CELLPHONE SCOURGE It's not a question of whether but when viruses come calling - Yet wireless providers say they'll be ready Rachel Ross – Toronto Star The infection has spread.
Viruses are no longer relegated to traditional computers. Cellphones are targets too.
So far, the attacks have been minimal. But cellular companies are preparing for a full-scale assault.
"We're quite concerned about it," said Todd Tomkinson, director of product development and management for Canadian wireless carrier Microcell Telecommunications Inc. "It's very likely it will become a bigger issue over time. That's why you see a lot of the anti-virus software companies getting into the mobile arena."
The rise of the cellphone virus will mean many things to many people: new revenue streams for anti-virus software firms, new headaches for the cellular industry, and new-found pride for hackers who are up for the challenge.
According to the anti-virus firm Symantec Corp., the world's first cellphone virus appeared in July 2004. The virus's self-proclaimed author, who goes by the hacker name Vallez Zallev, said he wrote the virus partly for the glory.
"It's rewarding to be first one in the world," wrote the 24-year-old in an email interview from his home in Spain. "In addition to that, I liked the idea of a virus (that was) able to infect when a human was near (another), (like) a real virus."
Much like a biological, airborne virus, Zallev's mobile phone virus spreads via Bluetooth: a short-range wireless system that sends data directly from one phone to another using radio waves. Infected phones scan the surrounding area for other Bluetooth devices before transmitting the virus wirelessly to the target phone.
Zallev's virus, known as Cabir, didn't really do much except spread and drain the phone's battery in the process.
Both Zallev and the anti-virus community describe Cabir as a "proof-of-concept" virus, written and released solely to prove that it could be done. Zallev is part of 29a, a loosely organized, international virus writing group. According to the group's Web site, they generally try to avoid writing harmful code and consider themselves researchers.
"They never attempt to steal any information or spread the viruses themselves," said Ero Carrera, an anti-virus researcher for F-Secure Corp. in San Jose, Calif.
It didn't take long, however, before other hackers were tweaking Zallev's code. Ultimately, Cabir became part of something far more malicious: the Skulls program.
Skulls is a kind of Trojan: malicious software that masquerades as something harmless. In this case, the software was supposed to provide new background images and icons for a cellphone display.
It wasn't until Skulls was downloaded and installed that users realized they'd infected themselves with some damaging code.
In addition to installing several variants of Cabir, the Skulls Trojan makes all the software programs on the phone inaccessible. Once infected, a multipurpose cellular device with text messaging, a calendar, camera and address book becomes little more than an old-fashioned cellphone.
A call can be placed, but that's about it. The Trojan would then try to infect other phones, using code from the Cabir virus to spread.
A report on malicious software released today by Symantec states there are unconfirmed reports of Cabir variants "in a variety of Southeast Asian countries, including Singapore and the Philippines." But, in general, cellphone viruses haven't really hit the masses yet.
None of the Canadian cellphone carriers said they'd received complaints about any cellphone virus, in fact.
Why haven't viruses wreaked the same kind of havoc on cellphones that they have in the PC world?
"Fortunately, we're not as attractive a target as PCs," said Peter Barnes, president and chief executive of the Canadian Wireless Telecommunications Association (CWTA).
According to Barnes, the cellular industry also has one major advantage: when it comes to phones, there's no obvious target.
Hackers typically want to make a big splash with their code, but a virus made for one operating system won't work on another. That's why hackers will often write PC viruses for one of the popular Microsoft operating systems. The more people use an operating system, the bigger the target and the greater the potential for chaos.
But Barnes notes that there's no dominant operating system for cellphones. The spread of Cabir and Skulls, for example, was limited because these viruses could only infect certain phones that use the Symbian operating system.
(Symbian Ltd. declined requests for an interview.)
"There are so many types of phones on so many networks, it's not really appealing to attack because they are just not going to have the same impact as they would if they sent (their virus) over traditional email," said Microcell spokesperson Rebecca Catley.
The industry isn't just relying on software diversity to protect against viruses, however.
David Neale, vice-president of new product development for Rogers Wireless Inc., said the company was working on ways to protect their cellular customers long before Cabir came calling.
Viruses can infect cellphones in many ways.
"The key is making sure as many of the holes as possible are blocked," said Neale.
Rogers scans all text messages, for example, to check for suspect code. Anything that doesn't follow the usual format for Short Message Service (SMS) text messages is filtered out.
"We throw them away if they look even vaguely odd," he said, adding that he's confident the company can keep viruses out of the text message stream.
Tomkinson said Microcell also filters suspicious messages from the Fido network. (Spokespeople for Bell Mobility and Telus Mobility said they also take a proactive approach to thwarting viruses but neither would get specific about it.)
The Multimedia Messaging Service (MMS), which is intended as a way for users to exchange large files, is another possible entry point for viruses. Malicious software can be disguised as a picture, video or audio file and transmitted via MMS. Fortunately, MMS messages have to pass through a gateway before they reach the phone. Neale said Rogers monitors messages for signs of infection thereby stopping viruses from passing through the gateway to a phone.
Many people also enjoy downloading games and ringtones to their cellphone, but viruses could be lurking in these files too. That's why cellular carriers recommend you only download files from their Web site, instead of games that you happen to find on some random Web site.
With the Cabir virus, the industry was alerted to another vulnerability: Bluetooth. Unfortunately, Bluetooth messages travel directly from phone to phone, so there's no easy way your cellular provider to filter malicious transmissions.
Carrera said Bluetooth is actually very well-designed in that it alerts the owner to any incoming files and always asks for approval before any software is installed.
Keith Nowak, a spokesperson for cell-phone maker Nokia, suggested people use a little common sense: never accept files from someone you don't know.
"You wouldn't install a random piece of software from an unknown source on your computer. You shouldn't do it on your phone either."
Nowak and Tomkinson both believe public education is a critical part of the solution. According to Tomkinson, Microcell plans to launch a public awareness campaign and provide tips on the Fido Website describing how to avoid infection.
The Canadian government has not yet committed to a plan to combat the emerging problem.
Zuwena Robidas, media relations officer for Public Safety and Emergency Preparedness Canada, said the government agency — which is charged with ensuring public safety and security— is monitoring the cell-phone virus situation.
"But we don't see it as an immediate threat so we're not actively addressing the issue," she said.
Anti-virus experts said that while we've been relatively unaffected it's essential to remain vigilant; we have not seen the worst of it yet, because cellular technology is still developing. The number of cellular virus writers will grow with the complexity of our phones.
"When a platform gets enough features, there's always someone developing viruses," Carrera said.
Several cellphone companies are developing phones with a payment function, for example. Tying the phone to your credit card or bank account would certainly up the ante for virus writers, according to Carrera. At that point, writing viruses wouldn't just be about fun and fame. It could also be a way to make money.
Neale said the wireless industry has learned from the mistakes of the PC world. That's why the text messaging system, for example, is designed so that it's easy to oversee traffic.
"You never want to boast and say nothing will happen," said Barnes.
Boasting might attract the unwanted attention of hackers, eager for a new target.
"But we've not have any report (of cellphone viruses) to date in Canada and we hope that continues to be case. We remain vigilant," Barnes said. "We're working to keep ahead of the viruses."
Zallev, the hacker, isn't convinced that cellphones will be spared the endless barrage of viruses that attack PCs. They might have learned from the past, he wrote, but nothing is completely secure.
"I think they will be a problem in the future," Zallev wrote. "And (anti-virus) and security companies will gain lot of money with it."
Zallev hopes to write another cellphone virus, as soon as he finds the time. |