[ISN] Hackers' next target? Cell phones

From: InfoSec News (isnat_private)
Date: Mon Mar 11 2002 - 01:05:13 PST

    http://www.siliconvalley.com/mld/siliconvalley/2833740.htm
    
    Posted on Sun, Mar. 10, 2002     
    By Jim Krane
    Associated Press
    
    For malicious computer hackers and virus writers, the next frontier in
    mischief is the mobile phone.
    
    A phone virus or ``Trojan horse'' program might instruct your phone to
    do extraordinary things, computer security experts say.
    
    ``If a malicious piece of code gets control of your phone, it can do
    everything you can do,'' said Ari Hypponen, chief technical officer of
    Helsinki-based F-Secure, a computer security firm. ``It can call toll
    numbers. It can get your messages and send them elsewhere. It can
    record your passwords.''
    
    As cellular phones morph into computer-like ``smartphones'' able to
    surf the Web, send e-mail and download software, they're prone to the
    same tribulations that have waylaid computers over the past decade.
    
    ``We should think of cell phones as just another set of computers on
    the Internet,'' said Stephen Trilling, director of research at
    anti-virus software maker Symantec. ``If they're connected to the
    Internet they can be used to transmit threats and attack targets, just
    as any computer can. It's technically possible right now.''
    
    In Japan, deviant e-mail messages sent to cell phones contained an
    Internet link that, when clicked, caused phones to repeatedly dial the
    national emergency number -- equivalent to 911. The wireless carrier
    halted all emergency calls until the bug was removed.
    
    In Europe, handsets' short message service, or SMS, has been used to
    randomly send pieces of binary code that crashes phones, forcing the
    user to detach the battery and reboot. A new, more sinister version
    keeps crashing the phone until the SMS message is deleted from the
    carrier's server.
    
    In the United States, relatively primitive cell phone technology keeps
    users immune from such tricks, for now.
    
    Phone hacking is nothing new. In the 1970s, so-called ``phone
    phreakers'' made free phone calls -- and even gained control of major
    phone trunk lines -- by whistling certain tones into the receiver.
    
    ``It was easy,'' said John Draper, 58, of Stockton. Draper, now a
    designer of computer security software, is still known as Captain
    Crunch for pioneering the hacking of phone networks with the help of a
    plastic whistle that came in a box of the eponymous breakfast cereal.
    
    ``You could control the entire network, do anything an operator could
    do,'' Draper said.
    
    Now, at least three software companies have released personal security
    software for emerging smartphones, girding for a new wave of phone
    viruses and Captain Crunch-style tricks.
    
    Hypponen's F-Secure is one such firm, selling anti-virus and
    encryption software for smartphone operating systems made by Palm,
    Microsoft and the Symbian platform common in Europe.
    
    Thus far, there have been no publicized reports of phone hacking or
    viruses, although viruses have attacked handhelds running the Palm
    operating system. Microsoft predicts deviant code will soon emerge for
    handhelds running its Pocket PC software. Both operating systems are
    expected to be used increasingly in smartphones.
    
    A virus is a piece of malevolent code that self-replicates, while a
    Trojan horse does not but can be just as destructive. The pranks in
    Europe and Japan created virus-like havoc, but did not propagate like
    a full-fledged virus.
    
    For virus writers who crave notoriety by wreaking maximum havoc, there
    are still too few smartphones, and no widespread software platform to
    attack, Hypponen said.
    
    That is starting to change.
    
    Until recently, cell phone operating systems were ``closed,'' unable
    to download software. But new smartphones -- like the Nokia
    Communicator, Handspring's Treo, Motorola's Java Phone and
    Mitsubishi's Trium-Mondo -- are open to such third-party downloads.
    
    At the same time, software developers' tools available for designers
    of such programs as games and currency converters can also be used to
    create malicious applications, Hypponen said.
    
    ``It's possible for anyone to make custom software for this
    platform,'' he said. ``Teens can download development tools and write
    their own software.''
    
    It's these third-party programs that worry experts. If one is
    disguised as a Trojan horse, an infected phone could make some calls
    on its own.
    
    In a speech at a cell phone conference in France last month, Hypponen
    cited a Slovak Web site, virus.cyberspace.sk, that posted a bulletin
    exhorting readers to create phone viruses.
    
    `` `We are starting Cell Phone Virus Challenge. Any contribution
    welcomed,' '' Hypponen quoted the notice as saying. The page has since
    been taken down.
    
    Soon, mobile phone owners will be obliged to install security software
    like ``personal firewalls'' that used to be reserved for Internet
    servers, said Prakash Panjwani, a senior vice president at Certicom, a
    computer security firm in Hayward.
    
    ``That's where things are going,'' said Panjwani. ``It's the same
    threat as the wired world: people posing as you, stealing your
    identity or your personal information, and using your information for
    malicious purposes.''
    
    Cell phone users can avoid this, of course, by sticking with their old
    ``dumb'' phones, said Alan Reiter, a wireless consultant in Chevy
    Chase, Md.
    
    ``There are trade-offs,'' said Reiter. ``Do you want a phone with a
    tiny monochrome screen where you can only make phone calls? That's
    much more secure.''
     
    
    
    -
    ISN is currently hosted by Attrition.org
    