Arresting an airborne virus: the mystery of the mobile virus hides inside the ‘perfect storm’ of wireless and internet convergence
The rampaging worms and viruses in the computer world that cause billions in damages may soon spread to the wireless industry as more sophisticated Internet-enabled devices enter the market and customers begin using them the way mobile operators have long hoped for: to surf the Web, download sophisticated applications and send and receive email messages along with their associated attachments.
Security experts say damaging viruses passing to Web-enabled mobile devices and even between computers and mobile devices are not a question of if, but when.
“It’s going to happen,” says Sam Curry, vice president of eTrust Product Management for Computer Associates, a software security provider to enterprises. “More PC-like functions will lead to the opening of threats. New applications and features let us do new things, but they also give the bad guys more hooks to put in more malicious codes into phones.”
Mobile operators have long awaited the arrival of wireless Internet capabilities to save the industry from flattening ARPU resulting from a flattening voice services market. The critical enablers are finally in place. Operators have deployed next-generation high-speed data networks capable of delivering feature-rich applications, phone makers are flooding the market with data-ready devices, developers are recognizing the value of wireless applications and end users have a growing appetite for “always on” wireless connectivity and functionality.
These enablers also make the wireless industry ripe for the same type of virus and worm destruction plaguing the PC world. The doomsday scenarios could leave any wireless executive awake at night. The desktop PC represents the largest security risk for every enterprise today, and mobile phones will clearly become another important target as enterprises rely on them more for critical business functions. The costs, which could reach billions in just two years by some estimates, could come in the form of network fixes, customer care costs, lost service revenues and even churn.
“There are many interesting opportunities for virus writers,” says Jerry Brady, managed security services chief security officer for VeriSign, which has been working with operators to find vulnerabilities within embedded devices. “This convergence with the Internet is creating the perfect storm.”
Hackers could write malicious programs and code to attack networks on many levels. Viruses and worms corrupting call set-up data could disable about one-third of a given carrier’s handset base, permanently destroying the phone or prompting droves of customers to call customer care lines or visit their nearest retail store. Customers unwittingly opening up email attachments in the future or downloading a new game from the Internet could launch a virus with enough bandwidth to take down portions of a carrier’s network. A hacker with a vendetta could program text messages to spam users or automatically dial 911. Malicious software, known as malware, might corrupt enterprise user devices and begin disclosing confidential files or render firewalls useless.
Even more dangerous is the potential for blended threats, says Curry. A worm or virus could spread through multiple platforms, for instance, spreading from an email box to a Linux operating system to an OS platform on a mobile device.
But don’t panic yet. When anti-virus software companies in 2000 discovered rather benign malicious codes targeting Palm devices, many security experts believed that 2001 would emerge as the year of the mobile virus. But they have yet to materialize. During the last four years, mobile viruses have been few, having no material impact on end users or networks. But they have demonstrated that it is possible to create malicious codes for mobile platforms.
NTT DoCoMo, Japan’s largest mobile operator, was caught off guard in 2001 when users complained they were being sent messages that froze their screens and automatically dialed 1-1-0, the emergency number in Japan. Last year, SMS messages targeted at certain Siemens handset models disabled the devices if end users opened them. Researchers have also found a host of security vulnerabilities in a variety of OS platforms, including Palm, Pocket PC and Symbian, say security experts.
The million-dollar question is: When will the wireless industry begin to see a material impact from mobile viruses?
“That is hard to predict,” says Laura Garcia-Manrique, group product manager for wireless security with anti-virus company Symantec, which has been monitoring the mobile space for viruses. “There really isn’t anything preventing malicious code writers from creating a virus today.”
Hackers are primarily interested in writing code that creates widespread damage, says Curry. Devices using more complicated OS platforms such as Palm, Pocket PC and Symbian haven’t proliferated to date.
“Virus writers want victims,” adds Curry. “The hooks are in there and the applications are available, but no one is going to write a virus that will hurt only 2,000 people.”
According to Garcia-Manrique, the mobile industry’s vulnerability to viruses will depend on the answers to these three questions: How big is the installed base of users of sophisticated Internet devices? How connected is the platform? And how open are platforms to third-party developers?
For the first time, mobile devices with complex OS platforms are reaching mass market, enabling enterprise customers to begin looking at mobile devices as business-critical devices, said Garcia-Manrique. In addition, wireless data connectivity is increasing, with more PDAs supporting various flavors of wireless communications, including Wi-Fi and high-speed data networks. Those two triggers are likely to come to fruition within the next 12 to 24 months, she said.
According to research firm International Data Corp., the converged mobile market is expected to increase by more than 800% in worldwide shipments through 2007.
The fact that third-party developers can write applications for mobile platforms creates vulnerabilities to so-called proprietary systems, says Garcia-Manrique. For instance, VeriSign’s Brady says anyone can write a virus or Trojan for a Pocket PC device given the fact that Microsoft began giving away third-party developer kits three years ago.
“The real novelty here is that anyone could write a virus for multi platforms on a variety of networks because of third-party developer kits,” adds Brady.
Fortunately, folks in the mobile world have taken their cue from the vulnerabilities hackers have used to exploit the weaknesses of systems in the computer industry.
Symbian is providing infrastructure to allow network operators and manufacturers to use application signing and revocation for applications downloaded on Symbian devices. This verifies the integrity of applications before allowing their use on handsets, says a Symbian spokeswoman.
Cingular Wireless, set to become the largest mobile operator in the U.S. once its merger with AT&T Wireless is finalized, declined an interview, but released a statement saying that the company has ways to authenticate handset applications.
Java 2 Micro Edition (J2ME) application download technology was designed around security, says David Rivas, chief technology officer for the consumer mobile systems group with Sun Microsystems.
