Mobile Virus! [Archive] - PPRuNe Forums

Feline

9th Jun 2000, 01:15

New York Times - June 8, 2000

Viruses Could Have Your Number

By ANNE EISENBERG

Just as the world is learning to cope with computer viruses and worms, sophisticated cell phones have become a target of malicious, or at least mischievous, computer code.

This week in Spain, some people looked at their mobile phones and found a message protesting the policies of a Spanish telecommunications operator, Telefónica. The message they saw began life as an e-mail attachment on a computer. Once the message was opened, it sent itself to everyone in the address book of the computer owner, and the cycle repeated over and over again.

But the Spanish message had a second, unusual aspect: it made its way not only to address books, but also to a phone gateway in Spain, then to some cell phones, which displayed the text message. The incident was reported on Tuesday by F-Secure Corporation, a company based in Espoo, Finland, that provides security for cell phones, personal digital assistants, laptops and other computer devices.

"Many cell phones are capable of receiving short text messages, here as well as in Europe," said Dr. Steven M. Bellovin, a network security researcher at AT&T Laboratories in Florham Park, N.J. The phone was not taken over by the virus; the only result was an annoying message. "It's not doing anything to the phone," Dr. Bellovin said. "It's just doing something to the user."

But more serious viruses affecting cell phones and P.D.A.'s may well emerge. Most mobile phones sold in the United States today are fairly simple devices that offer no home for a serious virus. But as more phones become programmable and capable of communicating with the Internet and downloading information, there will be more opportunities for computer viruses and worms to erase or steal telephone numbers and cause other damage.

Dr. Bellovin said that with more advanced phones, "any kind of 'malware' -- malware is a slang expression in computer security for malicious code -- can be injected into the phone to alter or destroy its functions." Malware can strip the owner's conversations of privacy, Dr. Bellovin said. "It strikes me as entirely possible to use the virus to bug people," he said, sketching a future in which a hacker could silently reprogram a person's phone to dial a set of numbers, turning that phone into an open mike without the user' knowledge.

Even simpler, Dr. Bellovin said, would be injecting programs into the phone that would locate the last few phone numbers dialed because those numbers would still be sitting in memory. "The program can gather that information up and send it back on the Internet to anyone who wants to spy on your list of last calls," he said. P.D.A.'s may be even more vulnerable to viruses, some researchers say. "P.D.A.'s are closer to the edge," said David M. Chess, a member of the research staff at I.B.M.'s Thomas J. Watson Research Center in Yorktown Heights, N.Y. He pointed out that while most programming in cell
phones was fixed in read-only memory burned in at the factory, making it harder for viruses to find places to live, "P.D.A.'s do have RAM, and you could in theory get a virus."

Theory has become fact for one university researcher, Dr. Simon Foley, a senior lecturer in computer science at University College in Cork, Ireland. He has shown in recent experiments that viruses can be created in P.D.A.'s.

Dr. Foley and his group looked specifically at how easy it would be to create and propagate malicious code with one type of P.D.A., a Palm organizer.

"We concluded that within the Palm handheld itself, there is no defense against malicious attack," he said. Dr. Foley presented his conclusions at the Institute for Electrical and Electronic Engineers' Symposium on Security and Privacy, held in Oakland, Calif., on May 16.

The attack could be as simple as changing telephone numbers or making the device stay on continuously, Dr. Foley said. "We found that it is easy to create a catastrophic failure where the virus destroys all the data," he said.

But Dr. Foley also found that it was more difficult to propagate a virus from one Palm device to another.

"As you make it easier for people to share data between Palms," he said, "then of course the potential for the viruses and descendants of viruses increases."

Gabriel Acosta-Lopez, senior director of platform alliances and partner services at Palm Inc., pointed out that "there is no known virus anywhere reported so far for Palm." If one appears, the company will be ready to respond, he said.

As P.D.A.'s become as capable as the current generation of desktop computers and cell phones become as capable as the current crop of P.D.A.'s, users will inevitably confront viruses.

"It will be up to the owners," said Rick Kemper, director of wireless technology and security for the Cellular Telecommunications Industry Association in Washington. "Owners will need to do good detective work at the front end as the messages are coming through."

To keep P.D.A.'s from infection, Dr. Foley suggested that users avoid direct exchanges of data between handheld devices and make regular backups on desktop computers.

Are manufacturers' aware of the dangers? "Often people release their systems," Dr. Foley said, "get people to adopt them and then worry about security."

Ericsson is one cell phone manufacturer that says it is aware of the problem of infection.

Jan Dellmark, the company's solutions product manager in Stockholm, said, "We will build security into the models that will come."