February 18, 2005, CNET News.com: A version of the Cabir virus has turned up in two Nokia 6600s on display in a California cell phone store, in what is believed to be the first “on-the-ground” sighting of the virus in the United States.
In a month filled with front-page stories about breached databases and purloined Social Security numbers, the news item above went unnoticed by most. But experts in the U.S. computer-security industry paid attention—and were alarmed. Created as a test by a Spanish computer researcher, the Cabir virus was designed to infect, via Bluetooth, other smart phones only in close proximity to the original infection. Consequently, many experts doubted that the virus would even reach these shores.
But this new strain was different. Upon reboot, the infected Nokias sought out and contaminated all the compatible phones within range. Thus, users of infected cell phones spread the virus as they moved through airports in large cities. “It was like a digital version of SARS,” says Vincent Weafer, senior director of Symantec Security Response, an information-security and threat-intelligence company based in Cupertino, California.
While the initial damage from the original Cabir virus was minor (it drained the batteries of infected phones), a later virus family called Skulls, which carries Cabir, destroyed some files on infected phones. Ominously, some security experts see this viral outbreak as the opening salvo in a new assault on corporate networks. In the past few years, businesses have gotten reasonably good at defending their networks from traditional e-mail attacks. But hackers may be moving to a mobile battleground—of cell phones, smart phones, personal digital assistants (PDAs), and other portable devices.
Last year, 15 percent of surveyed companies in the United States reported cases of abuse of their wireless networks. To date, more than 9 million people in this country have reported receiving unsolicited commercial text messages on their cell phones. This first wave of wireless intrusions has been relatively benign; viruses have typically been of the harmless, smiley-face variety that PC users first encountered years ago.
But in Japan and Europe, where smart phones are widely used, wireless-borne viruses have gone on the attack. Security vendors have reported cell-phone-launched denial-of-service attacks, “phishing” (tricking consumers into revealing personal information by routing them to a fake Website designed to look like the home page of a reputable company), and browser redirections. “These wireless devices often contain [corporate] passwords and user IDs,” notes Weafer. “The attackers are already getting interested.”
Meanwhile, consumers are getting nervous, thanks to recent data thefts at companies like ChoicePoint and Lexis-Nexis (see “Take My Life, Please,” at the end of this story). Experts say people will be less likely to conduct business with a company over cell phones or PDAs if they’re worried about the security of such transactions. And there is good reason to worry. Symantec, for one, has already identified more than 22 strains of malware (malicious software) designed to attack mobile devices.