Did the Job of Security Software Just get Bigger?
Well, it looks that way. We are only just into the second month of 2010 and yet we can now see, in prospect, a whole new raft of innovation coming our way. At CES a lot of the attention was with respect to eBook readers and new slate/tablet based PCs. These new devices are squarely focused on digital content. The success of Amazon and Apple in the digital content arena clearly shows that there is a big market for digital content and that money can be made as a result. We have seen a lot of activity in the eBook reader market, with many companies starting to launch products. Amazon, with the Kindle, has very much been the vanguard of showing how this can all come together.
CES also witnessed a range of announcements with respect to tablet computers. We saw products from HP, Lenovo (interesting cross-over laptop/tablet device), Sony, Archos, etc. Many of these products will start to come to market mid-point this year. Some people commented that these CES announcements were a pre-emptive strike to gain interest and profile ahead of the long and much anticipated Apple tablet device. And so, last week, Apple finally took the wraps off of the iPad. The headlong rush into the brave new world of digital content devices is now on. What are the security implications of all this? That’s a good question.
In all of the product announcements, a picture was painted of us having almost constant and ubiquitous access to digital content, be that websites, books, news, music, videos, or pictures, to name but a few. That content will be accessed, managed, and—most importantly—paid for from these new devices. The devices themselves, when you strip them back, all have an OS, a browser, storage, and some means to connect to the Internet. At the end of the day they are PCs—of a sort. Hence, from a security perspective they all face the same challenges. We all (regrettably) know that hardware and software inevitably have vulnerabilities and that hackers and cybercriminals live off these flaws. I predict that in the coming months we will see proof-of-concept-type announcements that a particular device or OS used in any one of these devices can be compromised. Consider the iPad that has just been announced. It uses the iPhone OS, and just this week Apple released a patch to block remote code execution on the iPhone, and therefore by default, the iPad.
This will spook many people and will no doubt garner many more headlines; however, that does not mean that users will be directly impacted—not in the short term. Why? Well, as ever, it comes down to money. Hackers and cybercriminals, in theory, now have a fertile new segment to exploit and pillage. These new devices will hold digital content that has a real value attached to it: our online “identities.” To transact and procure this content on these devices, we have to use our online identities and these quickly attract the attention and focus of cybercriminals.
However, their focus on our online identities as associated with this brave new world will be checked not by technical considerations, but rather economic ones. Cybercriminals need to have a large addressable market, to adopt the parlance of marketeers, before they will really focus on it. For the moment the hottest product in town is the Apple iPad. I’ve read that some analysts are predicting that up to six million of these devices could be sold this year. That seems to be a big number, but if you think that the installed base of Windows PCs stretches into the billions of units, and that even the Mac installed based stretches into the hundreds of millions, then it still is relatively small. The numbers and economics suggest that the average cybercriminal would still do better to focus on the existing, large, and established Windows and Mac markets.
This new segment of digital content devices will also get some protection from it still being a nascent market. At the moment there is not much commonality with the products that have been announced—everyone is off and doing it their own particular way—not unlike the mobile phone market. Heterogeneity is not the ideal bedfellow for hackers and cybercriminal. It can force them to have to create different versions of malware and that all takes time and effort, resulting in greater costs and therefore less profit. So, again it is the economics that dictates where the cybercriminals zero-in their focus.
Remember the past experience is always instructional in shaping the reality of today. This new category of digital devices is going to be huge. It will grow quickly, but it will not necessarily happen overnight. The heterogeneity of the nascent market will afford some protection, but as the number of people buying and using these new devices grows and as people start to converge upon the winning products, we will then start to see real attacks that impact many people and which will yield real revenue and reward for the cybercriminals. Hence, the perimeter that we as a security community have to patrol will get bigger and a bit more complex.