When open phones meet closed minds

Opening up mobile networks and devices should go hand in hand with an overhaul of mobile security thinking

One of the discrepancies in the reputation the US has as a tech innovator is the perception that it has lagged behind Europe when it comes to mobile telephony.

The extent to which this still rings true is debatable, but US carriers' control of devices allowed onto their networks has certainly contributed to this view. As one critic said rather sarcastically about this lack of progress: "Ten years and all we have to show is ring tones." Well, the network operators have given us camera phones too, and GPS services are now beginning to appear.

However, that cynical comment about ring tones is largely accurate; indeed, the list of new innovations fostered by the current business and regulatory environment for mobile phones is a short one.

That situation is changing, as regulators come under increasing pressure to ease the tight constraints on how new and existing spectrum is used. Take the example of the Federal Communications Commission (FCC) in the US, which is opening the gate to a new generation of service providers with a wireless spectrum auction in January next year. Companies such as Google are studying whether to throw their hats into the ring for a slice of spectrum that has traditionally been off limits to all but the established clique of operators.

The first sign of this change was the 31 July announcement by the FCC that licensees will be required "to allow customers, device manufacturers, third-party application developers and others to use or develop the devices and applications of their choosing... so long as they meet all applicable regulatory requirements and comply with reasonable conditions related to management of the wireless network" (that is, do not cause harm to the network). Open devices may finally be coming to American mobile networks.

The American network operators, notably Verizon Wireless, made some telling legal arguments to the FCC against this openness. Verizon even claimed such openness would be an infringement on the US constitution's First Amendment — that Verizon's commercial free speech would be impaired. Translation: any communication to the customer other than that allowed by Verizon is unacceptable. What is clearly unacceptable to consumers, however, is the network operators' domination of their mobile-phone experience, plus high prices — together with arrogance, poor customer service and a lack of innovation.

Consumers are already taking matters into their own hands. A 17-year-old high school student in New Jersey published details recently on his website about hardware changes to Apple's iPhone to unlock it from network control (that is, currently restricted to use on AT&T's network in the US only, and launching in Europe before Christmas based on similar exclusive contracts). Similar unauthorised (by network operators) iPhone-unlocking techniques have been announced by the iPhoneSimFree group and a Czech company, Bladox.

The second aspect of this change is the availability of open phones. Not only are the phones open, but their operating systems are open too, running Linux. One of the world's first open-source mobile phones, First International Computer's (FIC) Neo1973, is due to be launched in autumn 2007 — costing much less than an Apple iPhone. Others will follow as open development environments for Linux, such as Qtopia Greenphone, become available. Additionally, some of the major network operators are hedging their bets on this trend, with involvement in either the LiMo Foundation (NTT DoCoMo, Vodafone) or the Linux Phone Standards (LiPS) Forum (Orange / France Telecom, Telecom Mobile Italia).

Network operators are hedging their bets because, with the FCC order, the network operators in the US have fallen back on a media and lobbyist campaign invoking FUD (fear, uncertainty and doubt). Yes, that old security industry selling technique of inducing FUD is now being used by non-security-industry companies. The network operators are now arguing that US national security will be harmed by the threat open devices pose to this piece of critical infrastructure.

While the shrill tone of this FUD campaign is exaggerated, the operators are correct that open devices could allow for greater exploitation of security vulnerabilities in new applications (and in the devices themselves) due to weaker security architectures and testing.

Network-operator FUD is based on grafting the current Microsoft Windows PC paradigm onto the mobile phone market and claiming that an escalation of exploits against security vulnerabilities will occur. Witness the first hack of the Apple iPhone less than one month after its official release. If extrapolated, then such exploits would in turn provoke an escalation in the availability of security products available (and necessary) for mobile phones. This is today's (in)security model for the PC ecosystem, and it is the model that established security vendors are following in the mobile phone market — for today. For example, companies such as Symantec, McAfee and Sophos have all introduced antivirus products for mobile phones.

To break this arms race, a new paradigm for securing open devices is needed, and this will probably involve hardware-based solutions, such as the Trusted Computing Group's mobile trusted modules. Whether or not that new security paradigm emerges, open devices are coming, and hopefully the industry will respond by learning from the mistakes made in the PC world rather than simply repeating them, as the FUD suggests.

Tim Mather is chief security strategist for RSA Conferences.

RSA Conference Europe will be held in London's ExCel conference centre on 22-24 October.