Is your cell phone at risk?

Not at the moment, although new strains of viruses that infect smartphones pose yet another network security problem that you'll have to worry about in the future.

Recent headlines such as "Cabir worm wriggles into U.S. mobile phones" conjure up the image of old tabloid headlines touting killer bees heading to the U.S. from South America. The latest buzz is that your cell phone could be infected with a nasty virus and you might not even know it.


Granted, your chances of infection are probably less than getting stung by killer bees, but mobile threats are only in their infancy and will continue to grow in sophistication, making the problem something IT staff should get on their radar early.

There are several mobile phone viruses in the wild at the moment, including Skulls, Cabir and Fontal. And, like many PC-based viruses, each has its own set of variants aimed at keeping users and security vendors on their toes.

Skulls spreads by hiding in what looks like a harmless application for your mobile phone, be it a "theme" manager application or a simple game. It replaces system icons with a picture of a skull and crossbones and makes it difficult to access phone functions. Cabir variants - there are roughly 20 - use Bluetooth wireless technology to spread between phones in close proximity. And Commwarrior uses the Multimedia Message Service (MMS) to send infected files that appear to be important security updates between devices. Commwarrior also will reset the device on the 14th day of the month, thus deleting all settings and data, if the virus is not removed in time.

Fortunately, the number of reported infections of each variant of Cabir, Commwarrior and Skulls falls in the 0-to-49 range, according to Symantec's virus threat database. Removal of the viruses is relatively easy, usually involving the deletion of infected files. In rare, more severe cases, the device might need to be reset to the original factory settings.

Vulnerable devices

The current slate of viruses all target the Nokia Series 60 smartphones running the Symbian operating system. A smartphone combines phone and PDA functions into one device. The good news is that 96% of the phones sold last year are not smartphones, use an operating system other than Symbian and are, therefore, completely immune to existing mobile threats.

Symbian holds the biggest share of the smartphone operating system market, with 13.65 million units shipped in 2004. Other operating systems such as palmOne and Windows Mobile accounted for another 6.6 million units, according to In-Stat/MDR. By comparison, the total number of worldwide mobile phones sold in 2004 was 678.9 million, says Neil Strother, a senior analyst at In-Stat.

Of the major wireless providers in the U.S., only T-Mobile and Cingular offer Symbian-based phones. Verizon Wireless and Sprint don't carry any Symbian devices.

Even if one does have a Nokia Series 60 device, it takes some effort to catch the virus. Unlike many of today's network-based worms that can spread between PCs and servers without any end user interaction, mobile viruses are far less sophisticated. With Cabir, users must have Bluetooth turned on and visible to nearby phones that are similarly equipped. An infected phone will constantly search for other Bluetooth devices to which it can pass its payload. The target machine will get a message asking the user to accept and install a SIS file (a Symbian file format) being transmitted via Bluetooth wireless. Users would have to accept both the transfer and the installation of the application to get infected.

How a cell phone virus spreads

1. A phone infected with the Cabir virus uses Bluetooth to continuously search within a 32-foot range for other devices to target. It attempts to send infected SIS files to the first Bluetooth-enabled device it can find.
2. The worm arrives at the target device, which must be running the Symbian OS and have Bluetooth turned on in "discoverable" mode. The targeted device will prompt its user to receive a message from the infected device.
3. If the user chooses to accept the message, her phone will issue a security warning. Disregarding the warning, she opts to proceed.
4. The user then will be prompted to install the virus, which also goes by the alias "caribe." The user chooses yes.
5. The Cabir infection takes hold. The cycle repeats when the worm in the original phone and newly infected device start looking for new devices to infect via Bluetooth.

Commwarrior works in a similar fashion, except it uses an MMS message that claims to be delivering an important Symbian security or application update, says Travis Witteveen, vice president of American operations at anti-virus vendor F-Secure. Targeted users still have to accept the download and install the file to be infected. Commwarrior does add a bit of nastiness in that it embeds itself into application files on the device, making it more difficult to disinfect.

"Consumers have to go through hoops to get the virus," says Laurie Armstrong, a spokeswoman for Nokia, which has a large financial stake in Symbian. "These are not crazy, freely spreading viruses."

There's no inherent flaw - such as a buffer overflow or missing security feature - that virus code writers are exploiting in the Symbian operating system or Nokia's implementation of it. "The threats are targeting high-end phones that have fully functional operating systems and have the ability to download and install arbitrary applications," says Oliver Friedrichs, senior manager at Symantec Security Response.

Symbian offers a signed application service that digitally certifies the author of an application and that the application has not been changed since certification. When non-signed applications are installed, users get an additional "do you really want to do this?" warning.

"A Symbian-signed application [or any signed application in general] is a measure of certain standard of application," says Simon Garph, vice president of marketing at Symbian. "You know where it comes from and that it's been through a certain series of tests."

The mobile-oriented viruses are not designed to do much more than spread, although they might mess up a device enough that it has to be reset to the original factory settings or drain the battery because an infected unit constantly searches the airwaves for a new target.

"Right now they're more proof-of-concepts," Friedrichs says. "People are writing them to show that something can be done or that the phone platforms can be impacted by threats, just like the PC is."

The Windows operating system on the desktop offers enough low-hanging fruit for attackers to go after. The smartphone market has not reached critical mass yet, so it's not as attractive a target for the would-be virus writer. When a smartphone operating system grabs at least 20% of the market, it will become a better target, says Patrick Hinojosa, CTO at anti-virus vendor Panda Software.

"How many Amiga viruses are there? You could write a virus for it, but how is it going to spread [efficiently]?" Hinojosa asks.

Although more smartphone operating systems could be similarly susceptible to such worms, none have been found yet.

"I am not worried about it right now," says Roald Haugan, global telecom manager for Artesyn Technologies, a power conversion equipment maker in Boca Raton, Fla. "I've got other balls on the court to worry about."

Haugan says that only a few of his users actually have Bluetooth technology running - mostly Research in Motion BlackBerry devices.

Future threat

Although today's mobile virus threat might not be much of a worry - the equivalent of the early "Stoned" virus that infected DOS-based PCs - the threat will grow as the devices become more PC-like.

Smartphones do have an upward growth path over the next few years. "In five years, we won't think of it as a 'smartphone,'" Strother says. "The phone in 2010 will be pretty sophisticated and handle a lot of data and heavy traffic."

Caleb Sima, founder and CTO of SPI Dynamics in Atlanta, sees a number of potential issues as smartphone technology lands in the hands of more mainstream users.

Bluetooth is a security challenge on a few fronts. For one, an attacker doesn't have to be that close to the target. A typical Bluetooth signal can travel about 32 feet, but there are people who have developed antennas to increase the range to almost 1 mile. That signal can be used to gather information from a phone (a practice known as bluesnarfing), make calls on the device or transmit malicious code - as Cabir does.

"You could sit in an airport or mall with a laptop and pick up tons of stuff and junk from people's cell phones," Sima says. Vendors now are disabling Bluetooth by default, but as more devices - such as cars - use the technology, it will need to be enabled more often, opening another attack vector.

The mobile device might even carry a virus back to a PC when the two devices synchronize. A road warrior may pick up a virus outside a network perimeter on his mobile device, bring it back inside the firewall and synchronize with his work machine, spreading the virus on the LAN. The potential of this is more limited because anti-virus software on the PC should catch the infected file before it wreaks havoc.

Sima says he's heard rumblings of a Trojan horse application that could be installed on a device through memory cards, infrared file transfer or synchronization. An attacker could send a special text message to the infected phone, signaling the Trojan to send the last 5 minutes of recorded phone conversation. "It could send it as a message attachment without the user knowing," Sima says.

Buffer overflows, a common problem with PC-based applications in which too much data is received and not properly handled, ultimately let an attacker run his own code on the affected machine. The same problem could crop up in the mobile world. There's currently not enough of an incentive (financial or otherwise) to look for such issues in a mobile application, but there will be when consumers start using their phones to pay for items at a vending machine or to extract cash from an ATM, as they do in Japan.

It was a buffer overflow exploit that led to one of the hacks of T-Mobile accounts. However, the phone was not the problem. A non-patched Web application server looked to be the weak point, Sima says.

Even today, one could use text messaging to launch a denial-of-service attack against a phone, Sima says. An attacker could run a program on his PC that sends thousands of text messages to a phone number. The flood would render the phone's interface useless. Even if the phone doesn't freeze up, many service providers limit the number of text messages an account holder can send and receive before incurring extra charges. Thousands of text messages could result in an unexpectedly large bill for the victim.
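
As an added example (not part of the original article), here is a gateway-side check for the text-message flood described above. It counts inbound messages per recipient in a sliding window, so a flood spread across many sender numbers is still caught. The log format, phone numbers, window and threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumed value)
THRESHOLD = 100                  # inbound messages per window treated as a flood (assumed)

def parse(line):
    """Split one 'timestamp sender recipient' record; return None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2]
    except ValueError:
        return None

def detect_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {recipient: (first_alert_time, peak_count, distinct_senders)}."""
    recent = defaultdict(deque)   # recipient -> (time, sender) pairs still inside the window
    alerts = {}
    for ts, sender, rcpt in sorted(filter(None, map(parse, lines))):
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:   # expire messages older than the window
            q.popleft()
        if len(q) >= threshold:
            first, peak, senders = alerts.get(rcpt, (ts, 0, set()))
            senders.update(s for _, s in q)
            alerts[rcpt] = (first, max(peak, len(q)), senders)
    return {r: (f, p, len(s)) for r, (f, p, s) in alerts.items()}

def sample_log():
    """Constructed log: light normal traffic, one burst, one malformed record."""
    t0 = datetime(2005, 1, 1, 12, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=10 * i)).isoformat()} +15550100 +15550111" for i in range(5)]
    # Burst: 300 messages in under 60 seconds from 10 rotating sender numbers.
    lines += [f"{(t0 + timedelta(milliseconds=200 * i)).isoformat()} +1555020{i % 10} +15550199"
              for i in range(300)]
    lines.append("garbled record")
    return lines

if __name__ == "__main__":
    for rcpt, (first, peak, senders) in detect_floods(sample_log()).items():
        print(f"flood to {rcpt}: first alert {first}, peak {peak}/min, {senders} senders")
```

Keying the window on the recipient rather than the sender is what lets the same check feed a per-account cap before message charges accumulate.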

F-Secure's Witteveen worries that as more people become dependent on their mobile phones as their only phone, 911 emergency calls could become a problem should a phone be attacked.

There's also the issue of fixing devices that have been compromised. "We need to have a centralized service provider take care of problems," he says. "An 18-year-old working at the phone kiosk at the mall would get bombarded if anything big hit."

However, mobile devices will continue to flourish despite the increased risk of future infection. "As the handsets get more sophisticated and computer-like there is a greater potential, but that hasn't stopped the computer business from expanding to the masses," Strother says. These threats "will be another modern day digital hassle that people will have to live with."
