Slashdot Mirror
Viruses Find A New Host: Cell Phones
An anonymous reader writes "A NYTimes article (free reg) describes the dangers posed by viruses as 3G and text-messaging become more common, inluding an incident in '01 where numerous phones in Japan began calling 110 (equivalent to 911 in the U.S.). Wired mentions 13M vulnerable phones in Japan alone." (And that was a few years ago.)
nothing is safe in this world anymore!
the big AV companies are behind it all....
as mobile phone technology advances. Mobile phone manafacturers need to remember security, and possibly send out fixes for vunerabilities that are free to download.
When anger rises, think of the consequences.
Confucius (551 BC - 479 BC)
After the recent use's of in vehicle mounted cell phones for surveillance I would how long it will be before they (they being anyone legal or not who has a reason to listen) infect your cell phone with snoop and control software.
*chuckle* The next couple of decades are going to be interesting.
Ward
. Silence! Be thankful thy species is unpalatable! .
New York Times Article Registration Free
They are Virii
The internet wasn't designed with security in mind , but these new 3G/4G phones can be.
Isn't this a chance to do things right , rather than repeat the design oversights of the past?
The fact that no one understands you doesn't mean you're an artist.
There should NEVER be an api to mess with the phone numbers and dialing.
keep them seperate from your applications. otherwise you have these silly problems.
--
"I'm not bright. Big words confuse me. But Wanda loves me and that should be enough for you." - Cosmo
Japan should charge the phone company for each fake call to recover costs.
If companies are held financially liable it will force them to do a better job of programming and testing software.
I don't see why the protocol for text messaging can't be set so that only ASCII text is sent and received, making any kind of embedded script pointless. Then again, I don't know that much about cellphone protocols to begin with. It just seems as if it SHOULD be easy to prevent.
This is inevitable. As people buy more and more stupid gadgets, their lives become geometrically more complicated. Personally, I have a cell phone and I use it for... making telephone calls! No stupid wireless web, messaging, taking pictures, or whatever in the hell people are doing with phones these days. You want the stupid gadgets? You're going to pay for it up front in cash, you're going to pay in time to figure everything out, and you're going to pay in headaches. Rarely are new technologies worth the trouble. A computer is good in it's most basic uses, and a phone is good. All of those stupid ipods/pdas/superphones/etc aren't worth it.
Antivirus software makers did this
New year Resolution: Don't change sig this year
Maybe it will stop that idiot from yakking away while swerving at 105 mph on the slow lane
After thinking for a while I guess that phone viruses can be as dangerous as computer viruses, imagine a virus that sends itself to every phone in the address book, calls expensive/international numbers, spams a number till it can't be used any more...
And I think phone viruses are becoming more and more possible through out the advances in phone technology.
The IT section color scheme sucks.
As cell phones became more powerful (and more like PDA's and computers) this was bound to happen. Unfortunately, with the adoption of GSM in the United States, that means the virus in question can be spread to US phones with the same vulnerability, as 911 is equivalent to 110 and 08 on most GSM carriers.
This is also a small part of the reason that the push was made for Java enabled phones, as there is less of a security risk (albeit still a small one) in running Java apps due to the construction of the language.
There is a somewhat heartening end to this story though. Sprint and other wireless carriers provision signed updates to phone firmware all the time over the air. Most times these updates include communications updates for new versions of software running in the MTSO or in the towers, but this sets a welcome precedent: Security updates can be pushed out to all phones of a particular model when they are first released. This way, a carrier will have no customers lingering months or years behind on updates (a la Windows XP and Windows Update) because the customers do not have to have the presence of mind to update manually, nor do they get to pick and choose what updates they want and what updates they don't.
If a virus can make a phone dial the emergency services, it can presumably also make the phone call the premium-rate phone number the virus writer set up in a foreign country. This could get nasty.
Absolutely. It's not a matter of if they can do it, but when they will do it.
Hell, people have had their dial-up sessions hijacked because they were fooled into clicking something that disconnects them from their ISP and redials to an offshore number silently.
Join the TWIT army now!
Who keeps on modding Pingular up?
If this isn't the most blatant karma whoring there is, I dont know what is!
It doesn't even make sense!
Modern IT works like a natural system.
As soon as there is a host that can be infected, in quantities of relative interest, viruses will evolve that can parasite it.
Mobile phones are safe only so long as they are too stupid to act as carries for self-reproducing code.
A good reason IMHO to spurn "smart" phones.
