Mobile Security Thoughts
Om points out the real issue that underlies T-Mobile's security problems:
Laugh as we may about the Paris Hilton and her hacked SideKick, one thing is clear: it is a wake-up call for the entire wireless world. I think the device makers and others need to start taking wireless security more seriously. Bob Metcalfe, in a chat, told me that wireless was the new platform, and like all platforms we need to make it secure. Bill Day recently pointed out that there are 30 known viruses that are targeting the mobile phones (versus 112,000 PC viruses.) [A lot of people are talking about Cabir now, but I had blogged about it earlier.] With more than a billion users using phones as their primary connection - data and voice - and m-commerce becoming more of a reality, expect more attacks. As an aside, RIM's new servers have features that allow phone operators to turn off and wipe out the devices "over the air."
I'd like to expand on that a bit more.
Anyone who's heard me talk in person about long-term strategy for mobile products and services knows that I've mentioned security quite a bit. I haven't written about it here as much, but let me just point out there could've been more damage done from the Paris Hilton hack than just some copied photos and address book info. If a hacker had actually gotten access to Danger's back end system, they could've found the *location* of any Sidekick user. Danger has an internal application which shows the general location (based on cell towers, I think) of all the HipTops in use. In other words, if some nutty hacker had full access to T-Mobile's system, they could have easily stalked Paris in the real world. I'm sure this didn't happen, but that's really the potential here. I think the name of the company that makes the Sidekick is quite apt in this regard.
Having spent some time at a Location Based Services company, I can tell you from experience the reaction of many people when I talked about the cool new functionality that LBS will enable on the mobile phone. Services like keeping track of your friends' locations, or monitoring the whereabouts of your kids. But the first reaction from almost everyone (usually Soccer Moms first) is, "Who's going to have access to that info?" and the response is, "Well, just you and the people you give permission to," and they always respond with, "Can you guarantee that?" And the answer is, "We have to."
As mobiles start to become our portable data repository, our wallets and a location device, it's going to be of the utmost importance to secure this system for both hacks on the server side and loss of the device (a more common experience) on the handset side. Carriers right now all want to become uber-portals, owning the user, providing all the services and controlling all the data. But you know what? They suck at it. As this T-Mobile fiasco is showing - starting with last year's hack of the entire Sidekick system and now with the publishing of Hilton's Sidekick contents.
This is where the traditional Web companies in the Valley (like my employer... putting on the corporate hat for a sec) can play the biggest role in the mobile world. You can't see my Yahoo Address Book or read my Yahoo Mail can you? It's because Yahoo knows a bit about securing data for their 170 million subscribers (they've been doing it for a while). As more mobile users start to come online, I can see most carriers being completely overwhelmed trying to keep up with their subscribers' needs, security being one of the most important, and I can see them starting to rely more and more on the big Internet companies to provide those services. Or, if nothing else, PR-nightmares like the Hilton thing are going to push more mobile users towards companies they trust, like Yahoo or eBay or MSN or whoever.
Om's right though, this is a wake-up call to the entire industry, and maybe the consumers as well. Mobile data is sensitive data, and security should be foremost on everyone's minds.
-Russ