Information Security News mailing list archives

Hackers' next target? Cell phones


From: InfoSec News <isn () c4i org>
Date: Mon, 11 Mar 2002 03:05:13 -0600 (CST)

http://www.siliconvalley.com/mld/siliconvalley/2833740.htm

Posted on Sun, Mar. 10, 2002     
By Jim Krane
Associated Press

For malicious computer hackers and virus writers, the next frontier in
mischief is the mobile phone.

A phone virus or ``Trojan horse'' program might instruct your phone to
do extraordinary things, computer security experts say.

``If a malicious piece of code gets control of your phone, it can do
everything you can do,'' said Ari Hypponen, chief technical officer of
Helsinki-based F-Secure, a computer security firm. ``It can call toll
numbers. It can get your messages and send them elsewhere. It can
record your passwords.''

As cellular phones morph into computer-like ``smartphones'' able to
surf the Web, send e-mail and download software, they're prone to the
same tribulations that have waylaid computers over the past decade.

``We should think of cell phones as just another set of computers on
the Internet,'' said Stephen Trilling, director of research at
anti-virus software maker Symantec. ``If they're connected to the
Internet they can be used to transmit threats and attack targets, just
as any computer can. It's technically possible right now.''

In Japan, deviant e-mail messages sent to cell phones contained an
Internet link that, when clicked, caused phones to repeatedly dial the
national emergency number -- equivalent to 911. The wireless carrier
halted all emergency calls until the bug was removed.

In Europe, handsets' short message service, or SMS, has been used to
randomly send pieces of binary code that crashes phones, forcing the
user to detach the battery and reboot. A new, more sinister version
keeps crashing the phone until the SMS message is deleted from the
carrier's server.

In the United States, relatively primitive cell phone technology keeps
users immune from such tricks, for now.

Phone hacking is nothing new. In the 1970s, so-called ``phone
phreakers'' made free phone calls -- and even gained control of major
phone trunk lines -- by whistling certain tones into the receiver.

``It was easy,'' said John Draper, 58, of Stockton. Draper, now a
designer of computer security software, is still known as Captain
Crunch for pioneering the hacking of phone networks with the help of a
plastic whistle that came in a box of the eponymous breakfast cereal.

``You could control the entire network, do anything an operator could
do,'' Draper said.

Now, at least three software companies have released personal security
software for emerging smartphones, girding for a new wave of phone
viruses and Captain Crunch-style tricks.

Hypponen's F-Secure is one such firm, selling anti-virus and
encryption software for smartphone operating systems made by Palm,
Microsoft and the Symbian platform common in Europe.

Thus far, there have been no publicized reports of phone hacking or
viruses, although viruses have attacked handhelds running the Palm
operating system. Microsoft predicts deviant code will soon emerge for
handhelds running its Pocket PC software. Both operating systems are
expected to be used increasingly in smartphones.

A virus is a piece of malevolent code that self-replicates, while a
Trojan horse does not but can be just as destructive. The pranks in
Europe and Japan created virus-like havoc, but did not propagate like
a full-fledged virus.

For virus writers who crave notoriety by wreaking maximum havoc, there
are still too few smartphones, and no widespread software platform to
attack, Hypponen said.

That is starting to change.

Until recently, cell phone operating systems were ``closed,'' unable
to download software. But new smartphones -- like the Nokia
Communicator, Handspring's Treo, Motorola's Java Phone and
Mitsubishi's Trium-Mondo -- are open to such third-party downloads.

At the same time, software developers' tools available for designers
of such programs as games and currency converters can also be used to
create malicious applications, Hypponen said.

``It's possible for anyone to make custom software for this
platform,'' he said. ``Teens can download development tools and write
their own software.''

It's these third-party programs that worry experts. If one is
disguised as a Trojan horse, an infected phone could make some calls
on its own.

In a speech at a cell phone conference in France last month, Hypponen
cited a Slovak Web site, virus.cyberspace.sk, that posted a bulletin
exhorting readers to create phone viruses.

`` `We are starting Cell Phone Virus Challenge. Any contribution
welcomed,' '' Hypponen quoted the notice as saying. The page has since
been taken down.

Soon, mobile phone owners will be obliged to install security software
like ``personal firewalls'' that used to be reserved for Internet
servers, said Prakash Panjwani, a senior vice president at Certicom, a
computer security firm in Hayward.

``That's where things are going,'' said Panjwani. ``It's the same
threat as the wired world: people posing as you, stealing your
identity or your personal information, and using your information for
malicious purposes.''

Cell phone users can avoid this, of course, by sticking with their old
``dumb'' phones, said Alan Reiter, a wireless consultant in Chevy
Chase, Md.

``There are trade-offs,'' said Reiter. ``Do you want a phone with a
tiny monochrome screen where you can only make phone calls? That's
much more secure.''
 


-
ISN is currently hosted by Attrition.org
