With the first recorded mobile phone virus recently discovered, the mobile industry is facing up to a potential future of phishing and spamming, as David Adams finds out.
More bad news. In June, a group of virus writers created Cabir, the first mobile phone virus, in this case one that uses Bluetooth to spread between phones running the Symbian operating system. Spam is already making its way from email to SMS, and now here’s more confirmation that when it comes to irritating by-products of messaging technology, where the PC leads, the mobile will follow.
“Some useful citizen has written a virus which targets mobile phones,” wrote IT website The Register, with customary sarcasm. But, in fact, Cabir might turn out to be quite useful, as a means of concentrating minds in the mobile industry on the long battle against viruses and other electronic threats that lies ahead.
Cabir itself is not dangerous. It is merely a ‘proof of concept’ virus. But it shows mobiles are vulnerable to the same security problems that have dogged the computer industry in recent years, and the struggle to contain and repel those threats might have unpleasant knock-on effects. If phones have to contain anti-virus technology, how will that affect the delivery of other services? And how can the industry adequately secure the huge range of handsets, networks and services now in operation or due to be launched in the next few years?
Making use of connectivity
“The significance of Cabir is that it’s designed to make use of connectivity between mobile devices,” says David Emm, senior technology consultant at Kaspersky Labs. Phones with the virus attempt to contact and infect other phones using Bluetooth, but can succeed only if the users of uninfected phones accept both an unsolicited message from an unknown Bluetooth sender and an invitation to launch an application about which they know nothing. All the virus then does is bring up a message on the phone that says “Caribe” (and start looking around for new targets). There is no malicious payload attached. But there could be, and it has to be assumed that viruses which come later on might not be so harmless.
Even though viruses that need this much human intervention to spread are a few steps down the evolutionary ladder from the self-propagating nasties now familiar in the computer world, there is plenty of evidence that viruses which rely on human weakness can thrive. For example, the Love Bug, which required people to open an attachment, caused havoc around the world in 2000 by playing on our innate curiosity and gullibility. And assuming mobile viruses evolve along similar lines to their computer counterparts, it won’t be long before mobiles face threats that are much harder to spot. This could lead to real trouble if these are used for the same sorts of nefarious purposes as have some of the virus and spamming campaigns observed in the computer world.
Little criminal intent
Back in the early 1990s, Emm used to compare virus writing and hacking to vandalism. “At that point there was little real criminal intent,” he says. “That’s no longer the case. Now you’ve got people using these techniques to perpetrate fraud and phishing scams, with spamming techniques used to seed machines to pass on spam afterwards.” Indeed, recent research from network management firm Sandvine suggests that up to 80 per cent of all spam is now sent from these ‘zombie’ PCs. Something similar happening to phones, without their owners’ knowledge and at their expense, is not a pleasant prospect.
“There’s no reason why these things couldn’t happen in the mobile world,” says Emm. “I think we’ll see everything from the trivial to the serious. You may have harmless viruses that make messages pop up on your screen, or some that delete or corrupt your contact information or any other data you have stored on the phone. If you use it for email then maybe, as happens with computers, there will be things that harvest your contacts and then infect them.”
Phones or PDAs that are hooked up to computers in the workplace by business users might also offer viruses a route into corporate networks, which won’t please business users, many of whom remain dubious about using mobile devices anyway. Viruses might also be programmed to lie undetected in phones for long periods, during which they could be infecting hundreds of other devices around them. “I’m sure virus writers will want to take advantage of the fact that people move around in close proximity to other mobile users,” says Emm. “If you had something that was lying low for three months before it was activated it would have had time to infect a lot of phones.” Nor will it please consumers if unsavoury spam of the type seen in email accounts starts appearing on more mobiles, including those used by their children.
Virus writers may also benefit from more phones being based on open Java technology, suggests Trevor Brignall, director of business development in consulting services for telecoms, media and entertainment at Cap Gemini. He believes the continued growth in the number of Java-based handsets (from around 100 million now, out of 1.5 billion handsets, to half a billion in the next 18 months or so) will have unfortunate side-effects. “Most of the new devices coming out in the next two years are likely to be Java-based, and that will make the market very attractive to hackers and fraudsters because of the openness of the platform,” he says. “An open system brings great opportunities for people trying to develop content and applications for the phones, but although I’m sure we’ll see some great content that also means more opportunities for virus and Trojan writers.”
