by Markus Jakobsson
Security

Free iPhones … then what?

July 16, 2008, 04:15 PM

Consider a world in which increasingly advanced and impressive consumer electronics are free to the consumer. For example, the electronics might be subsidized by service providers in the business of understanding consumer behavior – purchase preferences, location, activities – in order to provide better search, advertising and fraud detection. It is not so hard to believe that we will be there in just a few years. Then what?

The assumption that hardware is free – or remarkably inexpensive – immediately leads to an interesting but undesirable situation. Consumers will become less risk averse, having nothing to lose by not being careful. They will be increasingly willing to install and run just any application. So what if they unwittingly install a terrible Trojan? What would their reaction be? Maybe “No problem, I have a backup.” Or perhaps “Big deal, I’ll get a new phone.” Is this so bad? The problem gets taken care of, and the consumer is one experience wiser, and who suffered? Nobody, you say? Not so.

If phones are more prone to being infected by crimeware, and if at any point in time an increasing number of phones were to be infected, what would be the consequences? Here is one: There are very clear trends in Internet fraud, pointing to the increased risk posed by botnets -- large numbers of compromised computers. These are computers under the control of an aggressor who may use them to blackmail large organizations, paralyze governments, and host fraudulent applications that collect user credentials on a large scale. Not to mention spamming you and me, of course. But what makes phones more desirable targets to criminals than traditional computers are? First of all, there are more of them. Recent statistics suggest that there are already more phones than people in as many as thirty countries! Second, phones are almost always connected. Accessible, available. Maybe not to send or receive huge documents, but that is not necessary to wreak havoc. And finally, phones are very much social enablers, and may be easier to corrupt than regular computers as a result. You got a funny little movie sent over by your friend? You probably will watch it while you wait in line at the supermarket. But what if it really was not from your friend, but from the crimeware residing on your friend’s phone? That’s really too bad. For you. Now, you have it, too, or your phone does, at least. A recent academic study suggests that more than 50% of people would be willing to run an executable endorsed by a friend -- this corresponds to the potential for a catastrophic epidemic just waiting to happen.

So, to take a step back and look at the big picture, the problem is as follows: If smartphones become much less expensive, then consumer attitudes towards security might change -- at the same time as the market penetration of these devices increases dramatically. As a result, the pressure from crimeware would increase while the defenses may not keep pace. Apart from resulting in a large number of infected phones, there would be secondary effects due to what these infected phones could be commanded to do -- to monetize the attacker’s presence. We all would suffer.

Clearly, something has to be done, and it might involve drastic changes in how we manage information and access. And it all starts with the question: "Free iPhones … then what?" What are the other possible scenarios, and what would be their implications? It is time for us to start thinking about the security consequences of seemingly trivial trends -- before it is too late!

Comments

Good insights. The problem I see is: The syllabuses of the current education in computer science have not covered enough materials on mobile computing, making it more difficult to mitigate this threat.

Liu,

I do not see this as an educational issue. This is about industry preparedness, and a willingness to deal with problems that have not arisen. It is a matter of how to anticipate trends, and the importance of doing it.

Markus