Cellular Phones Packing More Punch, Growing More Vulnerable
by Trevor Bauknight
Published on this site: June 15th, 2005
Monday's news from the UK-based IT-tabloid The Register brought
with it a report of a new version of a Trojan-horse program for
Symbian OS-based mobile "smartphones"
http://www.theregister.com/2005/06/13/skulls_trojan_f-secure/.
Typically, only high-end PDA-like mobile phones, many not even sold
in the U.S., run the excellent Symbian operating system, and malware
for even these phones is exceedingly rare. As more and more mobile
phones pack the capabilities these devices are pioneering, threats
of malware will only increase; but for now, at least, most mobile
phone users are free to remain blissfully unaware of the dangers
flying past them in airports, central business districts, conference
rooms and college classrooms.
Is Your Phone Safe?
Probably. It sounds funny, but most mobile phones lack the
kind of connectivity that malicious programmers have been
using to make their viruses spread. The relative handful of
Trojans that have appeared have relied upon Bluetooth personal-area
networking (PAN) to propagate. Bluetooth is a nascent, but
exploding, wireless technology that connects cellphones, headsets,
keyboards & mice, printers, desktop computers and even
some luxury cars.
Bluetooth operates in a range up to about 30 feet; so, interestingly,
like living viruses, the few Trojans that have emerged for smartphones
rely on proximity to spread to other similarly equipped devices.
Even if you're one of the lucky ones to have a Bluetooth equipped
phone that syncs its phonebook up with the one on your desktop
PC and lets you use a wireless headset without carrying the
phone itself around with you, chances are that the diversity of
operating software running such
phones and the scarcity, or maybe non-existence, of malicious software
designed to exploit those operating systems mean that you have
nothing to worry about, at least in terms of virus protection.
Bluewhat?
Even still, according to a Tom's Hardware report
http://www.tomshardware.com/business/200408021/defcon-05.html
from the Defcon 12 computer security conference last year in Las
Vegas, there are three basic kinds of attacks to which most Bluetooth-enabled
phones are vulnerable, and they all have funny-sounding names: Bluesnarfing
is the obtaining of personal data like phone numbers, calendar data
and stored SMS messages from the phone by someone with the skills
to take it. Bluetracking refers to the ability of someone who sets
up the necessary receiving equipment (antennas and so on) to track
your movements using signals from your phone. Bluebugging involves
executing commands remotely on the Bluetooth phone, enabling an
attacker to turn on your phone to place a call back to another phone
on which someone can listen in on you if you happen to be near your
Bluetooth-equipped phone.
In addition to the more insidious threats above, one that
is more of a pastime called Bluejacking involves a miscreant
creating a phonebook entry on her own phone containing a provocative
message in the Name field, and then searching for other Bluetooth
phones and sending the "contact" anonymously to
them, causing the provocative message to pop up on the screen
of the target.
The best way to guard against these attacks is to make sure
that your Bluetooth-equipped phone does not advertise itself
to the outside world. There should be some sort of Bluetooth
connectivity option such as a checkbox making your phone "Visible
To Others" or "Discoverable". At this point,
and even going forward, I don't see much of a use for this
to be on, other than having your phone bombarded by ads and
business cards while you're walking down the sidewalk. So
after you've set up your PAN (you may need your phone to be
discoverable during that process), you should turn off this
option or turn off Bluetooth temporarily in public places
if you don't need it for your headset or some other reason.
My Siemens S56 allows me to turn it off and on by holding
down a hotkey for a few seconds, and your phone probably has
a similar feature.
But What About the Viruses?
Most, if not all, of the malicious software designed to actually
run on your infected phone and spread itself to other phones
has been written for the Symbian OS, and that means that it
simply isn't a problem for the great majority of us who aren't
yet blessed with such devices. These programs tend to disguise themselves
as useful software and are released initially through sites
that specialize in the piracy of such programs. Once "in
the wild", they install themselves with the user's
kind permission and then propagate via Bluetooth to other discoverable
phones.
The first one, Cabir, was created by a group called 29A that specializes
in the creation of proof-of-concept malware. It disguised itself
as a Symbian utility called Caribe and carried no malicious payload,
at least initially. Its chief effect was to drain your phone's battery
while looking for other Bluetooth-enabled phones. Since then, however,
several malicious Trojans have been released using the same "engine",
and the latest one, Skulls-L, disguises itself as F-Secure's mobile
anti-virus program and deletes key smartphone apps like messaging,
net access, and others that can be difficult to restore.
F-Secure is a company that specializes in computer security
software from the enterprise down to the mobile phone, and
its products are well-received. In response to the news of
Skulls-L, the company gives good advice to those seeking to
obtain its software, and this principle applies to all software
from all vendors: Get it straight from the source. If you
have a smartphone that runs Symbian OS, you may wish to obtain
the F-Secure anti-virus products, and if you do, the company
advises getting it straight from the F-Secure website http://www.f-secure.com
or from its mobile-friendly link at
http://www.phoneav.com.
To its credit, Symbian
http://www.symbian.com
seems keenly interested in making its platform the OS of choice
for advanced mobile phones, and is responsive to threats such as
these.
The Emerging Threat
While threats to mobile phones from malware are, at the moment,
isolated and rare, they will only grow. Anti-virus software
makers are already hyping the danger, hoping to sell more
software, and as long as there are still people out there
making money off of ever-increasingly annoying advertising,
there will be a profit-motive in defeating your personal security
measures.
Mobile smartphones are getting smarter and are being asked to do
more and more things, from acting as your personal secretary to
enabling your videoconferencing and keeping you connected to important
information when you're away from your computer. As these phones
begin to take advantage of always-on Internet connections like GPRS
and such services increase in speed and drop in price enough to
make them attractive for more people, malware will begin to exploit
those connections instead of relying on the relatively short-range
Bluetooth transmissions.
Going forward, all you can do is try to stay aware of
both the hype and the potential of real threats. We maintain
a collection of computer security resources at CafeID http://www.cafeid.com
and we will be watching developments in issues of mobile technology
security very closely in the coming months. Watch this space
for more information, and most importantly, make sure you're
familiar with the technology you carry on your belt and what
it's doing while you're having your morning coffee.
Trevor Bauknight is a web designer and writer with over
15 years of
experience on the Internet. He specializes in the creation
and maintenance of business and personal identity online and
can be reached at [email protected].