Having managed to cripple PCs on more than one occasion
over the last decade, viruses, worms and trojans are now heading
for mobile phones. And while many experts worry they could be as
malicious as their PC predecessors, some fear they could be a whole
lot worse.
Consider the following facts. First, the planet is already
populated with substantially more mobile phones than PCs, with the
gap between the two steadily increasing. Second, many mobile phone
customers plan to use their devices as electronic wallets to pay
for goods and services. And third, mobile phone makers have opened
their once tightly controlled operating platforms to third parties
to develop new applications that often link to the public
internet.
Put all that together - millions (and some day billions) of
mobile phones with sophisticated banking functions, open interfaces
and internet capability - and it's not difficult to understand why
hackers, who have honed their skills on PCs over the past decade,
are now setting their sights on mobile devices.
"Not fun or fame but money will be the main motive for writing
mobile viruses, just as it has become in the PC world," said
Andreas Lamm, a manager for anti-virus company Kaspersky Labs.
So far, the attacks on mobile phones have been few (around 10)
and relatively harmless. Hackers have targeted primarily, but not
exclusively, the new smartphones that use open platforms such as
Microsoft's Windows Mobile or the Nokia Series 60 interface running
a Symbian OS.
Smartphones offer lots of functions, such as e-mail with
attachments, game downloads or Bluetooth wireless networking - in
other words, an environment full of potential for viruses, worms
and trojans.
In July, Kaspersky Labs found the first-ever worm capable of
spreading to mobile phones. Cabir is a proof-of-concept worm that
uses Bluetooth to copy itself onto devices running the Symbian OS
up to 10 metres away. It is transmitted as a Symbian installation
system (SIS) file and disguised as a security utility called
Caribe. When the infected file is launched, the mobile phone's
screen displays the word "Caribe" and the worm modifies the Symbian
OS so that Cabir is started each time the phone is turned on. An
infected phone sends the worm to the first vulnerable phone it
finds.
In August, smartphones were attacked by another trojan,
Mosquito, which hides in a game with the same name. Once installed,
it sends SMS text messages to premium-rate numbers in several
countries without the user's approval or knowledge.
And last month, mobile phone viruses surfaced once again, with
two related trojans. The first, Skulls.A, deactivates all links to
Symbian system applications, such as e-mail and calendar, replacing
their menu icons with images of skulls. Users of affected phones
can only send or receive calls.
The more recent strain, Skulls.B, incorporates the Cabir.B worm
and, unlike Skulls.A, can spread to other phones within Bluetooth
range. Skulls.B is otherwise similar to its predecessor, using
Symbian default icons, which look like jigsaw puzzle pieces,
instead of skulls to render applications unusable.
Even though these viruses are few in number, what worries the
mobile phone industry is that they're happening - and with
increased frequency.
"We aren't panicking; we're still at a stage where there aren't
enough platforms out there for viruses to spread easily," said
Steve Babbage, security director at Vodafone. "But that won't
protect us for long."
Vodafone, the largest mobile operator in the UK (and Europe),
has reason to be concerned. It is one of many now offering 3G
high-speed services to smartphone users. Vodafone and many other
British and European operators paid exorbitant prices for 3G
licences. The last thing they want is for a swarm of viruses to
undermine that investment.
Although enterprise customers are also becoming concerned about
mobile viruses, they're far from paranoid.
"We're only now beginning to see some mobile viruses, and these
are quickly being hyped by suppliers of anti-virus software," said
the IT security director of a blue chip European consumer goods
company with more than 200,000 employees worldwide. "There is still
a bit of a wait-and-see attitude at our company, but this could
change quickly if we ever get hit by a virus. And then, of course,
it's too late."
The door to mobile viruses was opened when phone makers, led by
Nokia, decided a couple of years ago to open their platforms to
third-party developers and encourage them to develop applications
for new smartphones. The decision was prompted by the industry's
push beyond pure telephony into mobile data, requiring the
expertise of developers trained in PC applications.
"We are very interested in promoting third-party applications to
create greater choice for users," said Eero Kukko, marketing
manager of technology platforms at Nokia, which is giving
developers more architecture guidance and access to design
libraries and APIs. "At the same time, we're enabling developers to
develop security software to protect these applications."
Anti-virus companies applaud the move.
