Government split over mobile threat

Summary: While one government agency has warned that mobile devices could be used to cripple critical infrastructure, another has downplayed the likelihood of a successful attack

The government organisation that provides security advice to organisations that operate critical national infrastructure has said it is "very concerned" about possible attacks launched using mobile devices.

The Centre for the Protection of Critical National Infrastructure (CPNI) claims organisations in the UK critical infrastructure, which includes power utility companies, health, and financial services, face possible attacks launched en masse from compromised mobile phones.

"We are very concerned about the effects of mobilisation," Andrew Powell, manager of advice delivery at CPNI, told ZDNet.co.uk at Infosecurity Europe 2008 on Thursday. "There's a range of devices being connected to the internet which have differing levels of security."

Powell said that while the CPNI had "yet to see a successful mobile-phone virus," it expected one would come due to "the flat memory structure of mobile phones". In a flat memory structure, the CPU uses linear addressing, and memory is not segmented, which Powell claimed would make it easier to attack the devices.

CPNI said there was a danger of distributed denial of service and targeted virus attacks against critical infrastructure organisations from a "botnet" or compromised network of mobile devices.

"This is an underdeveloped attack vector, and one which the community and vendors need to work to secure," said Powell, who added that VoIP telephony was less of a threat due to "reasonable standards."

However, a security expert source from the Cabinet Office, who did not want to be named, said the likelihood of a successful mobile device attack was being overplayed by CPNI.

"If we only listened to CPNI comments we would be wondering why the world hadn't ended yet," the source told ZDNet.co.uk. "We've seen some attacks, like the Australian kid [in the year 2000] who opened up the sewerage outlet, but not much [from mobiles]. You try bringing down the traffic light network, which runs on SMTP. You hack into it, and see if you know what's going on. Nothing's labelled."

The source added that hackers could cause "general mischief", but would find it hard to cause "specific mischief". However, this did not mean other information security threats to CPNI weren't serious.

"The flipside is that some of the router-based botnets have had a phenomenal impact," the source added. "Code Red brought down the Bank of America ATM network — the code was unbelievably virulent, and somewhere the ATMs were connected to the outside world."

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...
