Citing a near tripling in the number of malicious software programs aimed at mobile devices in less than a year, a Congressional report is recommending the FCC and other federal agencies take a greater role in urging private industry to develop stronger mobile security safeguards.
Cyber criminals are taking increasing advantage of inherent weaknesses in mobile devices and the applications that run on them, said Gregory Wilshusen, director of information security issues for the Government Accountability Office, an investigative arm of Congress.
Wilshusen, who oversaw the just-released report, said that in less than a year, the number of variants of malware programs has risen from about 14,000 to 40,000, or about 185%, according to figures supplied by Juniper Networks. These threats and attacks exploit vulnerabilities in the design and configuration of mobile devices, as well as the ways consumers use them.
• Software downloads. Malicious applications may be disguised as a game, device patch, or utility that unsuspecting users download, giving unauthorized users the means to gain use of mobile devices and access to private information or system resources on them.
• Visiting a malicious website. Malicious websites may automatically download malware to a mobile device when a user visits. In some cases, the user must take action (such as clicking on a hyperlink) to download the application, while in other cases the application may download automatically.
• Direct attack through the communication network. Rather than targeting the mobile device itself, some attacks try to intercept communications to and from the device in order to gain unauthorized use of mobile devices and access to sensitive information.
• Physical attacks. Unauthorized individuals may gain possession of lost or stolen devices, use them without authorization, and access sensitive information stored on them.
GAO investigators interviewed representatives from mobile device manufacturers, operating system and application developers, and wireless carriers in exploring possible response measures.
Among other steps, GAO concluded that mobile device manufacturers and wireless carriers can implement a number of technical features, such as enabling passwords and encryption as soon as users begin using mobile devices, to limit or prevent attacks, Wilshusen said at a forum on teleworking in Washington Tuesday.
In addition, consumers can adopt practices often used with personal computers, but often ignored on mobile devices, such as setting passwords, installing software to combat malware, and limiting the use of public wireless connections for sensitive transactions, which also can significantly mitigate the risk that their devices will be compromised.
Jean-Paul Bergeaux, chief technology officer of SwishData, is among many in industry who said one of the core challenges industry faces is that there isn’t a practical mechanism today to ensure that applications comply with common security standards.
While federal agencies are not responsible for ensuring the security of individual mobile devices, several agencies are involved in activities designed to address and promote cybersecurity and mobile security in general, the GAO report said. Among them: the Federal Communications Commission, Department of Commerce, National Institute of Standards and Technology, National Telecommunications and Information Administration (NTIA), the Department of Homeland Security, and even the Department of Defense.
The FCC plays perhaps the largest potential role in mobile security issues because of its broad authority to regulate interstate and international communications. The FCC has also established a federal advisory committee, called the Communications, Security, Reliability, and Interoperability Council, to provide recommendations for improving secure and reliable communications systems.
Although the Federal Communications Commission (FCC) has facilitated public-private coordination to address specific challenges such as cellphone theft, it has not yet taken similar steps to encourage device manufacturers and wireless carriers to implement a more complete industry baseline of mobile security safeguards, the report found.
The GAO report made two other recommendations:
To help mitigate vulnerabilities in mobile devices, the chairman of the Federal Communications Commission should continue to work with wireless carriers and device manufacturers on implementing cybersecurity best practices by encouraging them to implement a complete industry baseline of mobile security safeguards based on commonly accepted security features and practices.
To determine whether the National Initiative for Cybersecurity Education (NICE) is having a beneficial effect in enhancing consumer awareness of mobile security issues, the Secretary of Homeland Security, in collaboration with the Secretary of Commerce, should establish a baseline measure of consumer awareness and behavior related to mobile security.