"We're glad that mobile phone suppliers have opened their
platforms," said Matias Impivaara, business manager for mobile
security services at F-Secure. "The benefits users have from open
platforms are much larger than the problems they face on the
security side. Security is just something we have to prepare
for."
You might expect to hear that from a company peddling anti-virus
software, but Impivaara has a point: Nobody really wants to abandon
new mobile data services and return to voice-only because of the
security implications.
But as mobile phone makers and operators open the gate to the
global internet, they will need to get much tougher on security
than when they enjoyed the protection of closed proprietary
systems.
The good news is that plenty of security activity is under
way.
At the client software level, for instance, Nokia responded
quickly to attacks on its new smartphones by signing deals with
F-Secure and Symantec for anti-virus subscription services.
For the Nokia 6670, F-Secure provides on-device protection,
similar to PC protection programs, with automatic over-the-air
anti-virus updates for a monthly fee.
Symantec has made its Client Security software available for the
Nokia 9500 Communicator and 9300 smartphone, which run
Symbian. Anticipating problems, NTT DoCoMo signed a contract last
year for anti-virus software from Network Associates, the maker of
the McAfee product line.
At the hardware level, a security platform called TrustZone,
from the UK's ARM Holdings, could become a standard since ARM's
core processor technology powers most mobile phones and newer
handheld computers on the market. Texas Instruments is building
TrustZone into its next-generation mobile chips, following the
introduction of hardware-based security in Intel's next-generation
XScale chips.
Leading mobile chipmakers plan to introduce hardware-based
security similar to that pioneered by Microsoft in the PC world:
the Next Generation Secure Code Base, formerly known as Palladium.
Schemes put forward by Intel, Texas Instruments and ARM call for a
protected portion of memory - separated from the rest of the
processor - in which applications can be verified and then run
securely.
At the infrastructure level, operators have been installing a
wide range of equipment to monitor and filter corrupt downloads and
spam. These new messaging and content delivery servers are at the
edge of their networks, where gateways open to the internet. Other
new virus detection and repair technology is also being deployed
deeper inside the network.
All these new systems come on top of the authentication and
control systems already in place in mobile phone networks that
require users to log on and identify themselves via the SIM card in
their mobile phone.
"It's really important to defend the network at the edge and not
let spam viruses in the front door," said David Staas, director of
the anti-virus team at Openwave Systems, which provides mobile
phone software and messaging technology. "But some will still
trickle through. Here is where a second line of defence is
necessary."
Openwave has developed a new system that secures a messaging
network at the instant of an attack, preventing spammers from
exploiting vulnerabilities while those vulnerabilities are being
eliminated.
Nokia's infrastructure arm also provides a range of security
equipment to operators beyond basic firewall systems. Its Message
Protection Server, for instance, filters out potentially harmful
e-mail, while its Operator Delivery Server inspects all downloaded
content. The Finnish manufacturer is also offering additional
security through its mobile VPN client and SSL encryption for
web-based applications.
As for downloads - a prime source of viruses - two new
application certification programmes aim to ensure quality and
trustworthiness.
The Java Verified programme was launched earlier this year by
several suppliers, including Motorola, Nokia, Siemens, Sony
Ericsson and Sun, to provide a unified process for testing and
certifying Java-based applications for mobile phones. Orange and
T-Mobile have since adopted the plan.
The Symbian Signed programme provides a service for testing and
certifying Symbian-based applications. The initiative, which
includes Nokia, Sendo and Sony Ericsson, aims, among other things,
to ensure a thriving market for trusted applications.
In addition to these initiatives, several other bodies are
developing standards for security systems in mobile devices,
including the Trusted Computing Group, the Open Mobile Alliance and
the European Telecommunications Standards Institute.
How effective these efforts will be remains to be seen. For one,
users will need to cooperate and should be given the tools to do
so.
"They should have the ability to set preferences, like their own
block list, for instance," said Staas. "They should also be able to
set their sensitivity level for spam, say, for high, medium and low
control."
For another, operators shouldn't wait for a virus to bring down
their network or allow abusive spam to scare away customers.
"The chief executive of a big mobile operator with many
business customers got a call from the chief executive of one of
his customers," said Staas. "The night before, this business
customer received a text message at 2am. His wife thought it was
urgent so she got up and read what turned out to be a sexually
explicit text. He was furious.
"The mobile phone executive turned around the very next day and
told his team to make security a top priority."
Sometimes, a little spam can go a long way.
John Blau writes for IDG News Service