The first ever computer virus spread by mobile phones was discovered by anti-virus firms back in June 2004. The discovery led to the prospect of phones and PDAs being attacked, with hackers potentially taking over phones and racking up massive bills for their unsuspecting device owners. Mayhem could ensue – how would anyone again have confidence that a hacker wasn’t listening in to their potentially sensitive business and personal calls?
In the end though, it turned out that it wasn’t hackers that were to fear, but users. Not only do mobile viruses still require the user’s help to do any damage, but it is simply the loss of mobile devices that is most likely to leave a company exposed. One survey found that in the six months to September 2008, 60,000 mobile phones were left in London taxis, along with 6,193 other handheld devices such as laptops, iPods and memory sticks.
While most of those devices are eventually returned to their rightful owners, the potential damage caused by the loss of sensitive or confidential information is simply too great for companies to ignore.
Modern mobile devices have the capacity to store as much as 10,000 Word documents, 11,000 pictures, 500,000 contact details or an amazing 1.1 million emails. Technologies and strategies for ensuring that this data doesn’t fall into the wrong hands is at the top of the wish-list when it comes to companies’ mobile strategies.
The birth of the mobile virus
The first ever computer virus spread by mobile phones was discovered in June 2004. The worm, known as Cabir, infected phones and devices running the Symbian operating system. It turned out to be fairly harmless, but it offered proof that mobile devices were not completely safe from the hackers.
At the time, the anti-virus firms were divided on whether it would open the floodgates to similar viruses. “It is a milestone in the timeline of viruses but technically is not that special,” said Graham Cluley, senior technology consultant at Sophos.
But as F-Secure’s UK manager Matt Piercy told the BBC at the time, “People need to take this seriously and in the same way as we protect our PCs, we need to protect our mobile phones.”
Content from our partners
Then in March 2005, another mobile virus broke cover that once again had observers in something of a panic. While earlier viruses in the mobile space had spread via Bluetooth – which meant that you had to be within about 30 metres of a device infected with the virus, have Bluetooth switched on, and accept the download of a file that your own device would have warned was ‘unknown’ – Commwarrior could replicate itself via multimedia messaging service (MMS).
That meant that Commwarrior could potentially spread as quickly as an email worm. MMS messages are text messages that include an image, audio or video; they are sent from one phone to another via email.
But while Commwarrior didn’t turn into an epidemic as some had predicted, it was enough to cause network operators to see protection from viruses and other harmful content as an important part of their service to mobile users — especially business users.
Orange, for example, did a deal with F-Secure, to provide that firm’s Mobile Anti-Virus service to Orange customers. Using of an innovative update system via the mobile network, Orange and F-Secure could now offer a simple and effective solution, ensuring that all Orange UK’s smartphone users now had the possibility to protect their phones against harmful content.
Phil Iley, head of product management at Orange, said at the time: “As handsets have become more advanced and open to meet customer needs, both the sophistication and proliferation of the mobile viruses has become an issue. Having witnessed a growing number of cases on our network we worked with F-Secure to be the first operator to proactively offer mobile virus protection — enabling our customers to protect information stored on their smartphones.”
Risto Siilasmaa, president and CEO of F-Secure, added: “I am convinced that a subscription-based security service is the way forward for mobile operators and their customers in avoiding the kinds of problems we see today in the PC world.”
Over-rated?
Yet while mobile phone viruses such as Commwarrior could have unpleasant consequences for those who install them, all mobile viruses are dependent upon the ‘help’ of users to execute – at least so far.
Indeed a look at mobile malware shows it may prove less of an immediate threat than many initially feared. As the process cannot be automated from end-to-end, social engineering is still a vital component of the mobile virus, and it is this that prevents an explosion in the spread of mobile malware.
This is as opposed to the client-server world, where there is far more common ground. Take Microsoft Windows as an example: a virus written for Windows can attack an enormous chunk of the desktop and laptop populace. In the mobile arena however, there are far more platforms: Windows Mobile, PalmOS, Research in Motion’s Java operating system, Symbian, Google Android, phone manufacturer-specific OSes and more. So it’s harder to imagine the rapid spread of a genuinely dangerous virus in the mobile sphere.
Although specific systems can be attacked, as shown by Commwarrior’s exposure of a Symbian vulnerability, this is far from the automated, zero-day onslaught feared in the broader IT world.
