Cell Phones Responsible For Next Internet Worm?
nitsudima writes "The mobile devices you know and love are great for productivity, but they have completely changed the vulnerability state of our networks. Norm Laudermilch tells you why you should be afraid, very afraid." From the article: "The new and largely unexplored propagation vector for malicious code distribution is mobile devices. With 802.11, Bluetooth, WiFi, WiMAX, MMS, Infrared, and cellular data capabilities on almost all new models, these devices provide a wealth of opportunity for the transmission of data. With no notion of user access levels in the compact mobile operating systems, a lack of effective authentication, and no data encryption, these environments are prime targets for the incubation of malicious code."
No, seriously, what aren't they thinking of using cell phones for these days, except maybe making reliable, clear, and simple phone calls? Seems like the piling on of more non-cell-phone features on cell phones is not very well thought out. Couple the lack of security design in these added networking features with the possibility/probability more mobile phones are moving to embedded Windows (at least that's what I've read), potential for network compromise and disaster increases non-linearly (upward).
What I find annoying and intrusive about this is I'm sitting here in my (our) internet universe working hard to make it reasonably sound, and these entrepreneurs trump that work with their one-off, disposable technology. So, I (we) eventually take the big hit for their irresponsibility. Sheesh, in every major park I've visited there's a requirement for pet owners to clean up after their pets, it'd be nice to see similar structure here.
When they're designing these phones, and these networks, and what and how the phones work, does anyone in the room bring up the notion these phones first and foremost should be phones?
In haste to be the first with the new features it seems the ramifications of what and how they add are considered little, if at all. It's money grabbing, and let the chips fall where they may, as long as the manufacturer is first and fastest with the latest new features. Sick.
I find it ironic, paradoxical(?), one of the features so darling and network centric is text messaging. I've referenced this before the T-Mobile Sidekick got written into an episode of Gilmore Girls where Rory carried on a "conversation" with Daddy about arrangements to attend a function. I'm waiting for the next great headlines where someone discovered the newest and fastest way to communicate with one of these devices -- you can actually dial a number and talk to the other person!!!
As for the "The mobile devices you know and love are great for productivity" statement, give me a break. Firstly I don't "love" them, and if by "great for productivity" you mean: great for interrupting the social flow of interaction; great for rude behavior; great for ignoring real world, then, okay, great! Not.
(And, for those who feel they must beat me with their clue sticks, no thanks on advice about how to get phones that are just phones -- been there, done that... I know how to get around the system, I just don't think I should have to.)
Yeah, if I was a virus-writer, I'd definitely bank on infrared to distribute my malware. psha!
I remember how SARS almost killed off the human race too. And remember Y2K? I'm glad I had a bunker for that one! Oh, and West Nile! And remember how sick we all got from Mad Cow Disease? I'm just glad I have my duct tape and plastic bags.
With no notion of user access levels in the compact mobile operating systems, a lack of effective authentication, and no data encryption
Absolute bollocks. The extreme majority of cell phones are running closed operating systems, and the only exposed APIs are Java (Java ME, MIDP). They are a lot MORE secure than anything else we're currently using - even on our PCs. They contain access levels (only signed applications can access certain APIs without needing to prompt the user), and they store their data encrypted if it's on an exchangeable memory card or else it's stored in the phone's own secure flash.
The extreme _minority_ of phones so far running less secure operating systems are rapidly shifting in the same direction - look at the latest Symbian version as an example.
Nothing to see here - move along.
it's in my head
Norm Laudermilch tells you why you should be afraid, very afraid.
I realize the submitter was probably joking, but has anyone else noticed that the same sentiment is exactly what comprises 90% (number pulled out of thin air) of media stories these days?
When I look at how people allow their focus to be interrupted by mobile devices I'm not so sure that they are really helping people's productivity.
UNIX/Linux Consulting
So now the obnoxious windbag annoying everyone on the bus can also be transmitting virii to everyone, too! Yet another victory for the annoying.
If brevity is the soul of wit, then how does one explain Twitter?
Says somebody who has clearly never programmed a mobile phone.
