Cell phones, other wireless devices next big cybersecurity targets

Mobile computing products are the source of a "coming tsunami of insecurity" as hackers develop ways to exploit the airwaves and their applications, security expert says.

Cell phones and other mobile devices that provide access to the Internet will be the source of a "tsunami of insecurity" that will leave computer networks vulnerable to cyberattacks because manufacturers have not considered protecting the equipment, security professionals told Congress on Wednesday.

Concern over the vulnerabilities has increased as more users worldwide shift to mobile devices in favor of desktop and laptop computers. More than 3.5 billion cell phones are now in use, vastly outnumbering traditional Internet users, said Seymour Goodman, professor of international affairs and computing at the Georgia Institute of Technology. He predicted that within the next five to 10 years, powerful mobile devices could supplant desktop and laptop computers as the primary form of access to the Internet.

"The ubiquitous spread of cell phones and other small, increasingly powerful computers with wireless connections is likely to result in unprecedented opportunities for criminals, hackers, terrorists, industrial spies [and] foreign intelligence agencies," he told the House Subcommittee on Research and Science Education.

Alan Paller, director of research at the security SANS Institute, a cybersecurity research and education group in Bethesda, Md., said mobile devices could become a target for hackers, although computer networks remain the subject for traditional cyberattacks. "It's true that we all carry these devices, and I see a rapidly increasing number of attacks against these devices, particularly to make them zombies to complement the PC bots," which spam or send viruses to other computers on the Internet, he said.

Goodman argued that mobile computing devices contain the same vulnerabilities as laptops and desktops, but they also contain other vulnerabilities such as using airwaves instead of wires to connect to the Internet, denial of services attacks specifically designed for wireless devices and new custom financial applications like digital wallets and pocket ATMs that are particularly attractive to hackers.

But manufacturers avoid incorporating security functions because they use up the devices' limited battery power, he said.

"Everyone thinks it's not their problem -- individuals or industry," said subcommittee Chairman Daniel Lipinski, D-Ill., who noted that Microsoft issued updates to fix 31 vulnerabilities in its software applications this week. "How do we better incentivize these companies" to better secure mobile devices?

Stricter regulations also may be necessary, Goodman said. "For a variety of reasons, cybersecurity has not been taken as seriously as it should be," he said. "It has not been a major design consideration, and when things go wrong, no one faces consequences. I am a believer that some requirement needs to be made on those in the best position to mitigate risk, and that may require regulation such as heightened liability [for product manufacturers]. Too much responsibility is pushed on the end user, and we are increasingly incapable of defending ourselves."