Mabir.A Virus Targets Symbian Phones
adennis writes "Exploiting bluetooth and weaknesses in the OS, the Mabir.A virus, like its predecessor, targets the version of the Symbian operating system running on Nokia Series 60 handsets. Since Symbian is the dominant smartphone OS, found on phones made by Motorola, Siemens, Sony Ericsson, Panasonic and Nokia, this virus could have great impact. Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"
I wonder if the fact that the recent OS X vulnerability is still unpatched after more than 2 months with the Symbian component of iSync is related to this? Would it be possible for an infected mobile phone to use the exploit in the mrouter code on OS X to infect the OS X machine remotely?
So, I guess this is becoming more and more ordinary, writing secure code is not going to happen, and with new ways in (bluetooth, browsing with the phone, wireless access via phone in the future?) and so on I think we just have to rely on autoupdates for every OS with no exception of PAN-devices. Just like we humans have a constant amount of bacteria in our mouths we have to get used to having a constant flow of viruses through our computers/phones/PDAs etc.
A lot of people already have to update their roaming info. Why can't this stuff be updated at the same time? Current phones wouldn't be able to, but I'm sure cellular providers would rather do that than suffer the wireless version of a DOS attack (you know it will happen).
No. It means that the software company doesn't have to put so much effort into security, because they can go back and fix problems afterwards with an update. So they get into a cycle of virus .. patch .. new virus .. new patch ... and many people have viruses all the time. Look at Windows for an example of this.
Of course you need an update system, because you can't guarantee to find every possible security hole before you issue your code, but it's no substitute for good quality code.
Bluetooth is used commonly for things like headsets nowadays, which is particularly useful when driving of all things.
It's kind of like saying that a system is "waiting to be hacked" by having its firewall turned off. A firewall is just one layer of security that's used in order to secure a computer.
Phones are computers nowadays. The phone manufacturers simply cannot use bluetooth being left on as an excuse.
Anyway, I imagine virii like this over the next few years will spark a much greater concern for security within nextgen phones.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Viruses are going to be a problem on Symbian Phones sooner or later; all the manufacturers can do is to make it impossible to run without user stupidity. But now, smartphone users may not think about these risks, because they do not yet acknowledge they own a PDA that can make phone calls as well, not a phone.
What would be useful is to make the users aware of this problem, but this could harm the sales of this relatively new product (I wouldn't be going to buy it knowing of this risk).
"Please execute this program to destroy your system" is what the approach would have to be and doing a hard reset of all of the memory and hotsyncing it would completely wipe the thing out of the system. This is where volatile memory and a somewhat restrictive setup will benefit the user.
I am an experienced commercial software developer on the Symbian platform. I have a strong background in many other platforms and in the context of this message, my anonymity is important since my company can be sued by Symbian just for a biased negative opinion of Symbian made publicly.
Symbian OS is the most expensive platform to develop on. This means more expensive money and time wise. It takes 3 times as many developers to deliver the same product in twice the time as on comparable platforms (brew, iTron, etc...). As for platforms with real development tools such as Windows Mobile, we use ten developers on Symbian to every one on Windows Mobile to produce a lesser product.
Symbian has limited hardware level debugging support (if any at all), they lack so much as a command prompt to log to.
They lack decent compilers and you're stuck with GCC or ARM Realview (neither are that good, satisfactory at best on ARM).
Documentation is awful at best.
A simple program requires you to jump through hoops, more complex sets the hoops on fire.
The emulator environment emulates nothing and simply tries to implement the Symbian UI APIs on Windows and all system level stuff is just layered on Windows. That's fine if you don't need to do anything at the system level.
The development environment is heavily based on CodeWarrior these days. I find this funny since every other company (Nintendo, Sony, Be, Apple, etc..) where Metrowerks had a good footing, the companies found it more profitable to dump CodeWarrior and do it themselves instead. Symbian is the only company stupid enough to choose to rely on Metrowerks, especially with their pathetic resume.
As for security, the fact that anyone could possibly ship a product based on Symbian is a miracle in itself. As for securing it as well, I think you're just asking too much.
I will turn off bluetooth or set my phone's visibility to off.
Setting your phone's visibility to off is not enough to stop attacks.
There are already tools out there that find non-discoverable bluetooth devices. A worm might use the same technique.
"I'd rather have a full bottle in front of me than a full frontal lobotomy"
Just as the predominant, most accelerated technology growth comes out of human conflict (i.e. war), computer security evolves fastest when it is forced to react to real-world situations.
There is no point in asking what their motivation is; heck, I was 16 once too. Plus, nowadays many virus writers are actually commissioned by greater evils, like spam/malware/etc. Compromised (zombie) machines (of any type) can be misused in a variety of ways.
Am I the only one that misses some of the great cell phones that were actually designed specifically to be the best form of wireless voice communication? I sure wish I could buy a new manufacture Motorola StarTac today!! Black-on-green screen - NO crappy color screens. No stupid ring tones. No photo album. No crappy camera. Two-WEEK standby time!! Just a damn good PHONE...nothing else.
/rant
Yes, it is possible. But once your code base grows past the very simplest of functions it becomes very, very difficult.
How difficult? I'm not really sure, to be honest, but I picture a mathematical equation with as many variables as the code itself.
I know there is a branch of programming that says programs can be checked mathematically to "prove" that they will have no bugs, but my understanding is that they've only been able to produce very simple programs relative to your average OS.
TW