The vast, vast majority of consumer phones are not the so-called "smartphones" that run traditional operating systems like Symbian or Windows, they run proprietary operating systems that have no publicly known names and do not export any APIs, except for J2ME or possibly BREW.
As an aside, J2ME consumer phones are often just as "smart" as larger, more powerful phone/PDA hybrids ... my own does calendaring, web access, has an IMAP client built in, is themable, plays music and videos, and has a 500mb flash storage facility amongst other capabilities. Yet by the standard definition it is not "smart".
Anyway, J2ME has many flaws, but security is not one of them. If somebody finds a programmatic way to compromise a J2ME phone in the next 5 years then I will be very surprised. These things have no concept of processes or users, which is great, because this sort of security confuses the crap out of pretty much anybody who isn't steeped in UNIX security lore. Instead they rely on constructing (with a bit of help) a mathematical proof that the Java programs they're running don't compromise type safety, and then either interpret them or on Jazelle-based phones run them direct on the chip. This is safe and allows for a very flexible and intuitive form of security.
The absolute best you can do on these things is social engineering or exploiting piss-poor UI (which is what Cabir does). To claim you could "infect a cafe full of phones" is ludicrous: most people don't even have Bluetooth switched on as many phones disable it by default.
...if the Antivirus companies are to be believed.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Assumption failure at line 1.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
http://www.technewsworld.com/story/49559.html
http://www.marketwire.com/mw/release_html_b1?release_id=103461
Pretty easy to transfer money if you can p0wn a phone...
I'd better get started right away!
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
So in the future when I dial a phone number, all of a sudden I will be sent to a phishing device asking me for my credit card and social security number?
The future is looking up!
He who knows best knows how little he knows. - Thomas Jefferson
So what if phones do more?
One of the biggest problems in the PC world with respect to virus propagation has been the homogeneous nature of desktop PCs. 90%+ of the desktops in the world (and a decent percentage of servers, especially a very high percentage of servers in small businesses) are running one software architecture (Win32) on one hardware architecture (x86). This means that viruses don't encounter compatibility problems when trying to propagate.
In the mobile phone market, this is not the case. There are at least three major smartphone software architectures (PocketPC/Windows Mobile, Symbian, PalmOS) each of which run on multiple hardware architectures. (PalmOS is only on ARM machines unless you count old m68k PalmOS smartphones, but I'm positive PPC/Windows Mobile supports at least 2-3 different CPU architectures and I believe Symbian does too.) Let's not forget the huge variety of "dumb" phones out there, where every manufacturer has their own custom OS and chances are that even compatibility of malware between a manufacturer's phones isn't guaranteed.
Yes there are hardware/software abstraction layers such as J2ME and (to some degree) BREW which allow an application to run on multiple manufacturer's phones, but both have varying degrees of sandboxing for those abstracted applications, and in the case of J2ME, compatibility STILL can't be guaranteed. (Look at the sites that offer Java games for mobile phones - Many of them have a slightly different download for every phone!)
Even if the phones didn't have ANY security features built into them at all, the heterogenous software/hardware environment that phone malware would have to live in presents large barriers to malware propagation.
retrorocket.o not found, launch anyway?
"I've spent a lot of time, money, and effort to build and acquire devices that make it so I don't have to talk to other people. Actually talking is for sales people and MBAs."
And IT, whose counterpart is in India.
Let's explore cell phones for viruses. How about we clean up the 100k viruses on Windows. Sounds like someone is getting free marketing for their new startup.
It's sad so many retards get all worked up over something so insignificant. 58 million people die every year. That number will only go up unless we're dying as a species. When a disease or natural disaster or attack approaches 1/100th of this is the time to freak out. Not at 1/1,000,000.
Appeals to emotion never enhance the issue, by the way.
Man, you really need that seminar!
So, I (we)
you mean, Wii?
Call me a stickler for semantics, but is it right to suggest cellphones could be "responsible" for the worms? Isn't that a bit like saying cars are responsible for car wrecks? I thought the writers of the worms were the ones responsible for the worms.
"It's sad so many retards get all worked up over something so insignificant. 58 million people die every year. "
Only humanity would see 58 million deaths as "insignificant". No wonder genocide comes so easily to us.
