Cellular Phones Packing More Punch, Growing More Vulnerable

by Trevor Bauknight

Published on this site: June 15th, 2005 - See more articles from this month...

Monday's news from the UK-based IT-tabloid The Register brought with it a report of a new version of a Trojan-horse program for Symbian OS-based mobile "smartphones"
http://www.theregister.com/2005/06/13/skulls_trojan_f-secure/. Typically, only high-end PDA-like mobile phones, many not even sold in the U.S., run the excellent Symbian operating system, and malware for even these phones is exceedingly rare. As more and more mobile phones pack the capabilities these devices are pioneering, threats of malware will only increase; but for now, at least, most mobile phone users are free to remain blissfully unaware of the dangers flying past them in airports, central business districts, conference rooms and college classrooms.

Is Your Phone Safe?

Probably. It sounds funny, but most mobile phones lack the kind of connectivity that malicious programmers have been using to make their virii spread. The relative handful of Trojans that have appeared have relied upon Bluetooth personal-area networking (PAN) to propagate. Bluetooth is a nascent, but exploding, wireless technology that connects cellphones, headsets, keyboards & mice, printers, desktop computers and even some luxury cars.

Bluetooth operates in a range up to about 30 feet; so, interestingly, like living virii, the few Trojans that have emerged for smartphones rely on proximity to spread to other similarly equipped devices. Even if you're one of the lucky ones to have a Bluetooth equipped phone that syncs its phonebook up with the one on your desktop PC and lets you use a wireless headset without carrying the phone itself around with you, chances are the diversity of operating software running such
phones and the scarcity, or maybe non-existence, of malicious software designed to exploit those operating systems, means that you have nothing to worry about, at least in terms of virus protection.

Bluewhat?

Even still, according to a Tom's Hardware report
http://www.tomshardware.com/business/200408021/defcon-05.html from the Defcon 12 computer security conference last year in Las Vegas, there are three basic kinds of attacks to which most Bluetooth-enabled phones are vulnerable, and they all have funny-sounding names: Bluesnarfing is the obtaining of personal data like phone numbers, calendar data and stored SMS messages from the phone by someone with the skills to take it. Bluetracking refers to the ability of someone who sets up the necessary receiving equipment (antennas and so on) to track your movements using signals from your phone. Bluebugging involves executing commands remotely on the Bluetooth phone, enabling an attacker to turn on your phone to place a call back to another phone on which someone can listen in on you if you happen to be near your Bluetooth-equipped phone.

In addition to the more insidious threats above, one that is more of a pastime called Bluejacking involves a miscreant creating a phonebook entry on her own phone containing a provocative message in the Name field, and then searching for other Bluetooth phones and sending the "contact" anonymously to them, causing the provocative message to pop up on the screen of the target.

The best way to guard against these attacks is to make sure that your Bluetooth-equipped phone does not advertise itself to the outside world. There should be some sort of Bluetooth connectivity option such as a checkbox making your phone "Visible To Others" or "Discoverable". At this point, and even going forward, I don't see much of a use for this to be on, other than having your phone bombarded by ads and business cards while you're walking down the sidewalk. So after you've set up your PAN (you may need your phone to be discoverable during that process), you should turn off this option or turn off Bluetooth temporarily in public places if you don't need it for your headset or some other reason. My Siemens S56 allows me to turn it off and on by holding down a hotkey for a few seconds, and your phone probably has a similar feature.

But What About the Virii?

Most, if not all, the malicious software designed to actually run on your infected phone and spread itself to other phones has been written for the Symbian OS, and that means that they simply aren't a problem for the great majority of us who aren't yet blessed with such devices. They tend to disguise themselves as useful software and are released initially through sites that specialize in the piracy of such programs. Once "in the wild", they install themselves with the user's
kind permission and then propagate via Bluetooth to other discoverable phones.

The first one, Cabir, was created by a group called 29A that specializes in the creation of proof-of-concept malware. It disguised itself as a Symbian utility called Caribe and carried no malicious payload, at least initially. Its chief effect was to drain your phone's battery while looking for other Bluetooth-enabled phones. Since then, however, several malicious Trojans have been released using the same "engine" and the latest one, Skulls-L disguises itself as F-Secure's mobile anti-virus program and deletes key smartphone apps like messaging, net access, and others that can be difficult to restore.

F-Secure is a company that specializes in computer security software from the enterprise down to the mobile phone, and its products are well-received. In response to the news of Skulls-L, the company gives good advice to those seeking to obtain its software, and this principle applies to all software from all vendors: Get it straight from the source. If you have a smartphone that runs Symbian OS, you may wish to obtain the F-Secure anti-virus products, and if you do, the company advises getting it straight from the F-Secure website http://www.f-secure.com or from its mobile-friendly link at
http://www.phoneav.com. To its credit, Symbian
http://www.symbian.com seems keenly interested in making its platform the OS of choice for advanced mobile phones, and is responsive to threats such as these.

The Emerging Threat

While threats to mobile phones from malware are, at the moment, isolated and rare, they will only grow. Anti-virus software makers are already hyping the danger, hoping to sell more software, and as long as there are still people out there making money off of ever-increasingly annoying advertising, there will be a profit-motive in defeating your personal security measures.

Mobile smartphones are getting smarter and are being asked to do more and more things, from acting as your personal secretary to enabling your videoconferencing and keeping you connected to important information when you're away from your computer. As these phones begin to take advantage of always-on Internet connections like GPRS and such services increase in speed and drop in price enough to make them attractive for more people, malware will begin to exploit those connections instead of relying on the relatively short-range Bluetooth transmissions.

Going forward, all you can do is try to keep aware of the both the hype and the potential of real threats. We maintain a a collection of computer security resources at CafeID http://www.cafeid.com and we will be watching developments in issues of mobile technology security very closely in the coming months. Watch this space for more information, and most importantly, make sure you're familiar with the technology you carry on your belt and what it's doing while you're having your morning coffee.

Trevor Bauknight is a web designer and writer with over 15 years of
experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at [email protected]. Stop by http://www.cafeid.com for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.