Ceci n'est pas une signature
DoCoMo blocks about 55 percent of the one billion text messages that reach its servers each day because of suspicious return addresses or attachments. Another 26 percent of those messages are blocked by DoCoMo users who have programmed their handsets to turn back unwanted mail or spam.
Looks like the state of the cell phone is getting close to the dire state of the net in Japan.
And the 3G revolution is now coming our way.
Be afraid. Be very afraid. Especially those with a pay-for-incoming-SMS/e-mails (or pay-for-received-data) scheme.
there used to be a hilarious post by you, Pingular, asking mods to mod up your other account posts, Sir Haxalot, so you can post back.
Another proof, how many Google cache posts have you seen lately that use Sir Haxalot style? (Same story text with Google cache instead of links)
And the way you responded to the post, asking for a proof, is a proof in the first place, a non-Sir Haxalot user response would be nothing, or something like "huh, Sir-who?" Note to mods, mod me up please, so everyone gets the chance to know who Pingular is.
nobody cares
meh
http://slashdot.org/~Pingular/fans
http://slashdot.org/~Sir%20Haxalot/journal/
Shouldn't that be viri or virii, or something like that?
if I buy a cell phone then shouldn't it be just that? A cell phone..?
The 3G phones are pretty much going to become the Windows of the cell phone world - Everyone is going to want one because it's pretty and does lots of things... but at a price.
What kind of signs should we be looking for, like when you tell someone not to open .exe's. I wouldn't even know where to begin.
Also, isn't all of the traffic on cell phones documented? Shouldn't the companies be able to find the culprit fairly easily?
Why not allow the five people who actually subscribe to Slashdot review the articles and then note if the article is a dupe or not? This would require the reviewer to actually provide a link to the previously submitted story.
Now the Slashdot staff can remain stupid and come across as being on the ball.
Well, on the bright side, this may be just the shot in the arm Hollywood needs for its horror movies. Now instead of saying "drat, the batteries are dead" when the screenwriters need to get rid of the cell phone for dramatic purposes, they can instead say "drat, my cell phone has a virus!"
Security flaw with MMS discovered - hackers can send you images anonymously and crash your phone!
My phone's gonna crash and the last thing that's going to happen is that I'm going to be Goatse'ed?!
This has already been done. I saw a computer get infected with a virus that did exactly that. It made calls to a computer in Vanitua, I believe.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
Now we will get virus's that will imitate commercials and everywhere you go there will cell phones saying, "Can you hear me now?" Of course the consumer will not have the know-how to remove a virus and their cell phone is to useful to drop in the trash can.
This also brings up...
"Can you hear me now? GOOD! *CLICK*
...is a phone to make calls!
WTF does this have to do with a virus problem?
Oh, I know it. That lame ass crap I never used on my stupid phone... like games and worse crap they build into phones these days... are the reason.
Maybe if there wouldn't be the *STUPID* need for a fucking OPERATING SYSTEM that can play games and CRAP in your phone you wouldn't have problems with viruses?
As long asd we like to bloat simple things with shit, such stuff keeps happen!
Cell phone viruses? Text-message spam? Never seen on- ... hold on, my phone just beeped ... looks like I've got 53 new text messages...
No, make that 67....
Dialers are already a big problem for conventional computers (in Germany for example). Users connecting through any sort of dial up connection get infected and the computer secretly dials a premium number. Once the phone bills arrives the user is in for a big surprise.
We actually some research at my university with bluetooth devices. It seems that if you send a bluetooth enabled cell phone a packet of data that it does not recognize (picture, text file, anything), it will crash the phone and force a hard reboot. We stumbled onto this while doing security tests on the actual bluetooth signal using a test kit.
Honestly honey, I didn't spend $300 calling those triple-X 1-900 numbers. It was a virus.
I used to work for one of the manufacturers, they knew several years ago that the same problems which affect PCs would eventually make their way down to the phones they produce as they added features and ended up with general purpose operating systems on the phones. The problem is that fixing phones is far more difficult than a PC.
It looks like they've decided it'll be cheaper not to bother making them secure. Now, if there was a case for secure computing anywhere, it'd be phones.
Government of the people, by corporate executives, for corporate profits.
Anyone who claims that the Internet, which started life as ARPANET, was not designed with security in mind.... does not deserve a "Score:5, Insightful", that's for sure. Even e-mail was designed with security in mind, it's just that the masses would still rather take e-mail from anyone rather than whitelist incoming mail from trusted networks only.
After all, it's the other person who wants to talk to you...
Government of the people, by corporate executives, for corporate profits.