Brignall is also concerned that not all the developers working on the games and ringtones exchanged through Bluetooth connections by many mobile users have a complete understanding of how to prevent their applications becoming unwitting hosts for viruses. Unless these problems are solved, Brignall fears mobile services will face severe disruption in the near future. “The industry has got six to 12 months to prepare itself for an onslaught,” he warns.
So what can be done to prevent this deluge of viruses, Trojans, and the inevitable spam? The most obvious first step is to install scanning systems on the networks. Discussions between operators and security companies about how to achieve this are well underway. “I’m confident that the providers will put a layer of protection on their networks in the next few months,” says Matt Piercy, general manager for the UK at F-Secure. “That’s a work in progress and once that’s done it will be a big blow to the virus writers.”
But making the networks completely secure for every messaging type, service, device and application will not be straightforward. “You’ve got to make sure the security can work for all these applications on all these different devices,” warns David Potts, senior vice-president for the embedded division at SafeNet. “With PCs you have ubiquity in operating systems. With wireless you’ve got a much more complex ecosystem.”
The right direction
Brignall agrees that an international, industry-wide approach will be needed, but he believes things are already moving in the right direction. “The industry is trying to address these issues, and is looking at lessons to be learned from the computer industry and from financial services about the problems they have had,” he says. “The mobile industry is actually very good at working in forums to address issues and standards.”
But scanning for viruses at the network level will remain a challenge for operators for many years, especially if — as has been the case with email — spam volumes rise to overwhelming levels. Enforcing rules will entail a degree of international cooperation not yet seen in this industry, however good its players might be at sitting down and talking things over. The results of faltering attempts being made by governments, ISPs and other regulators to control email messaging are not encouraging.
Even if networks are secure, that’s not going to affect viruses passed on by direct device-to-device interaction. This could be a huge problem, because Bluetooth-enabled phones are now so widespread, with millions of people having activated the technology to allow them to use their phones while driving. There are also plenty of software tools available online to help would-be attackers get around Bluetooth security and encryption — assuming it is switched on, which is certainly not always the case.
Prospect not appealing
So users will have to protect their phones or stop using them for complex applications — a prospect neither they nor service providers will find appealing. That means individual phones will need some form of upgradeable anti-virus technology, along similar lines to that used on PCs. Finding anti-virus techniques to protect all the services and applications on all the different handsets and devices is not going to be easy, but operators are starting to work out how it might be done.
“I think over the next 12 months operators will either be embedding something on the phones as they ship or providing it as a service afterwards,” says Piercy. “That will help raise awareness and drive adoption at the customer level.” He doesn’t see why anti-virus solutions on phones should slow down or over-complicate the user experience either, with updates delivered through secure, verifiable messaging methods or perhaps downloaded when the phone is hooked up to a computer.
The question of how security is provided on the phone is probably as important as its effectiveness, because educating and protecting the consumer without having a negative impact on their experience of the product will be so essential. “Users want instant gratification,” says Brignall. “If they have to wait a long time for something they’re downloading to be scanned by a security device that will annoy them, and may have one of two possible results. Either they will want to switch off the security device, so end up pulling unscanned content straight onto the phone, or there will be a fall in demand for those services. We need to make sure that they get that instant gratification but that they get it safely.”
Taking security seriously
Above all, Cabir underlines the fact that consumers will need to take mobile security as seriously as computer security. Educating the consumer will surely be the toughest task of all, particularly as it will involve explaining to users that nobody actually knows what sorts of threats are going to appear. If the history of computer viruses teaches us anything it is that every new threat has at least one characteristic that surprises the experts: in the variety of transmission methods, the ways viruses can transform or conceal themselves, or the purpose for which they have been devised. Meanwhile, more convergence between phones, PDAs and PCs will surely lead to the rise of viruses that threaten all these devices simultaneously.
Yet, despite all this, we can also greet Cabir as a piece of good news. “Clearly the fact there’s so much mobile usage now and the fact that the phones have become increasingly sophisticated have made this a more attractive target,” says Emm. “If you look at computer viruses, most target Windows because so many PCs use it. If everyone moved to Linux overnight then that would become the main target. There has to be a certain uptake of a technology to make it worthwhile for the bad guys to target it.” You can see the point. Not much of a consolation, I know, but this is only happening because things are going so well.