Mobile phones the biggest target for hackers

Having managed to cripple PCs on more than one occasion over the last decade, viruses, worms and trojans are now heading for mobile phones. And while many experts worry they could be as malicious as their PC predecessors, some fear they could be a whole lot worse.

Consider the following facts. First, the planet is already populated with substantially more mobile phones than PCs, with the gap between the two steadily increasing. Second, many mobile phone customers plan to use their devices as electronic wallets to pay for goods and services. And third, mobile phone makers have opened their once tightly controlled operating platforms to third parties to develop new applications that often link to the public internet.

Put all that together - millions (and some day billions) of mobile phones with sophisticated banking functions, open interfaces and internet capability - and it's not difficult to understand why hackers, who have honed their skills on PCs over the past decade, are now setting their sights on mobile devices.

"Not fun or fame but money will be the main motive for writing mobile viruses, just as it has become in the PC world," said Andreas Lamm, a manager for anti-virus company Kaspersky Labs.

So far, the attacks on mobile phones have been few (around 10) and relatively harmless. Hackers have targeted primarily, but not exclusively, the new smartphones that use open platforms such as Microsoft's Windows Mobile or the Nokia Series 60 interface running a Symbian OS.

Smartphones offer lots of functions, such as e-mail with attachments, game downloads or Bluetooth wireless networking - in other words, an environment full of potential for viruses, worms and trojans.

In July, Kaspersky Labs found the first-ever worm capable of spreading to mobile phones. Cabir is a proof-of-concept worm that uses Bluetooth to copy itself onto devices running the Symbian OS up to 10 metres away. It is transmitted as a Symbian installation system (SIS) file and disguised as a security utility called Caribe. When the infected file is launched, the mobile phone's screen displays the word "Caribe" and the worm modifies the Symbian OS so that Cabir is started each time the phone is turned on. An infected phone sends the worm to the first vulnerable phone it finds.

In August, smartphones were attacked by another trojan, Mosquito, which hides in a game with the same name. Once installed, it sends SMS text messages to premium-rate numbers in several countries without the user's approval or knowledge.

And last month, mobile phone viruses surfaced once again, with two related trojans. The first, Skulls.A, deactivates all links to Symbian system applications, such as e-mail and calendar, replacing their menu icons with images of skulls. Users of affected phones can only send or receive calls.

The more recent strain, Skulls.B, incorporates the Cabir.B worm and, unlike Skulls.A, can spread to other phones within Bluetooth range. Skulls.B is otherwise similar to its predecessor, using Symbian default icons, which look like jigsaw puzzle pieces, instead of skulls to render applications unusable.

Even though these viruses are few in number, what worries the mobile phone industry is that they're happening - and with increased frequency.

"We aren't panicking; we're still at a stage where there aren't enough platforms out there for viruses to spread easily," said Steve Babbage, security director at Vodafone. "But that won't protect us for long."

Vodafone, the largest mobile operator in the UK (and Europe), has reason to be concerned. It is one of many now offering 3G high-speed services to smartphone users. Vodafone and many other British and European operators paid exorbitant prices for 3G licences. The last thing they want is for a swarm of viruses to undermine that investment.

Although enterprise customers are also becoming concerned about mobile viruses, they're far from paranoid.

"We're only now beginning to see some mobile viruses, and these are quickly being hyped by suppliers of anti-virus software," said the IT security director of a blue chip European consumer goods company with more than 200,000 employees worldwide. "There is still a bit of a wait-and-see attitude at our company, but this could change quickly if we ever get hit by a virus. And then, of course, it's too late."

The door to mobile viruses was opened when phone makers, led by Nokia, decided a couple of years ago to open their platforms to third-party developers and encourage them to develop applications for new smartphones. The decision was prompted by the industry's push beyond pure telephony into mobile data, requiring the expertise of developers trained in PC applications.

"We are very interested in promoting third-party applications to create greater choice for users," said Eero Kukko, marketing manager of technology platforms at Nokia, which is giving developers more architecture guidance and access to design libraries and APIs. "At the same time, we're enabling developers to develop security software to protect these applications."

Anti-virus companies applaud the move.

