Government split over mobile threat

While one government agency has warned that mobile devices could be used to cripple critical infrastructure, another has downplayed the likelihood of a successful attack
Written by Tom Espiner, Contributor

The government organisation that provides security advice to organisations that operate critical national infrastructure has said it is "very concerned" about possible attacks launched using mobile devices.

The Centre for the Protection of Critical National Infrastructure (CPNI) claims organisations in the UK critical infrastructure, which includes power utility companies, health, and financial services, face possible attacks launched en masse from compromised mobile phones.

"We are very concerned about the effects of mobilisation," Andrew Powell, manager of advice delivery at CPNI, told ZDNet.co.uk at Infosecurity Europe 2008 on Thursday. "There's a range of devices being connected to the internet which have differing levels of security."

Powell said that while the CPNI had "yet to see a successful mobile-phone virus," it expected one would come due to "the flat memory structure of mobile phones". In a flat memory structure, the CPU uses linear addressing, and memory is not segmented, which Powell claimed would make it easier to attack the devices.

CPNI said there was a danger of distributed denial of service and targeted virus attacks against critical infrastructure organisations from a "botnet" or compromised network of mobile devices.

"This is an underdeveloped attack vector, and one which the community and vendors need to work to secure," said Powell, who added that VoIP telephony was less of a threat due to "reasonable standards."

However, a security expert source from the Cabinet Office, who did not want to be named, said the likelihood of a successful mobile device attack was being overplayed by CPNI.

"If we only listened to CPNI comments we would be wondering why the world hadn't ended yet," the source told ZDNet.co.uk. "We've seen some attacks, like the Australian kid [in the year 2000] who opened up the sewerage outlet, but not much [from mobiles]. You try bringing down the traffic light network, which runs on SMTP. You hack into it, and see if you know what's going on. Nothing's labelled."

The source added that hackers could cause "general mischief", but would find it hard to cause "specific mischief". However, the source said this did not mean other information security threats to CPNI weren't serious.

"The flipside is that some of the router-based botnets have had a phenomenal impact," the source added. "Code Red brought down the Bank of America ATM network — the code was unbelievably virulent, and somewhere the ATMs were connected to the outside world."
