Colleges have tracked a dramatic increase in smart phones on campus.
Could the size of a smart phone’s screen cause nightmares for campus IT officials? Yes, according to a Georgia Tech study outlining smart phone vulnerabilities that could make campus computer infrastructure vulnerable to hackers.
The comprehensive look at how mobile devices and applications are exploited by hackers has grabbed educators’ attention during a semester that has seen an explosion in the number of smart phones and tablets inundating campus networks.
The report, written by Mustaque Ahamad and Bo Rotoloni of the Georgia Tech Information Security Center and the Georgia Tech Research Institute, charges that small smart phones screens makes it more likely that students and faculty could be infected with malware and viruses on their iPhones, Androids, Blackberries, and other devices.
When using a mobile web browser, users will see the device’s web address bar disappear to provide more screen space to peruse the page.
“But this also removes many of the visual cues users rely on to confirm the safety on their online location,” Ahamad and Rotoloni wrote. “If a user does click a malicious link on a mobile device, it becomes easier to obfuscate the attack since the Web address bar is not visible.”
The smart phone user, in other words, won’t see that she has been directed to a malicious site because the smart phone doesn’t automatically display the address.
Computer hackers use colorful, eye-catching displays and graphics to “lure” smart phone users into clicking on an image that has a malicious link hidden underneath, out of the user’s sight, according to the Georgia Tech report.
“The way elements are laid out on a page and the actions that take place when a user touches something are all opportunities to embed an attack,” the researchers wrote, adding that once the user has clicked on that malicious link posing as an legitimate image, hackers and botnets can “spy” on the smart phone and redirect the user to a “malicious payload,” where sensitive personal information – including passwords, banking information, and documents – can be accessed by outside machines.
IT officials at Washington and Lee University (WLU) in Virginia are among campus technologists who have tracked a mobile device boom that began last year and continued into the fall 2011 semester.
Two years ago, four in 10 university WLU freshmen owned a smart phone. By 2010, 60 percent of freshmen owned iPhones, Droids, and other popular mobile devices.
Now three in four WLU freshmen own a smart phone, said Julie Knudson, the school’s director of academic technologies.
The near ubiquity of smart phones on college campuses could complicate IT staffers’ attempts to protect school networks against attacks via social media websites, which are now commonly accessed via mobile device.
Social networking attacks accounted for about 20 percent of all phishing scams in January 2009, according to a report from Microsoft Security Intelligence. By July, that number had risen to more than 70 percent of all phishing attempts.
About 20 percent of Facebook users have some sort of virus or malware in their profile’s news feed, according to antivirus security company BitDefender.
A popular Facebook phishing scheme that surfaced last year brings users to a Facebook login page that looks identical to the real page. If a user name and password are entered on the fraudulent site, a hacker can gain control of that person’s Facebook account.
Without seeing the URL listed atop a smart phone screen, students won’t be able to stop the phishing attack before it poses a threat to the campus’s internet infrastructure.
Smart phones’ small screens aren’t the only feature that makes the devices a potential harm to campus networks.
Mobile internet browsers rarely – if ever – have updates or patches that shore up security holes discovered when hackers identify and attack vulnerabilities in popular mobile devices.
“One of the biggest problems with mobile browsers is that they never get updated,” Dan Kuykendall, co-CEO and chief technology officer for NT OBJECTives, said in the Georgia Tech report. “For most users, their operating system (OS) and mobile browser is the same as it was on the phone’s manufacture date. That gives the attackers a big advantage.”
Desktop computers can have security gaps patched within days, whereas mobile devices might not receive a critical security update for months, the researchers wrote.
“The software industry needs to modify the current patch and update model to integrate mobile devices for more complete coverage,” Ahamad and Rotoloni wrote.