Reminds me of today's Dilbert:g es/dilbert2003111108929.gif
http://www.dilbert.com/comics/dilbert/archive/ima
If we take a look at DDOS attacks, we see that any computer or network connected to insecure hosts can be made a target of a massive DDOS; they don't have to be vulnerable to any exploit to be hit.
Fast forward to cell phones and viruses; if an infectious DDOS sleeper trojan that targets cell phones appears, *Anything* which interoperates with the cell phone network can be hit. The article mentions 911 / 110 numbers, but it could be other cell phones, landlines, even sattelites.
I'd hate to see a directed, intentional overload could cause a sattelite to malfunction, but it could happen.
In general for DDOS, it doesn't matter if you have a phone which can't pick up viruses if your neighbor does.
RD
What's next? A firewall for cell phones?
Pelé!
The article isn't very clear about what is actually behind this problem. Over in the UK we've had text messaging (SMS, whatever you want to call it) for as long as I can remember - I was actually shocked to hear that most American mobile phone companies didn't use it. Anyway...
Point is, I don't think text messages are really the problem here. I've never heard of anything like this happening in text messages. A text message is a text message - a bunch of text. The cleverest thing I've ever seen done with text is being able to send messages that appear in flashing text, and even that only works on Nokia handsets. The only other remotely clever thing you can do with text messages is ASCII art, and we all know how clever that is.
I can imagine it being more of a problem when you get on to the idea of sending more sophisticated stuff, like video or more complex data. Hence I'm not surprised this has already been happening in Japan, as they are miles ahead of everyone on the mobile phone front.
The way I figure it, is there should be no means for a message to do anything remotely clever to your phone. In the same way that a properly set up mail client won't execute any old attachment, but merely present it to the user, a phone should present data or messages and have some means to keep them away from more sensitive parts of the phones software.
The way I see it, mobile phones have got too complicated for their own good. If you want a phone to make calls (remember the days when that was what a phone did?), then buy a phone. If you want to pick up your e-mail, send files to people, or surf the web, buy a PDA for pity's sake. At least the software for PDAs (Windows CE and it's more recent brethren) has been written with a decent knowledge of OS security in mind.
There's been a couple of murderers and rapists and the like in the UK lately who have been caught based on mobile phone records. A murder trial - two young girls, very nasty - that's currently taking place involves the evidence that one of the victim's mobile phones was switched off outside the suspect's house the evening that the girls went missing.
It's all fairly simple stuff at this stage, though it's kinda the stuff we've been seeing in films for years and scoffing at on the basis that it's "so unrealistic". Just the idea of being able to track where a phone signal for a particular phone number is coming from, and tying that to GPS and the like.
There's also the idea that they keep track of what you talk about on the phone - they start recording if you say bomb or president or whatever, that kind of thing.
It is only going to get worse though, as you say. When phones start doing more interesting stuff, there'll only be more for them to watch you do...
Now why am I not surprised this happened?
[rant]
When you take a device that was originally designed to perform ONE function -- in this context, to be a good portable communications tool -- and you start loading it up with all kinds of useless bloat that is completely UNRELATED to being a communications tool, this is exactly the kind of crap you're going to run into.
Contrary to popular belief, not everyone thinks highly of downloadable ring tones, color screens, web access, gaming capability, or text messaging. I know, because I'm one of them. I would be perfectly happy with a simple, rugged, and RELIABLE mobile phone that was exactly that: A mobile phone, perhaps with the voice-activated calling feature, a good-sized speed dial directory, and the ability to snap into a fixed-mount handsfree cradle in the car.
The last thing I need is a ton of "features" that I don't want, don't need, and DON'T want to have to pay extra for just because they're present. Don't even get me started on the insane "Smaller is Better!" craze. It has served only to give us keypads that are so small that Tinkerbell would have problems with them.
[/rant]
Bruce Lane, KC7GR,
Blue Feather Technologies
The internet was designed with reliability in mind , it's meant to route around disasters ( read : nuclear attack ) to keep communication lines up.
If it were designed with security in mind we wouldn't have to bolt - on such additions as SSL or certificates. These are meant to work around the problems that we face now.
Admittedly these wouldn't be such a problem on a purely military network , where every machine has a static IP and a known owner. But that's not the world we live in , is it ?
The fact that no one understands you doesn't mean you're an artist.
This is Slashdot, I thought it was virii around here?
AT&T is launching its mMode service, turning mobile phones into a sophisticated wireless services platform. Their pitch to developers is "XHTML as the mark-up language of choice, more viral marketing tools and better public exposure." (free registration/questionnaire required). Geeks can debate the supremacy of XHTML, and only a prude is against better public exposure. But which marketdroid is pushing "viral marketing" from the technology source to the users? Which developer will publish the innoculation apps to keep us running in place, in the spam race?
