Sandia National Laboratories in Livermore, Calif., is planning to attack some 300,000 smartphones and other mobile devices, destroy a bunch of cell towers, and possibly hack into cellphones and tablets to implant corrupt software.
And then see what happens.
The network, of course, isn’t real. It’s a virtual system created with some 500 computers to simulate a real-world environment of interconnected, Android-based handheld devices.
Call it high-tech consumer research designed to better protect increasingly vulnerable smartphones and other mobile devices around the globe.
Sandia spent $270,000 to create the simulation system through its Laboratory Directed Research and Development Program, a discretionary fund for special projects.
Researchers want to see how the system responds to protect networks in the future against potential large-scale problems, Sandia computer scientist John Floren told the Journal.
“There’s been lots of efforts to study individual cellphones and operating systems, but not much looking at large-scale networks,” Floren said. “Our idea is to emulate a full cell network and then cut things off or destroy several cell towers and see what happens to all the phones and software running on the system. It’s critical that we do this, because mobile devices are gaining such dominance in today’s computing environment.”
While the lab’s newly constructed testing environment, called MegaDroid, is just a simulation, such projects are important due to the explosion of smartphones, tablets and other handheld devices around the globe – and the increased threats to such devices.
Cybersecurity experts are scrambling to develop safeguards against vulnerabilities to protect consumers and businesses. It’s a race against time, because cyber criminals are beginning to attack mobile devices on a massive scale.
“We’re seeing an explosion of viruses and criminal activity targeting mobile devices, similar to what we saw with personal computers in the late 1990s and early 2000s,” said Jared Logan, president of Sage Technology Partners in Albuquerque, which provides secure information management services to small businesses. “It’s rapidly escalating because of the immense growth in the use of mobile devices to access the Internet and share data.”
The cybersecurity industry has been anticipating a shift in cybercrime from desktop computers to mobile devices for years, given that handheld technology is beginning to rival the use of personal computers, Logan said.
The World Bank estimates there are about six billion mobile subscribers worldwide today, representing 87 percent of the world’s population. That includes over one billion smartphones, a number the bank says will double by 2015.
More devices than people
“We have more mobile devices in the U.S. connected to the Internet today than there are people, and the forecast is that connected mobile devices will outnumber people worldwide in a short time, perhaps by the end of this year,” Logan said. “It’s a new interconnected world where mobile devices function as personal computers that people use for everything from social media and accessing personal and business email to checking bank accounts and buying things.”
Overall, the number of attacks on mobile devices and the number of distinct types of criminal software, or “malware,” targeting them are still small compared to the hundreds of millions of personal computers that fall victim to hackers annually. But the rate at which mobile-directed cybercrime is expanding is alarming.
A new report from the security firm NQ Mobile, for example, estimates that 33 million Android devices were targeted by malware in 2012, representing a 200 percent jump from 2011. In addition, global IT security vendor Kaspersky Lab says it detected more than 30,000 types of mobile malware in 2012, up from just 6,000 in 2011.
The growth is fueled by a lack of adequate security applications for mobile devices, which provides fertile ground for cyber criminals. In large part, that’s because mobile computing technology is developing faster than industry’s ability to protect it.
“Industry is taking steps to tackle these problems, but it’s just getting started in the mobile environment,” said Anand Paturi, head of the research division at Computational Analysis & Network Enterprise Solutions (CAaNES), a network security firm in Albuquerque. “In that sense, it’s like in the 1990s, when security for PCs was just beginning.”
Some mobile technologies create particularly serious vulnerabilities, such as the emerging use of “near field communication,” which allows users to exchange information by bumping phones, or to pay for things with a swipe of their device, like a credit card.
“Malware can be installed on phones to take advantage of NFC technology that could turn an airport, a concert or anyplace where people are in close proximity into danger zones, where outbreaks of mobile malware spread faster than the Spanish flu,” Logan said.
That’s why Sandia created the MegaDroid simulated network, to help industry analyze such problems and develop solutions, Floren said. The lab will use its testing environment to build software for industry to independently do simulation and resolution work.
Seeking better protection
“We’re creating a tool for people to test applications to make sure they’re relevant at scale,” Floren said. “We want to get it out there and let people go wild on it.”
Cybersecurity firms are also developing new techniques to protect mobile users. CAaNES, for example, has developed a system to rapidly screen applications for viruses before downloading them to devices by comparing the code in those applications with known malware already circulating on networks.
That’s important, because a huge percentage of device infections come from users installing apps that cyber criminals have altered.
“Malware hackers take apps from websites, change them and then re-post them for people to download,” Floren said. “Or they send a message for users to update their apps with more cool features and instead people end up installing malware.”
Still, the real key to protecting mobile devices is educating users. People need to take basic precautions, such as installing anti-virus software when available, using pass codes to activate phones or tablets, being cautious about downloading apps from unknown sources and not clicking on dubious email or text messages that could route a user to malware-infested websites.
“People need to be cautious about what they do, just like with a PC,” Logan said. “Don’t just click on any link you see, because a lot of them will take you somewhere malicious. And don’t open every email you get, because if the IRS or UPS is saying they owe you money or something, it’s probably a scam with imbedded malware. Be smart.”