U.K. government split over mobile threat

Published 28 April 2008

U.K. agencies divided over the scope and imminence of wireless systems which control the nation’s critical infrastructure

The U.K. government organization which provides security advice to
organizations that operate critical national infrastructure has said it is
“very concerned” about possible attacks launched using mobile
devices. The Center for the Protection of Critical National Infrastructure
(CPNI) claims organizations in the U.K. critical infrastructure, which includes
power utility companies, health, and financial services, face possible attacks
launched en masse from compromised mobile phones. “We are very concerned about
the effects of mobilization,”
Andrew Powell, manager of advice delivery at CPNI, told ZDNet.co.uk.
“There’s a range of devices being connected to the internet which have
differing levels of security.” Powell said that while the CPNI had
“yet to see a successful mobile-phone virus,” it expected one would
come due to “the flat memory structure of mobile phones”. In a flat
memory structure, the CPU uses linear addressing, and memory is not segmented,
which Powell claimed would make it easier to attack the devices. CPNI said
there was a danger of distributed denial of service and targeted virus attacks
against critical infrastructure organizations from a “botnet” or
compromised network of mobile devices. “This is an underdeveloped attack
vector, and one which the community and vendors need to work to secure,”
said Powell, who added that VoIP telephony was less of a threat due to
“reasonable standards.”

A security expert source from the Cabinet Office, who did not want to be
named, said the likelihood of a
successful mobile device attack was being overplayed by CPNI. “If we only
listened to CPNI comments we would be wondering why the world hadn’t ended
yet,” the source told ZDNet.co.uk. “We’ve seen some attacks,
like the Australian kid [in the year 2000] who opened up the sewerage outlet,
but not much [from mobiles]. You try bringing down the traffic light network,
which runs on SMTP. You hack into it, and see if you know what’s going on.
Nothing’s labeled.” The source added that hackers could cause
“general mischief,” but would find it hard to cause “specific
mischief.” This did not mean other information security threats to CPNI
were not serious. “The flipside is that some of the router-based botnets
have had a phenomenal impact,” the source added. “Code Red brought
down the Bank of America ATM network — the code was unbelievably virulent, and
somewhere the ATMs were connected to the outside world.”