"Appeals to emotion never enhance the issue, by the way."
Appeals to apathy don't work either.
It's really sad how many phones get landfilled, most of them still work fine, even have a good battery. I'd be more likely to consider a phone that was built to last, focused on simple things like being pleasant to use and high voice quality. Oh well, if I won't buy a new phone every few months I'm not who they're designing these things for. Works for me!
Man, you really need that seminar!
So as I scan the responses here the overwhelming message is that cell phones are secure because they are closed-source and their code isn't published anywhere.
That's a new sentiment to hear on /.
You never really know how close to the edge you can go until you fall off.
Really. This article is just media over-hype. Should we be afraid? Not really, just concerned. But I don't think anyone should get at all upset about this.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
The quick time to market model necessary to compete in the fast-paced world of mobile phones and the lucrative potential of exploits that call/text premium rate numbers means we're gonna get insecure firmware with plenty of black hat wannabes trying to create exploits.
Before we had internet access universally and virus protection, protecting against floppy disk based viruses was a real issue on vulnerable OSes; you could have an antivirus program but you didn't get the definitions updates or OS/software patches. I suggest that we're at the most vulnerable stage now - we have local technologies like Bluetooth and IrDA in our phones for quick transfer of exploit code and we've got big, complex firmware, without the universal availability of a fast method for delivering firmware updates or other protections such as 3G.
Since I was on an e-mail thread today at work about McAfee antivirus being available for some of the mobile platforms my company provides.
My phone rarely works anyway and if my experience is an indication, any malware that gets through will have to deal with static and dropped connections every 20 feet. Nothing to worry about here. Thanks Verizon!
802.11 is the only real threat for now. 802.11 is the only widely adopted standard. Everything else is niche market or platform specific.
With 802.11 I can take a Nintendo DS with Linux and go to McDonalds, Starbucks, most local libraries and TV stations, and dozens of businesses and port scan and/or brute force the hell out of the place.
If I find an open platform (it could even be the router) I then have the DS pull every bit of info out of it I can automatically. Then go home and look at my booty, like unencrypted passwords, stored in my handheld. Alternatively, I can inject trojans into the system that I am scanning without anyone suspecting.
You say things that offend me and I can deal with it. Can you?
And because of the incompatibility between various phone operating systems, many of these hypothetical phones in cafe will not run identical applications .... or in this case identical viruses and malware.
Because I use cans and a string to talk to people across long distances, and I use pen and paper or playing cards to play games. For music, I sing, and for moving pictures I draw flipbooks!
Web 2.0 == Giant Blogspam Circle Jerk
With the capability model, apps have to be signed to use potentially dangerous APIs.
What is the process for a legitimate hobbyist developer to get his or her application signed?
Can you still talk about your perimeter security with a straight face? If you have even one employee with a mobile device connecting to your network, chances are you answered "No" to that last question. The mobile devices you know and love are great for productivity, but they have completely changed the vulnerability state of our networks. Norm Laudermilch tells you why you should be afraid, very afraid.
Can I even say the words "perimeter security" with a straight face? Ha, no. This is a bunch of FUD created by people (or one in particular) who don't have enough work to do over the course of a day.
Sure, mobile devices have a number of transmission channels. It makes them useful. The reason why they are not a real tangible risk is that they are incredibly difficult to configure and operate in a networked mode. Getting a windows mobile phone to connect to a network and do something useful takes about three minutes by hand. Not to mention that their programming API's usually contain a much smaller subset of functions than that of a full blown pc.
Reading through the article there are more outlandish claims such as "The native security features of today's mobile devices are not capable of protecting against attacks like [mobile to mobile propagation], so it would be trivial to infect, say, an entire coffee shop full of Bluetooth phones in just a few minutes."
Right, and monkeys might fly out of my butt. The mobile device market is incredibly diversified. There are so many phones and capabilities that the notion of One Worm to rule them all is preposterous. This also assumes that everyone in the coffee shop has their phone in whore mode, accepting connections from any shiny device that walks by.
He goes on to suggest that "The mobile devices then walk out of the coffee shop and in the front door of corporate offices all over the world, past the perimeter security devices and all other network security protections, cradle to the desktop, and infect organizations in the worst possible spot: at the heart of the network, where security controls are the thinnest."
