Friday, March 03, 2006

Dean Bubley: Firewalls and antivirus on dual-mode phones?

Dean Bubley at his Disruptive Wireless blog writes about the security implications for dual-mode phones. He notes a lot of the current focus (and hype) is centered around anti-virus, and points out recent viruses that can infect handsets via a variety of methods such as USB to PC, Bluetooth, "WAP initiated via circuit-switching and so on." Bubley then states:

Now consider what happens when phones have "native IP" connections. Like WiFi, for example. Couple this with an expanding number of bits of software on the phone that can download and execute new functionality - the OS, Java, maybe XML or JavaScript in the browser. Even MMS has been discussed as a possible "vector". Yes, there are various signing and certification programmes intending to lock down the software added to the phone... but will these programmes be able to catch all the malware? And yes, BREW is a "managed" application environment - but maybe loopholes exist?

Bubley thinks there are a lot of questions to be answered, such as whether to manage security on the handset, centrally or both. He believes that "over time, the uncertainties will grow. And these uncertainties will be multiplied by a 'wireless IP' connection, especially one hooked into a customer's broadband at home." He ends with:

I see firewalls and anti-virus becoming mandatory on WiFi-enabled cellphones, in particular. The FMCA already recommends this, and discussions I've had with carriers indicate that they are moving towards the same position - although some seem happy that basic non-smartphone UMA phones are "immune". I wonder what their thoughts are, now that Java virus has been spotted?

Well, it could be argued that featurephones are more secure, so maybe not. But now it looks like some featurephones may be vulnerable anyway, because of Java, MMS, browser, etc., which can also support malware. But if you want to add firewall/AV, it will probably need a smartphone OS, or maybe some other multitasking embedded platform...