Cell phones and other mobile devices are becoming more powerful, more functional and more indispensable in many people's lives. But these same qualities also make them tempting targets for criminal hackers—and at the moment, there's little to stop the damage they could do.

Jon Giffin and Patrick Traynor are assistant professors at the College of Computing's School of Computer Science who are tackling the security problem from complementary angles with a grant from the National Science Foundation. Giffin's background is in software for mobile devices, while Traynor is concerned primarily with cellular networks. They share a philosophy about security that defies conventional thinking.

"The attackers will ultimately figure out how to hack in and start using phones in malicious ways," says Giffin. "We believe this is a reasonable assumption because that's what we've seen in the desktop world. Expecting that the attackers will not succeed is not realistic."

Handheld devices are turning into pocket-sized computers with nearly all of the capabilities—and all the security vulnerabilities—of a desktop. The latest "smart" phones can send e-mail, allow users to conduct banking online and manage other kinds of sensitive information.

Hacking medical records through cell phones?

Traynor predicts that within the next five years, cell phones will provide access to an individual's health care records—a plus in most respects, but also another security concern.

"As with a desktop, you could have malware that waits for you to log into your bank account, then steals your account number," Giffin says. "Or perhaps the malware turns your phone into a bug by turning on the microphone, or uses your phone to attack the cellular network."

Mitigating viruses, worms and other malware in mobile wireless devices presents unique challenges. Handhelds are battery operated, so anti-virus software that continuously monitors a device's activity would deplete battery power more rapidly than users would find acceptable. In addition, these devices employ different kinds of connectivity—Bluetooth, wi-fi, cellular—each of which offers a path for attackers.

Computer Science assistant professors Jonathon Giffin (left) and Patrick Traynor believe mobile devices could be the next big target for hackers and cyber criminals.

Cellular networks themselves are disturbingly vulnerable. "When the phones themselves become malicious, there are certain nodes within the cellular network that become very susceptible to attack," says Traynor. "If you increase certain kinds of traffic through them slightly, problems arise fairly rapidly."

In one of his most publicized tests, Traynor showed that with a single cable modem, "I could send text messages into a cellular network and knock out all the voice and text messaging for Manhattan."

If criminal hacking can't be stopped, what can be done? The researchers are developing a suite of software tools called Caegis to conduct ARM code analysis and over-the-air cell phone vulnerability testing to help manufacturers improve the resistance of their device software to malware.

Emphasis on detection, remote repair

More important, the Tech researchers say, is to focus on data recovery through remote repair, which they call bringing a device back to a "safe state." According to Traynor, A smart network could detect when something is amiss with a particular device and, even without identifying the problem precisely, trigger the device to reset itself to a point prior to when the problem started.

"It's a way of restoring a phone's correct functionality after an attack has taken place, without throwing away everything that the user had already been doing with the device," Giffin explains. Various remote repair strategies and software will be tested using a small-scale cell network set up on the Tech campus.

Although the reported incidents of cell phone hacking have been few, "as more of these devices have access to the Internet, that means attackers can access these devices," Giffin notes. "So security is important—now."