagle covers emerging technologies, privacy and enterprise mobility for Network World.]