--
make install -not war
most providors require you to turn on international dialing first. Also, if you haven't had your service for more than 4 or 5 months, they also usually require a hefty deposit till you reach that time too.
The Adult Happy Meal - "I'm lovin' it!"
So does this make Nokia the next Microsoft for releasing an insecure OS for cell phones? After all, Nokia's only giving their customers what they want, right?
Their phones and the games that run on them are becoming ubiquitous. Does this sound familiar to anyone? Come on, this HAS to sound familiar. And I'm led to understand that some non-Nokia phones can run Nokia software.
I guess their customers, like Microsoft's customers, have little or no regard for security. I suppose we'll start seeing McAfee for cell phones soon, and it will only be able to catch new cell phone viruses after the fact. But that doesn't matter because McAfee will continue to get fat from selling update subscriptions, and carriers will get fat from the extra air time used to download them. Everyone wins... except the hapless customer. But hey, it was what the hapless customer wanted, right?
Use Evolution instead of Outlook? Bewa
In Japan, it's not 110 for emergencies -- it's 119. Since I'm living in Tokyo right now (actually Saitama, but most people don't know where that is), and I have a page on my wall with a picture of people calling for a fire or a medical emergency, I think I can be trusted.
Or not. My mainboard doesn't have a DRM chip...
- Cloud
Not exactly, but then they don't have any incentive to wipe out viruses permanently, either...
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
have you seen the quality of new homes these days, mine does this all by itself.
There's at least several years before people will be able to write a virus for your mare!
oh my goodness!!!! does it freeze the battery in it's slot too?!!
hold on, it doesn't.
They could do that, but it would be like putting up a big flag saying, "Arrest me!"
Someone, at some point, has to collect the money from that account, and you can bet that no civilized country will be friendly to that sort of scamming.
I found the meaning of life the other day, but I had write-only access.
This is what happens when you make a technology Garden of Eden. Compared to a computer, a cell phone is a paradise: everything is, on the whole, much closer to perfect. Nearly no errors; hardly any bugs.
Cell phones are largely the domain of Joe Sixpack types. And they could fool Joe Sixpack into thinking all technology was as lacking in bugs as cell-phone software.
Luckily, this potentially dangerous belief is soon to be broken... I always thought text-messaging should be punishable by death, so I say let them have it.
The world can be wrong today for once.
Your point? If you WANT a mobile, buy a mobile.
If you WANT a 3G enabled mobile, buy a 3G mobile.
No one is forcing you to use 3G, it is an option, it is a choice, the more choices the better.
If you dont like that choice, dont choose it, simple.
Since newer generations of phones, with new features, are just being made with upgrades to the old OS, that means new bugs and security holes are just being layered on top of older ones...
Anyway, it will probably be for the best when 'standard' phone OS's become mainstream; I would be all for being able to upgrade security/functionality on my phone. IMO, Palm messed up HUGE time on this one- they could have literally owned the small device market.
Manipulate the moderator system! Mod someone as "overrated" today.
The Siemens S55 asks for permission the first time a Java application tries to dial out/make an Internet connection/and so on after running. There's no way around it.
I haven't seen a Symbian mobile in action but I imagine it'll be something similar.
Now Windows Smartphone I'm not so sure about...
Seems to me theres a simple solution to the virus problem on mobiles so heres a few guide lines to who-ever designs phones and software:
1. Dont fucking allow simple text messages or emails to be parsed by any interpreter (microsoft outlook vb *cough*)
2. Do not allow any simple text messages or emails ways to access the phones API, this can be avoided by, for example by removing the line of code in the phones' software that says "if a text message or email contains a command, exicute it"
3. Text messages and emails contain data, this data is to be outputted onto the screen. That is all, do not parse it, do not look for scripts in it, do not do anything with it just put it on the fucking screen.
And finally
4. If you absolutely have to use some sort of scripting language or something similar, make sure it does not have access to any of the phones functions that could potentially do things the user does not want to do, if your not sure what those things are i will give you a clue: anything that could be used against the user do you not understand how simple it is? its not rocket science its not bank vault design its not brain surgery its just simple security fundamentals and common sense and if you cant handle it dont design phone software!
This comment does not represent the views or opinions of the user.
Ref: UTexas
Q.
Insert Signature Here
In the US, a LOT of people can't get cell phone service. Now this issue just takes resources away from the rollout.
Did you ever stop to think that when a company says their network covers 200 million people in the US, they're leaving 100 million people out???