Phone makers need to step up. I personally believe that cellphone code has more exploit vectors per line than today's normal computer code and fewer built-in default protections. It seems as if every popular cell model has a sneaky way around the PIN logon page. Usually it involves hitting the emergency dial button, choosing Contacts, and punching a few other keys. When was the last time your PC allowed you to bypass the password logon screen? There are plenty of other holes. In general, cellphone code isn't as secure as other code.
I haven't discussed the gorilla in the room: the ease of creating malware for mobile platforms. It's exceedingly simple. Most phones allow an installed program to access the user's contact list and to initiate messages. It's been a problem for over a decade. The first major cellphone SMS attack, the DoCoMo worm that impacted Japan in a big way, struck 10 years ago. The world has had plenty of warning, and strangely, most cellphone vendors still don't stop these types of attacks. Cellphone platform vendors should threat model their environments, perform secure code reviews, and implement defenses.
But carriers can do more, such as requiring voicemail passwords to be longer than four characters. How much of the recent tabloid hacking could have been stopped by slightly longer passwords and account lockouts? I'm thinking most of it.
I don't want to say that all vendors are getting it wrong, but in general, most vendors have at least a few weak areas that could stand improvement. It would be nice if we could expend the effort to try to minimize how many duplicate lessons we all have to live through.
This story, "Mobile security fails the history lesson," was originally published at InfoWorld.com. Read more of Roger Grimes's Security Adviser blog at InfoWorld.com.