“The virtual machine can be constructed to keep from exploiting bugs or getting at things not meant for general-purpose applications,” he says. “Applications work in a sandbox. We offer signing of applications that guarantee where the applications come from. It prevents rogue third-party developers.”
Sun is in essence testing this concept today, as it monitors the some 250 million J2ME devices for vulnerabilities. “We recognize that at this stage in the game that mobile data services could get a black eye. Handset manufacturers don’t want to see this,” says Rivas.
To say these security measures are foolproof is like “whistling past the graveyard,” explains John Jackson, senior analyst with The Yankee Group research firm. “Unfortunately, there are some bad actors out there. Count on them to look for ways around this.”
And the pressure is on for smart phone designers to continually add greater functionality to devices, increasing the chances of infection. Ultimately, consumers will want their mobile devices to function exactly like their desktop PCs, say analysts. Once customers have the ability to open e-mail attachments and download whatever they want from the Internet onto their mobile devices, they open a new door to potential attacks.
“The more complicated cell-phone operating systems become, the more difficult it will be to test them and find the security holes,” says Anton Zajac, chief executive offer and president of Eset, a provider of antivirus and Internet security software.
Mobile operators can perhaps take solace in the fact their industry is not dominated by one OS platform, creating more challenges for hackers and virus developers, says Andrew Cole, senior vice president with consulting firm Adventis. In the PC world, Microsoft is consistently picked on because it provides the dominant OS, and virus writers want to cause the most damage.
“I expect a lot of stories about a lot of viruses, but the overarching view is that it probably won’t happen as quickly as we might expect in terms of reaching the kind of impact we’ve seen in the wireline side,” says Cole. “That fact that not all of the smart phones are based on Microsoft’s OS platform might make it a bit more difficult for hackers to break.”
Garcia-Manrique agrees, but with one caveat: “Having platforms that are homogenous from an OS perspective makes a difference. Virus writers look for platforms with the most impact. On the other hand, the size of the installed base in the mobile world is expected to surpass the desktop very quickly. It has potential to be very attractive to virus writers.”
Mobile viruses appear to be curse words to a majority of wireless operators and handset manufacturers, all of whom either declined interviews or never responded to requests for information. Security experts say they are clearly concerned, but viruses won’t be top priority until the industry actually sees them.
“There is definitely concern,” says Brady. “Anything that takes away a revenue stream or affects user experience by discouraging them from using fee-based services is a concern for carriers.”
According to some security sources, at least one operator has run a test virus to determine if it could take the network down. It did.
The nature of the wireless industry presents unique challenges to combating mobile viruses, says Brady. Abbreviated user interfaces, multiple OS platforms that range from the very simple to complex and the fact that users don’t manage their devices like computers means carriers must develop proactive methods to combat viruses. Not only must phones incorporate anti-virus software, but carriers should also manage gateways in the network and screen for viruses, he says.
“Phones tend to stay in possession. That means carriers will have to be careful to choose phones from vendors that are security aware,” explains Brady.
Nokia and Symantec recently announced plans to develop a secure client for Nokia’s business devices, beginning with the Nokia 9500 Communicator platform. Symantec plans to offer integrated client solutions for Internet security including anti-virus software, firewall technology, updating services and centralized over-the-air management for Nokia’s mobile devices.
Symantec, Network Associates and other anti-virus software providers already have released products to fight viruses on some of the major smart phone platforms. However, Brady said anti-virus software distribution on handsets would be a tricky process. While desktop users are accustomed to the idea of downloading patches to their computers, mobile users aren’t. “You can’t expect the end user to be part of the security level,” says Brady.
Over-the-air configuration could help solve the problem. Bitfone Corp.’s mProve solution, for example, can modify handset software over the air each time a new software upgrade is available.
The technology is primarily used by vendors such as Motorola to correct software glitches, but is clearly on the radar screens of carriers to deliver updated anti-virus software, said Carla Fitzgerald, vice president of marketing with Bitfone.
Also promising is software developed by mFormation Technologies that allows carriers to watch devices on a network in real time to monitor settings, corrupted files and viruses and send software patches to the devices or lock them to prevent viruses from spreading, says Upal Basu, vice president of marketing with mFormation. The company recently signed a deal with T-Mobile USA, which will use the software to enhance customer service capabilities.
The threat of viruses leaves an uneasy feeling for many in the mobile industry. “Right now, everyone is in unknown territory,” says Janice Baugh, a telecommunications consultant with Dietrich Lockard Group, which makes telecom recommendations to enterprises. “The impact is definitely something that is hard to fathom.”
To catch a hacker
Microsoft recently added a new weapon in its arsenal to fight virus writers. It announced the creation of a $5 million fund to reward people who turn over information leading to the conviction of virus writers.
The operating system giant has already offered rewards of $250,000 each for information leading to the arrest of the authors of three of the most damaging computer viruses in 2003, SoBig, Blaster and MyDoom.
Although two arrests were made in connection with the B and C variants of the MSBlast worm, those responsible for releasing the original worm last summer remain at large. No arrests have been made in connection with the SoBig and MyDoom worms. International law enforcement agencies have difficulty tracing creators of viruses and worms. Few have been caught because the Internet provides anonymity.
Virus writers have many ways to disguise themselves, including spreading malicious programs through unwittingly infected e-mail accounts. Those who are caught, are usually the ones who brag about their accomplishments on the Internet, say experts. Microsoft is hoping this tight-knit community of computer hackers might be persuaded to turn each other in.
Computer Virus/Security Incidents Reported to Computer
Emergency Response Team 2000-2003
Year 2000 2001 2002 1Q-3Q 2003
Incidents 21,756 52,658 82,094 114,855
Source: CERT Coordination Center
COPYRIGHT 2004 Advanstar Communications, Inc.
COPYRIGHT 2004 Gale Group