Will Google Phones Need a Firewall?

What happens when you go from a "closed" network where all unauthorized applications are disallowed (e.g., today’s wireless phone or cable TV networks) to one that’s "open" to any software written to a set of low-level protocols (i.e., the Internet)?

According to Google CEO Eric Schmidt, nothing but goodness. "Industries develop with some amount of proprietary technology… The best model to get volume is to be open," he said on Monday. "That’s what the Internet has taught us."

Google, of course, is hoping to nuke the closed-network model of the wireless carriers with its plans to provide open-source software for mobile phones. The search giant’s Open Handset Alliance – whose 34 members include Sprint Nextel, T-Mobile, Motorola, Samsung Electronics, HTC and Qualcomm – will release an integrated "software stack," code-named Android, that consists of an operating system, middleware, user interface and applications.

Verizon Wireless, as you might imagine, has a different perspective on the question of closed-versus-open handsets.

"Viruses and Trojans are part of the unlocked handset experience. Just imagine children’s mobile phones receiving some of the indecent messages that come into e-mail boxes everyday. ‘Open’ devices simply lower standards," Verizon Wireless vice president of corporate communications Jim Gerace wrote in an Oct. 24 blog post (opens in new tab), responding to a Wall Street Journal opinion piece about opening up mobile handsets.

Unlike the "open" phones provided by European carriers, Gerace wrote, "handsets provided by U.S. carriers have software that protects consumers from fraud and theft."

It’s interesting to note that the Open Handset Alliance’s site mentions "security" or "secure" only in its terms of service and privacy policy. The main points in the Android overview are that it’s "open," "all applications are created equal," and that it enables "breaking down application barriers" and "fast & easy application development."

There’s a parallel to this issue in the cable TV world.

The Consumer Electronics Association has proposed "DCR+" (which stands for "digital cable ready plus") as the preferred means for TVs and other devices to access a limited set of interactive cable services including VOD, pay-per-view channels or on-screen program guides.

Cable thinks DCR+ is a billion-dollar disaster waiting to happen. Among the cable industry’s numerous objections is that DCR+ opens up a security risk to cable networks.

The National Cable & Telecommunications Association, in an Oct. 30 letter filed with the FCC, said DCR+ would expose cable networks "to hacking, denial of service attacks, theft of service, and weakening the security of voice and data, opening up the Internet to criminals who could operate under the veil of anonymity."

That’s because, according to the NCTA, the CEA’s DCR+ proposal disregards the security features in the DOCSIS Set-top Gateway (DSG) spec. Unless communication is protected by "specialized code signing and software validation required by the DSG specification, it can be modified by hackers to talk through unsecured DCR+ software directly to the headend… In attempting to break the totality of the cable solution into component parts, CEA would expose the cable network to the threat of non-secure return channel communications."

Not to oversimplify, but closed-and-secure is the way network operators like things, since it limits their risk.

I imagine that getting tons of spam on your TV or viruses that wipe out your mobile phone’s memory might dampen the enthusiasm for completely "open" architectures. But, as Google’s Schmidt might point out, the Internet hasn’t exactly been knocked off the rails by security issues so far.