Infectious Fear
By David Pescovitz, Thu Jul 15 18:00:00 GMT 2004

Mobile phone viruses, the fear of infection and the reality of protection.


"Mobile phone virus sounds alarm in Moscow!" "World's First Mobile Virus is Not Lethal, Yet!" While the exclamation points are mine, the words are actual headlines from, respectively, The Guardian and Reuters articles published June 16. A proof-of-concept worm had been demonstrated that infects Symbian-based mobile phones with Bluetooth. The wireless public gasped. Computer security experts yawned.

"These devices aren't phones," says Bruce Schneier, author of the classic text Applied Cryptography and the more recent Beyond Fear: Thinking Sensibly about Security in an Uncertain World. "These are computers running cell phone software. And like all computers, they're vulnerable to malicious code."

Of course, the Cabir virus was benign. The worm is transmitted over Bluetooth, but for your phone to become infected, you must accept and install the transmitted file. If you agree to install the code, the phone then displays the word "Caribe" and automatically looks for nearby Bluetooth devices to propagate onto.

Coded by a member of European virus writer collective 29A Labs, Cabir was apparently a "zoo worm," meaning it exists only in a research laboratory. 29a has a long history of firsts--they're credited with creating the first Win64 and .NET viruses. They do it to prove it can be done. In the case of Cabir, an anonymous source -- most likely a member of 29a -- sent the code to Moscow-based antivirus firm Kaspersky Labs as well as Symantec in the US. While there's no evidence of a Cabir epidemic, the antivirus companies and Symbian have preemptively posted directions on how to remove the mal-ware.

Cabir may be interesting as a "first-of-its-kind" milestone, and of course, it's an easy headline for mainstream media. But from a technical perspective, Cabir is just an incremental step. Not only are mobile-phone viruses unsurprising, Schneier says, "they're 100 percent inevitable." He points out that more than 15 years ago, computer scientist Fred Cohen -- who first used the term "virus" in print in a software context -- mathematically proved that it's impossible to write an operating system that's completely immune to viruses.

Indeed, Palm viruses and Trojan horses, malicious code that doesn't automatically reproduce, first appeared several years ago. The security software companies were already ready with products, but victims seemed to be few and far between.

"The anti-virus companies were way ahead of the game," says Rob Rosenberger, founder of the Vmyths.com clearinghouse of computer virus information. "And most of the these threats end up running with their brothers in the land of obscurity anyway."

Of course, the difference though between then and now, Rosenberger says, is the proliferation of wireless-data technology and services. Future smartphone functions, he explains, require a wide variety of devices to speak the same language, at least at some level. A certain degree of homogeneity is essential for the sharing of data, but it also makes it harder to secure the systems.

"Commonality is the real threat," he says. "It's not the Symbian operating system I'm worried about, it's that people need to be able to connect regardless of what operating system their device runs."

Still, viruses don't write themselves. (Not yet, anyway.) Even the most inventive virus writer needs access to the device's operating system. The fact that third-party developers can write applications for smartphones is what makes the devices so powerful. But it also opens smartphones up to any code jockey with the appropriate software developer's kit, including virus writers.

"The downside of openness is the probability of malicious code," Schneier says.

Dumbing down next-generation mobile devices to protect them from viruses would be a step backward to the days when our phones' capabilities were controlled by our carriers. And the benefits of smartphones, Schneier says, far outweigh the risk of infection. Especially when there's an entire industry dedicated to keeping our devices disease-free.

The best advice then? When the time comes, and it will, make sure you have protection for that thing in your pocket.