Oh No, "Another" Mobile "Virus"
By Carlo Longino, Thu Feb 24 00:30:00 GMT 2005

Or, how to bluesnarf a phone that doesn't have Bluetooth.


Evidently mobile viruses make great stories. Combine the supposed invasion of America by the Cabir virus with Paris Hilton's latest misadventure and you've got enough FUD to keep the average tech writer busy until summer. Just to reinforce the point, there's nothing to worry about. Particularly for those people getting most worked up about these things.

First, it looks like Paris' problem is that the "secret" password to her Sidekick's Web account may not have been so secret. It's highly unlikely her device itself was hacked, and never mind that her Sidekick -- or anyone else's -- doesn't have Bluetooth: that hasn't stopped some reporters from insinuating or outright blaming her problem on bluesnarfing, with The Guardian even citing a security "expert" boasting how he could use the technique to get Paris' info from outside a restaurant she was in. Just to repeat for the expert's benefit: no Bluetooth. Probably no point in trying to explain it's not a Symbian device either.

Second, it's pretty clear that somebody walked into the store in California where Cabir was "found", and infected its demo phones. It's merely a more modern equivalent of breaking a dummy display model.

No matter how much reporters want it to be the case, there's no story here. Russell Buckley at the Mobile Technology Weblog does a good job of explaining why, highlighting the two most salient points: somebody's got to have a Symbian/Series 60 phone, and one running Bluetooth, to have anything to worry about. This rules out most people, and there's still the fact that users have to OK the installation of an unknown application three times, giving a reasonably intelligent user the chance to stop it in its tracks.

Anti-virus companies' PR people have undoubtedly had a busy week, phoning reporters to offer up their experts for quotes on how we need to lock up our children and batten down the hatches. Though these stories don't do anyone any good, the public's familiarity with viruses, thanks to Windows, makes them big news (regardless of their accuracy). Fact of the matter is, the relevant parties are on the case. New versions of both the Symbian operating system and Nokia's Series 60 platform feature significant security enhancements, and the central role of the mobile operators gives them a much better position from which to attack malware than a wired ISP.

The real story here is just how far carriers will ride this horse to lock down their networks and devices, limiting all sorts of things in the name of security. In this regard, it's sort of ironic that the Sidekick was "hacked", since it's about the most locked-down, carrier-controlled GSM handset in existence. Some are even surmising carriers are happy to see these scares since it gives them a reason to cripple Bluetooth on handsets. How long will it be before we hear a carrier say if you're using Bluetooth, you've let the virus writers win?