So says veteran vulnerability hunter and exploit writer Charlie Miller, who’s an expert at finding new and innovative ways to own people’s Android and iOS devices. At last year’s Black Hat conference in Las Vegas, for example, he demonstrated how a malicious near-field communication (NFC) tag, when brought within a few centimeters of an Android device, could be used to exploit several vulnerabilities and take control of the smartphone.
“Those are real headline-grabbers, but in the real world you don’t really see any of those [mobile] attacks,” Miller told me by phone, speaking in advance of the “Mobile Threats — Hype vs. Reality” talk he gave Thursday at the Hacker Halted conference in Atlanta. “Exploits are harder on mobile devices than on desktops — way harder,” he said. “There are many more defenses, many more ways to get caught, and it’s way harder to get people to your exploit in the first place.”
The message for businesses: Don’t spend too much time worrying about mobile threats. “Don’t completely forget it, but apportion your resources toward the actual risk in the real world, which isn’t very much,” said Miller. Accordingly, do manage and protect mobile devices, and implement and enforce related security policies. But also keep potential threats against Android, BlackBerry, iOS or Windows Phone devices in perspective.
Of course, every mobile security software vendor’s list of security predictions for the coming year — issued like clockwork every December — forecasts an unprecedented surge in the severity and quantity of attacks being launched against mobile devices. But compared to the quantity of malware being flung at Windows devices, mobile malware remains but a blip.
To date, in fact, mobile malware has done relatively little damage. “If you look at the actual attacks, there’s never been one where the primary vector of attack was mobile,” said Miller, who got his start in information security after being hired as a cryptographer for the National Security Agency, and last year joined Twitter’s security team.
Indeed, just review some of the biggest and most high-profile attacks from the last year, such as the takeover of The New York Times website by the Syrian Electronic Army, which used a spear-phishing attack against a DNS registrar. Alternatively, consider the on-again, off-again disruptions of U.S. financial services websites by the Izz ad-Din al-Qassam Cyber Fighters, a self-proclaimed Muslim hacktivist group that the U.S. government believes is a front for Iran; those attacks have involved compromising poorly secured third-party servers.
Another attack campaign, to which Apple, Facebook, Microsoft and Twitter fell victim, used a watering-hole technique and infected visitors to an iOS development site with malware, which then allowed attackers to penetrate victims’ corporate networks.
Finally, when it comes to any list of top online threats facing businesses, don’t forget crimeware toolkits, which continue to target existing vulnerabilities in PCs — most often outdated Java browser plug-ins sporting known vulnerabilities.
None of those attacks — or attack techniques — have involved an employee getting his phone owned, and businesses remain far more likely to get owned by Windows malware than by mobile malware. For example, consider this week’s warning from Microsoft that in-the-wild exploits are targeting a zero-day vulnerability that exists in all versions of Internet Explorer. According to research released by security firm Websense, close to 70% of Windows business users are susceptible to this IE zero-day exploit.
With those odds of Windows exploitation success, why bother with Android? In crime, as in other walks of life, time is money, and that’s one likely explanation for why large-scale attacks have never been seen targeting mobile devices. “There are probably 100,000 pieces of Windows malware for every piece of Android malware, and 100,000 pieces of Android malware for iOS,” Miller said.
Furthermore, even when mobile malware exists, it’s relatively difficult to get it to infect a target. “There are a few ways that a bad guy gets malware on your phone or refrigerator or something. Either it’s malware you downloaded and ran — maybe it tricked you — and the other way is through an exploit, and that requires a vulnerability in your Web browser or something,” said Miller.
Apple users — who haven’t jailbroken their device — in particular face almost no threat of having their device hacked. That’s because attackers would need to find their way past Apple’s walled-garden security model, which involves submitting apps for approval to Apple before they can be distributed via the App Store.
Most developers won’t want to bother or risk potentially burning their precious Apple developer program pass, said Miller, who himself in 2011 was excommunicated from the program for one year after he sneaked a malicious proof-of-concept iOS app past the Apple censors. “You have to pay money to get into the program, and it’s a big hassle to get kicked out — not to mention all the work you put into it is all for nothing,” he said.
Even if an attacker did manage to sneak malware into the App Store, many security researchers suspect — no one knows for sure — that like Google’s kill switch for malicious Android apps, Apple has the ability to remotely remove apps from customers’ iOS devices.
Accordingly, why would any criminal ever bother with iOS? “For example, think about comparing malware between Windows desktop and iOS,” said Miller. “On Windows, if you get someone to download an EXE and they execute it, that thing will probably be on your computer forever.”
Of course, mobile devices can be hacked. But for criminals to achieve any given nefarious goal, mobile devices simply have not been worth the effort. “For people like me who are just trying to show off, it makes sense for us to show off using the new technology,” Miller said. “But if you’re a criminal … it’s way easier to attack desktops, and you get the same result.”