Apple, AT&T, and the dangerous future of smartphone viruses

Apple says it will patch the iPhone security flaw that was revealed July 30 at the Black Hat Internet security conference in Las Vegas. TUAW, a popular Apple rumor source, noted that all carriers are likely watching this development closely. That's good news. Google told BusinessWeek it has already patched the hole, and Microsoft is investigating.

What's not such good news is that it took massive amounts of media coverage to prod the phone makers into action. Because smartphone security and reliability is a very different game than PC security and reliability.
Why? Because the cellphone is a lifeline to an increasingly large chunk of America. When a child is hurt, nobody whips out a laptop to call 911. When a plane crashes into the Hudson, nobody snaps shots with an embedded PC video camera. When a terrorist attack is in progress, nobody texts a warning from a 15-inch laptop. The difference in usage profiles demands different levels of seriousness and commitments with regard to security and reliability. Apple, Google, Microsoft, and cellphone carriers -- get used to a world where your failures and security failings are both more public and painful, but also potentially vastly more serious.

Smartphones are rapidly becoming PC replacements for leading-edge technology consumers; penetration in the U.S., by some estimates, is already 20 percent. "One-device-to-rule-them-all" advocates envision a day when we will all plug our smartphones into workstations with monitors and keyboards, rather than juggle iPhones, laptops, netbooks, and desktops. They may be only partially right, but they're at least correct to assume that the smartphone will soon play a far greater role in communications.

With that role will come new responsibilities for both handset makers and for mobile-network operators. Handset operating systems and mobile networks both represent potential points of attack. And as smartphones gain processing power, the ability of devices these to rapidly propagate viruses, Trojan horses, and denial-of-service attacks grows, too. The iPhone has a 600mhz processor that only five years ago or so would have been a respectable laptop processor. The wireless broadband networks in place are also significantly faster than their predecessors. And the next generation of 4G networks promises to double or triple the speeds of today's 3G networks.

Aside from speed, there's also the double-edged sword of more open smartphones. In the past, cellphone operating systems were thoroughly locked down. It was very hard to corrupt them. But part and parcel of allowing outside applications to run on smartphones is a new openness. Phone makers must expose larger portions of the software that powers these devices to the developer community. That openess translates into greatly enhanced functionality but also greatly enhanced vulnerability.

Unlike much of the existing PC-based computer infrastructure, the smartphone ecosystem has few of the security precautions in place; I don't know many smartphone users who run antivirus software. I'm certain that AT&T and Apple both have security systems and personnel monitoring what's happening on these devices.

What remains unclear is whether these precautions are set up to deal with real-time threats. The researchers who pointed out the iPhone vulnerability said they had submitted their findings to Apple weeks earlier but had gotten no response. Perhaps Apple judged the security hole to be minor and opted to ignore the researchers. Perhaps the researchers are just really, really good at making a big splash. (They do get paid for this type of work, after all.) Or perhaps Apple was working all along on a fix and only got it straight now. In the end, the phones will be patched.

Until the next time, when there might not be a warning, and millions of phones go dead at the same time. Good luck calling tech support when that happens. And too bad you cancelled your landline, oh, three years ago, and all the phone booths have dissappeared from street corners. New game, new rules, folks.
Read Full Story