Today, smart phones are becoming everyday devices that can serve as a planner, phone, Web browser, and small computer — an all-in-one device. Depending on what the manufacturers call the device, it can be a smart phone or a PDA phone. The industry has classified these devices based on their main function, with smart phones being a phone first and PDA second, and PDA phones being a PDA first and a phone second. This section addresses these devices as smart phones although the industry has made a clear delineation between hardware and software types. Microsoft, for example, has two main flavors of operating systems: Smart Phone OS and Pocket PC OS.
Both operating systems perform the same functions, with the only differences being that the Smart Phone OS was developed specifically for a phone and the Pocket PC OS was originally developed for handheld PDA devices and later adapted by each hardware manufacturer to incorporate phone functions.
These devices bring a slew of complexity and risk into account when using them. The first threat directly related to smart phones is the multiple connectivity options. One of these devices can use Wi-Fi, Bluetooth, and a cellular technology on the same device. When security threats come out and are directed at one of these technologies, the user must protect against each of these threats independently. This means that the user must have a higher level of knowledge and understanding about how each of these connection technologies works and is secured.
The virus threat has plagued computers since November 3, 1983, when Fred Cohen conceived the first computer virus. Today, over 20 years later, there are more than 50,000 viruses crawling the Internet. Just recently, we have started to see viruses directed at mobile devices such as smart phones or PDA phones. The virus threat was always known on these devices, although it was only related to having a mobile device carry a computer virus and then, in the process of synchronizing the mobile device to the computer, it would infect the computer with the virus. With viruses and smart phones, not only are there the issues of removing malicious code, but there is also the threat of having malicious code place calls. A virus can attack a device, infect it, and make that device place phone calls or make requests to the Internet that can cost the user money.
Some of these devices have means built directly into them to combat viruses. The Microsoft Smartphone and Pocket PC OS have the default ability to prompt the user before running any executable code. While this may protect against viruses that are sent directly to the phone, most mobile virus writers are well aware of this and have changed their method of attack. The real threat has now moved from viruses more toward Trojan horses. The mobile virus writers want to get people to accept the executable prompt, inserting the virus into a game or an application the user might want to use does this. When they press OK to the prompt, they allow the Trojan to execute and deliver its malicious payload.
Another amazing feature of some smart phones is GPS. GPS is used for a couple of things on a cellular phone or smart phone. First, a method of locating a cellular phone is needed for emergency services. This is one requirement that has put GPS on most cellular phones. GPS on cellular phones most likely is not true GPS, because true GPS does not work correctly indoors due to a line-of-sight requirement between GPS satellites and the GPS receiver. Some cellular carriers use a technology called gpsOne, which works by having the phone be capable of receiving both a GPS constellation signal and a wireless network signal. The wireless network signal is also broadcasting GPS information to the device. Once the device picks up these signals, the measurements are combined by the location server to produce an accurate position fix. Either way GPS is used on a phone, the risks remain the same.
The first risk that comes to mind is tracking. You may know that the GPS system itself could not be tracked. The only way to track a GPS receiver is for another technology such as cellular to transmit the location information. Most phones have not only GPS for emergency services, but also location-based services (LBS). Location-based services offer applications the ability to use real-time location data; this can be used to track a delivery driver or find the closest taxi driver to someone who just called in. As amazing as LBS sounds, the malicious implications as well as privacy concerns can be major issues. Luckily, some phones have the ability to disable this feature.
There have been a number of what-if scenarios discussed about the future of LBS on cell phones. The first one is as follows. An attacker could shut down cellular coverage in a given area by sending a large number of SMS messages to people who are in a given area. This is done using LBS on top of the SMS threat. Another what-if is the LBS virus threat. What if an attacker can disable, steal, or erase someone’s phone when that person is in a particular place?
Another more real-life threat relating to smart phones is the fact that most of these devices have the ability to support a direct connection to the Internet. This means that these devices are out on the hacker-plagued Internet. The real threat comes from a hacker hacking into the device.