How? Almost every desktop PC in a corporate network has AV software on it. Any malicious code coming from the handheld would be detected by the AV software. Not to mention that the desktop sync software would ALSO need to be vulnerable.
Let's also examine the likelihood of this occurring: It would require the following scenario: the handheld device has a flaw that allows the transfer and execution of malicious code, the infector and the infected must be of the same type, they would also both need to have BT or Wi-Fi enabled, though I suspect that BT is much more a risk than wi-fi (most mobile devices don't provide services via wi-fi, but they do via BT). The virus would also need to behave itself such that the OS won't crash. Usually upon infection there are obvious signs of corruption. Slow downs, crashes, restarts. Then corporate man/woman would need to plug his/her device into his PC. From here the handheld may, or may not have a bridged connection directly to the network. Alternatively the handheld might be able to exploit a hole in the sync software such that it can remotely execute code on the host desktop. Finally, the handheld would execute a PC based worm that would not be in an up to date virus def. file.
Is it just me or does it seem like the planets need to align nicely for this to work?
I find it ironic, paradoxical(?), one of the features so darling and network centric is text messaging.
Text messaging is the equivalent of someone coming to you and telling you to give them money for something you've already paid for. What people don't understand about this technology is that they are getting nothing for something. In the time it takes for you to utter "Hello World!" with your voice, you could send hundreds of text messages in the same data stream. So text messages are essentially "free" from the cell providers point of view, yet they are charging us extra for it.
It seems these days that people understand less and less about how technology works and companies are able to take advantage of that fact. In fact there is a fair amount of downright "confusion marketing" going on so that the consumer can never be knowledgeable about what they are actually getting for their money. If I can charge you $40 for the basic service and $10 more for an added service that doesn't require any more technology than the basic service (or less in the case of text messaging), then consumers are getting ripped off.
I'm actually dumbfounded as to why no one seems to care about things that are going on in the world these days. Oh sure, gas is above $3.00 a gallon, but that is a highly visible and tangible substance. What about the price of bottled water, or sugar water for that matter? No one seems to care. In fact, the business of selling so called "energy drinks" is escalating out of control.
If you actually care about the price of gas, then you should be downright "ticked off" that you are being charged extra for text messaging.
In fact, why in the world don't prices drop further for established services? Why do all your typical monthly bills seem to bottom out at around $20 to $30 (a single person, living alone). Why are they all about the same, even for completely differing services. Ever notice that you will never get an electric bill for less than $30 dollars? Why doesn't a land line phone only cost $5.00 a month in 2006? If I get a bill for $30 dollars a month, and so do 100 million other people, then that's 3 billion dollars a month going somewhere? So where?
Over the past 20 years we've seen technology prices tumble. A PC that once cost $5000 now costs $400, and it can process 10,000 times more information. Fiber can now support millions of connections at data rates hundreds of times greater than 20 years ago. Yet, our bills seem to keep going up. Why?
Why don't MMORPGs cost only $1.00 a month? Why do most subscriptions to almost any service all range from $10 to $40? Why do we pay around $1.00 for 3 Meg of compressed audio file (just bits) when we don't get anything at all material?
Companies are making more these days, and squeezing more out of consumers than ever before and few seem to care. So in this respect I'm quite happy to see the price of gas rise. Serves us right.
Just my 2 cents.
I think it's completely retarded. But I'm in a tiny minority in the US.
Man, you really need that seminar!
that is funny because paid engineers have enough trouble getting all of these protocols and devices working, what makes you think a phisher/hacker has a chance of getting something working on all of these protocols and the 1000's of phone models out there?
When I read this phrase, it was pure sarcasm. Maybe my attitude colored my interpretation, but I was sure of its humor.
Man, you really need that seminar!
