As servers and desktops become too tough to crack, malicious hackers will turn their attentions to smart phones such as the iPhone, former Microsoft security officer Howard Schmidt told a gathering of security professionals in Sydney today.
Speaking to the Australian Information Security Association annual seminar day, Schmidt said the recent exploit from 21-year-old Wollongong hacker Ashley Towns was the "tip of the iceberg".
Towns achieved international infamy last month when he exploited the fact that many iPhone users who "unlock" their mobile devices to run unsanctioned applications don't change their default passwords.
But Microsoft's former digital sheriff, himself an iPhone user, said the security industry wasn't doing enough to harden mobile devices, expected to touch two billion by 2012, against attack.
"With the proliferation of mobile devices, they're [malicious hackers] attacking the servers, and the servers we start to harden and do a better job and then they start attacking the desktop and attacking applications and web applications and browsers and stuff," said Schmidt, who was president of the Information Security Forum and was a special adviser to the White House.
He said that for many users, their mobile phone was becoming their information appliance of choice, especially when they were away from their desktop or usual operating environment.
"And so what happens is you will probably do what you do best on some sort of mobile device whether it's email, web browsing or whatever.
"You look at the applications coming down to the mobile device; we're doing online banking with them, so on my iPhone I probably have 30 applications to kill time on an airplane to where I log on to eBay and do online transactions, my online banking, my airlines, my hotel."
The "normal progression" was for attack vectors to migrate from data centres and desktops into people's pockets, he said.
"If it's more difficult to attack servers on the network and to attack desktops what's the next logical target? It's the mobile device."
He said that Towns' iPhone exploit was a "real eye-opener" but that security experts had predicted mobile malware for "quite a while".
"Now, granted a couple of the ones [viruses] that we've seen were people who have modified or unlocked the ability [to replace the operating system] on particularly the iPhone, but that's just the tip of the iceberg."
Schmidt said it wasn't sufficient to tell people to stop fiddling with their iPhones because "they're unlocking these things on a regular basis and as soon as you tell them you should not do that, they will".
Schmidt called on the security industry to protect users from themselves using available technology.
"The next big challenge we have to face is to start looking at mobile devices and particularly their relationship to the cloud," he said.
"We have the ability to do two-factor authentication, build that into the system so that we get away from static user ID and passwords. We have the ability to use end-to-end encryption on end-point devices, in transit, on servers.
"We can't stop bad guys from stealing the data but with encryption we can stop them from having any value [from it]."