Mobile GPS system virus could infect network

A mobile GPS system shipped with a virus that could infect the corporate network.

A maker of portable GPS devices admitted this week that an "isolated number" of its products may contain malware that could infect the corporate network with a virus.

On Tuesday, the maker of TomTom GO 910s said that a small number of the devices produced in the fourth quarter of 2006 may have been infected with a "low risk" virus. The company said the virus does not affect performance of the GPS device, but when linked to a PC or laptop, the devices could spread the virus onto a corporate network.

According to an announcement on the TomTom Web site, the infected devices were produced between September and November 2006 and were shipped with software version 6.51.

"In the isolated cases that a virus was detected, it was found when the TomTom GO 910 was connected to the computer and, for example, a back-up of the content on the device was being made," the announcement said.

The device maker recommends that TomTom users update their virus scanning software and, if a virus is detected, allow the software to remove the 'host.exe' file, the 'copy.exe' file or any other variants. The company cautions users not to try to remove the malware manually.

But it may not be that simple, according to Dennis Szerszen, vice president of corporate strategy for SecureWave, an endpoint security vendor.

Szerszen said that in this instance, if the GPS device were linked to a corporate PC via a USB plug, the malware on the device could have propagated and spread onto the corporate network.

"Bottom line, plug and play has become just another threat vector -- another way for malware to introduce itself into the network," he said.

According to the Web site, the TomTom device was found to contain the win32.Perlovga.A Trojan and TR/Drop.Small.qp on the satnav hard drive within the copy.exe and host.exe files. The files could prompt Windows to use the AutoRun feature to run malicious software.
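
As an added illustration (not code from TomTom or from the original article), the following read-only check lists a mounted device's root directory, reports the two file names given in the announcement, and shows which programs an `autorun.inf` would ask Windows to launch. The `autorun.inf` keys checked and the sample contents are assumptions, since the announcement does not reproduce the file found on the device.

```python
import tempfile
from pathlib import Path

# File names quoted from the TomTom announcement in the article.
ADVISORY_NAMES = {"copy.exe", "host.exe"}
# autorun.inf keys that tell Windows to start a program from the volume.
LAUNCH_KEYS = ("open", "shellexecute")
# Constructed sample; the announcement does not show the device's autorun.inf.
SAMPLE_INF = "[AutoRun]\nopen=copy.exe\nshell\\open\\command=host.exe\nicon=drive.ico\n"


def launch_targets(inf_text):
    """Return (key, command) pairs that an autorun.inf asks Windows to launch."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_autorun = line.lower().startswith("[autorun]")
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if in_autorun and sep and (key in LAUNCH_KEYS or key.endswith("\\command")):
            targets.append((key, value.strip()))
    return targets


def audit_volume(root):
    """List findings for the root directory of a mounted removable device."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    findings = [f"advisory file present: {n}" for n in sorted(files.keys() & ADVISORY_NAMES)]
    inf = files.get("autorun.inf")
    if inf is not None:
        for key, cmd in launch_targets(inf.read_text(encoding="latin-1")):
            findings.append(f"autorun.inf {key} launches: {cmd}")
    return findings


def build_sample_volume():
    """Create a constructed stand-in for a device root, with empty placeholder files."""
    root = Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_text(SAMPLE_INF, encoding="latin-1")
    for name in ("copy.exe", "host.exe", "map.dat"):
        (root / name).write_bytes(b"")
    return root


if __name__ == "__main__":
    for finding in audit_volume(build_sample_volume()):
        print(finding)
```

The check only reports what it finds and deletes nothing, in line with the company's advice to leave removal to virus scanning software.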

William Bell, director of security for CWIE Holding Co., a Tempe, Ariz.-based e-commerce solutions provider, said the TomTom bug is "part of the whole evolution of viruses." He said viruses now are sliding in by the backdoor somewhere, even in places that typically seem innocuous.

"The major concern is somebody brings [a TomTom] in thinking, 'Oh, I'm going to update my TomTom with the new software,'" Bell said, adding that the user, even if the intent wasn't malicious, could introduce the viruses to the networks. "Even if it was something that destroyed just the computer it was connected to, that would be bad enough."

Bell said companies need to be protected against unknown viruses, worms and Trojans that may enter through endpoints like the TomTom or other vectors.

"It used to be, 'Oh my God, this is going to crash my computer,'" he said. "That's not what scares me most these days. It's data leakage that really scares me. You have to take every safety precaution to protect valuable assets."

While neither Szerszen nor TomTom could say what would happen if this particular virus got onto a corporate network, he said there are three things that malware tries to do when plugged into the network: breach confidentiality, damage the integrity of data, and make resources unavailable. All three possibilities are likely when malware is introduced via a mobile device or an endpoint.

TomTom said there has been no reported case of the virus spreading, but Szerszen noted that an incident such as this should act as a wake-up call for enterprises and prompt them to reevaluate what types of devices they let link to the network.

"A lot of companies don't pay attention," he said, adding that many organizations allow iPods, USB sticks, cameras and unauthorized cell and smartphones to get onto the network without knowing the risks they present.

"Companies have to educate themselves and learn what their exposures are," he said.

From there, companies need to review their policies regarding what kind of devices can access network resources and what they can do while they're attached.

"There has to be a company policy on what devices can be plugged in and how they're used," Szerszen said.

In many instances, antivirus and other protective software may stop malware from entering the network, but according to recent statistics from Yankee Group, of the 99% of corporations with antivirus or some other protection, 52% still had some sort of viral infection.

"If malware wants to find a way in, it's going to find a path," Szerszen said. "I can't imagine this is going to be the last we'll see of this."