This does not mean that we should dismiss the potential risk of mobile viruses. The threat is lower, but it is still important that users are well educated about the potential risks, especially because mobile viruses need some kind of user authorisation to infect the device and propagate further.
User ‘error’
But a far greater risk from mobiles is posed by their owners themselves: users are far more likely to lose a phone, smartphone or PDA than say, a laptop. And with today’s devices storing up to a million emails or hundreds of thousands of contacts, an organisation’s most valuable customer list, patient records or confidential blueprints could all be on just one employee’s device.
Again, both network operators and a number of standalone technology vendors have had to step up to the plate, by giving those responsible for managing a fleet of mobile devices the necessary tools to prevent lost devices causing serious damage to the company’s business and indeed its reputation.
One of the leaders in this space, at least when it comes to managing and securing heterogeneous devices, is a subsidiary of Sybase called iAnywhere. Its flagship mobile device management and security technology is called Afaria, which is part of the Sybase Information Anywhere Suite.
Announcing version 6.0 of the Afaria technology recently, the firm said it now includes a relay server architecture, which works across multiple Information Anywhere Suite components to offer highly-secure communications for data synchronization and mobile device management functions.
It also upped Afaria’s device security capabilities, through new mobile device port controls, and introduced several new features focused on reducing IT administration costs, including a new policy-based device management capability, support for Open Mobile Alliance Client Provisioning (OMA CP), and a local password recovery feature.
“We have been working with Sybase iAnywhere on Afaria 6.0 testing and have had an extremely positive experience with the new relay server architecture and its enhanced secure connectivity to our network infrastructure,” said Samuel Lee, IT manager for Jazz Pharmaceuticals. “Also, their profile based management console effectively streamlines device management tasks for both IT and the end-user.”
Joe Owen, VP of engineering at Sybase iAnywhere noted that, “Afaria 6.0 is focused on reducing IT costs, which is one of the most pressing issues facing enterprises today. The new policy-based administrative model, the OMA client provisioning capabilities and the local password recovery feature all work to drive down mobile device management costs.”
On the network operator side, Orange UK recently announced the launch of its Device Management service, which it says enables businesses to effectively manage their employees’ mobile devices in-house, without having to bring them into the office or contact customer services.
Security in the cloud
Orange Device Management is a hosted offering that enables companies to remotely manage their device fleet, with IT managers able to send updates, troubleshoot, and even lock or wipe devices over the air. It requires no back end server and is said to be simple to set up and get running, making it ideal for small to medium sized firms that may lack some of the in-house IT skills of larger enterprises.
Anthony Keyworth, director of business products at Orange Business Services UK, said: “With business mobile needs constantly evolving, it is becoming increasingly important for organisations to be able to manage their device fleet in a cost-effective and time efficient way. Orange Device Management helps increase the productivity of the mobile workforce, as well as providing businesses with greater security for their data.”
Orange claimed its Device Management service will enable businesses to make better and more efficient use of their assets. Applications no longer need to remain dormant or out of date, as IT managers can send the latest software versions directly to employees’ devices. Organisations are also able to reduce the amount of time spent on support, as device problems can be diagnosed and rectified over the air.
Orange Device Management is claimed to give organisations the peace of mind that their information is secure. Security features include: the ability to remotely enforce password policies; lock Bluetooth and camera functionality; wipe data from a device with a personalised message explaining where the device should be returned should it be lost; alarm unauthorised applications by sending an email to an assigned IT manager and remove unauthorised software; and create logs of all activity performed on the device.
Research in Motion (RIM) and Microsoft also have rich mobile device management (MDM) tools, albeit for their own devices or platforms rather than supporting the heterogeneity of devices that many companies will experience. Mformation is another big name in mobile device management, supplying its technology to mobile operators around the world, while MobilityWare does MDM for both Palm and Windows Mobile devices.
Meanwhile if proof were needed of the importance of MDM to business buyers, one need only look as far as Apple’s attempts to peddle the iPhone as suitable for enterprise buyers: the second generation iPhone Software includes not just support for Microsoft Exchange ActiveSync but certificates and identities, enforced security policies, more virtual private network (VPN) protocols, device configuration and even remote wipe.
CBR Opinion
Ultimately, it’s almost impossible to stop one of your employees, or indeed your CEO, from adding their name to the other 120,000 who leave their mobile devices behind when they step out of a London taxi. But with a little education and some effective mobile device management tools and policies in place, it should be possible to prevent that mishap turning into a corporate disaster.
