Hackers Fail to Compromise Smartphones…For Now

Each March, TippingPoint, the intrusion prevention arm of 3Com, sponsors a contest called PWN2OWN designed to discover and exploit security vulnerabilities of computers and software. This year they expanded the field to include vulnerabilities of smartphones. The good news is that none of the five targeted smartphones was compromised in the effort. How is that possible with some of the smartest minds trying to crack them?



That's not to say that smartphones aren't vulnerable and never will be compromised, just that they present a target that is more difficult to hit. There are essentially five distinct groups of such devices on the market today distinguished by the operating system (OS) that they use. They are the Apple iPhone which uses Mac OS-X, BlackBerry phones which use the proprietary BlackBerry Handheld Software, Google Android which is currently only available on the T-Mobile G1 but is certain to expand rapidly, and Windows Mobile and Symbian operating systems which are used on a wide variety of smartphone platforms.

In addition to the OS differences, each mobile carrier also makes modifications to the software that enable and disable capabilities to meet their specific requirements. Combine that with limited processor power and memory availability when compared to a computer and you've got a more challenging ecosystem for would-be bad guys. That's not to say, however, that smartphones won't eventually fall victim to the same sort malevolent activities that have become all too common on computers.

While it may be a commonly held belief that people who try to discover security flaws in programs are a bunch of malicious hackers, the large majority of such individuals who pursue these efforts are actually trying to stay a step ahead of the bad guys and prevent problems. TippingPoint sponsors a program called the Zero Day Initiative which encourages security researchers to submit vulnerabilities they've discovered. TippingPoint validates the problem and offers monetary rewards to researchers that discover valid vulnerabilities. TippingPoint develops Intrusion Prevention Systems (IPS) protection and notifies the affected vendor so that security patches can be created.

In general, hackers aim to install programming referred to as "arbitrary code" onto a targeted device. Arbitrary code allows the hacker to then control the device for his own unsavory purposes such as stealing information, damaging or destroying files, or denying access to service by the rightful user. Hackers can do the most damage when they gain high level access such as administrator rights. Ultimately, they seek to control the underlying kernel which is essentially the heart of the operating system.

This year, TippingPoint's PWN2OWN contestants failed to find a smartphone vulnerability that they could exploit. Next year's competition is likely to be a different story. They'll have had more time to prepare and some of the details regarding specific platforms, operating systems, and wireless providers will be clarified from this year's comparatively ad hoc contest scenario. In the meantime, we all need to be very careful about the things we download and the links we click...and hope that the benevolent white knight researchers find the vulnerabilities before the bad guys do.

For more information, see the mobile security review site. For more tech news, stick with the blogs:

Porting Flash onto Google Android Smartphones (G1)

Android App Shows You What's on Store Shelves

Blockbuster Moves to TiVo, Glares at Netflix

Wi-Fi Enabled Mintpad to Give iPod Touch a Run for Its Money?

Verizon Rated Best Wireless Service, Call Quality Gap Narrows Among Wireless Providers