"We're glad that mobile phone suppliers have opened their platforms," said Matias Impivaara, business manager for mobile security services at F-Secure. "The benefits users have from open platforms are much larger than the problems they face on the security side. Security is just something we have to prepare for."

You might expect to hear that from a company peddling anti-virus software, but Impivaara has a point: Nobody really wants to abandon new mobile data services and return to voice-only because of the security implications.

But as mobile phone makers and operators open the gate to the global internet, they will need to get much tougher on security than when they enjoyed the protection of closed proprietary systems.

The good news is that plenty of security activity is under way.

At the client software level, for instance, Nokia responded quickly to attacks on its new smartphones by signing deals with F-Secure and Symantec for anti-virus subscription services.

For the Nokia 6670, F-Secure provides on-device protection, similar to PC protection programs, with automatic over-the-air anti-virus updates for a monthly fee.

Symantec has made its Client Security software available for the Nokia 9500 Communicator and 9300 smartphone, which run Symbian. Anticipating problems, NTT DoCoMo signed a contract last year for anti-virus software from Network Associates, the maker of the McAfee product line.

At the hardware level, a security platform called TrustZone, from the UK's ARM Holdings, could become a standard since ARM's core processor technology powers most mobile phones and newer handheld computers on the market. Texas Instruments is building TrustZone into its next-generation mobile chips, following the introduction of hardware-based security in Intel's next-generation XScale chips.

Leading mobile chipmakers plan to introduce hardware-based security similar to that pioneered by Microsoft in the PC world: the Next Generation Secure Code Base, formerly known as Palladium. Schemes put forward by Intel, Texas Instruments and ARM call for a protected portion of memory - separated from the rest of the processor - in which applications can be verified and then run securely.

At the infrastructure level, operators have been installing a wide range of equipment to monitor and filter corrupt downloads and spam. These new messaging and content delivery servers are at the edge of their networks, where gateways open to the internet. Other new virus detection and repair technology is also being deployed deeper inside the network.

All these new systems come on top of the authentication and control systems already in place in mobile phone networks that require users to log on and identify themselves via the SIM card in their mobile phone.

"It's really important to defend the network at the edge and not let spam viruses in the front door," said David Staas, director of the anti-virus team at Openwave Systems, which provides mobile phone software and messaging technology. "But some will still trickle through. Here is where a second line of defence is necessary."

Openwave has developed a new system that secures a messaging network at the instance of an attack, preventing spammers from exploiting vulnerabilities while they are being eliminated.

Nokia's infrastructure arm also provides a range of security equipment to operators beyond basic firewall systems. Its Message Protection Server, for instance, filters out potentially harmful e-mail, while its Operator Delivery Server inspects all downloaded content. The Finnish manufacturer is also offering additional security through its mobile VPN client and SSL encryption for web-based applications.

As for downloads - a prime source of viruses - two new application certification programmes aim to ensure quality and trustworthiness.

The Java Verified programme was launched earlier this year by several suppliers, including Motorola, Nokia, Siemens, Sony Ericsson and Sun, to provide a unified process for testing and certifying Java-based applications for mobile phones. Orange and T-Mobile have since adopted the plan.

The Symbian Signed programme provides a service for testing and certifying Symbian-based applications. The initiative, which includes Nokia, Sendo and Sony Ericsson, aims, among other things, to ensure a thriving market for trusted applications.

In addition to these initiatives, several other bodies are developing standards for security systems in mobile devices, including the Trusted Computing Group, the Open Mobile Alliance and the European Telecommunications Standards Institute.

How effective these efforts will be remains to be seen. For one, users will need to cooperate and should be given the tools to do so.

"They should have the ability to set preferences, like their own block list, for instance," said Staas. "They should also be able to set their sensitivity level for spam, say, for high, medium and low control."

For another, operators shouldn't wait for a virus to bring down their network or allow abusive spam to scare away customers.

"The chief executive of a big mobile operator with many business customers got a call from the chief executive of one of his customers," said Staas. "The night before, this business customer received a text message at 2am. His wife thought it was urgent so she got up and read what turned out to be a sexually explicit text. He was furious.

"The mobile phone executive turned around the very next day and told his team to make security a top priority."

Sometimes, a little spam can go a long way.

John Blau writes for IDG News Service