I'm not even worried about cell phones transmitting virii - I'm far more concerned with how slow current cell phones are. My *OLD* Nokia phone from six years ago dialed numbers far faster, responded the very moment I pressed a button on the phone, and there was no perceptible lag at all. Change providers, "upgrade" to a Kyocera Phantom, it takes at least four seconds after hitting the call button to actually see the screen shift, THEN see it try to connect, generally making the attempt to dial out take upwards of half a minute. Very disappointing. Older cell phones were faster, far more secure (namely because of the lack of "features") and were far less of a hassle. I want to see a cell phone company that does nothing but cell phones, for nothing but calling. No camera, no MP3 player, no stupid annoying bleep-bleep walkie-talkie (Real people get a GMRS License for that,) and by far no loud annoying polyphonic ringtones. Plain, simple, easy, fast SERVICE.
Sadly the norm for most companies these days is to whore themselves out to the "must have it" minded people.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
The problem is, you would have had a lot of trouble typing that message if computers didn't have keyboards added to them (instead of just punched tape), or VDUs instead of just a printer... I imagine that there were people in IBM who'd just thought 'Christ, we've shipped 12 of these buggers, that's twice as many as we thought we would', and never thought we'd ever get rid of tables and slide-rules. Some pieces of technology get used in different ways as new uses are found, until they barely resemble their ancestors.
;)
;)
So, exactly how much code-breaking is your computer doing at the moment?
You should see them as a personal communication device, and stop thinking of them as a phone in your house with a very long cord. A landline is a communication device that is limited to a single location, and so has very different requirements and usage to a mobile.
On your point about text messaging, you're missing one of the key problems of mobile communications, namely that speech isn't always the best method of communication.
A simple example of voice being inferior is in a loud environment, such as a bar, club, etc.
Sometimes it's also easier to type than to talk. Giving a phone number over the phone is a good example of this problem.
Sometimes it's more socially acceptable to send a note than to grab someone's attention. Phone calls interrupt, but messaging doesn't.
People are generally more reactive, but not any more effective. Things are generally more ad-hoc with far less forethought and planning. Is anyone skilled in the art of writing a letter anymore? Nope, we're the cut'n'paste generation
Anyway, I ramble. Back to the point.
Security is a concern, although it's one that's rapidly being addressed by the networks and manufacturers. There's one take on the problem here
So, while it does need to be addressed, the industry has no desire to have the problems of the PC market, and are working hard to avoid such problems.
Well, that's my tu'pence
Actually, signed apps can't access restricted APIs either without the user's permission. The difference is that the user can choose "don't ask this question again" if the app is signed.
You are spot on about the story being bollocks though.
In the Philippines, cellphones are God. During my three week trip, I became close to a couple of women, and they both had their Cellphones, and treated them like family members.
People in the upper middle class in the Philippines - that means they earn about 50,000 pesos a month, or $1,000 - thought of their phones as status symbols. They would happily show them off to me, and I was suitably impressed. The technology was much, much nicer than what I saw routinely in the US. Everyone had nice cameras, big color screens and Internet browsing.
One of my favorite people, a banker, had one of these fancy cellphones. It cost her 13,000 pesos (about $260, a fortune in a place where the average income is 200 pesos a month [$4]). She used it to send animated GIF jokes using the multimedia messaging system built into the phone.
Personally, I can't say I like cellphones. They are sometimes useful to have but for the most part they mean annoying interruptions. So the fact that even women who were close to me were tapping away on their phones annoyed me at first. But then I gradually started to see it as part of the culture, and became relaxed about it. I gave the cellphone a name: Celly. I would take pictures of my friends with Celly, and I would ask how Celly was and inquire about her health.
One day my banker friend mentioned that Celly was not feeling well. Apparently it was sending multimedia messages to everyone in her address book. That wasn't the problem; the phone bill for sending those messages was the problem. She asked me what to do, thinking that she would have to take Celly (a Nokia 6630) back to the store.
I told her I might be able to cure Celly for her. We went to the Internet cafe and I did web searches and in time was able to locate f-secure mobile's tool to eradicate the virus. This worked and the virus has not returned. Of course my friend also started being cautious about multimedia messages too, which helped.
Her bill was about US$300. She could afford it but it would require taking money out of her savings. She is currently battling with the phone company over it, and so far, despite competition in the Philippines way beyond what we see here in the US, they have refused to bend. I know most cellphone companies in the US would have taken those charges off the bill, or at least negotiated most of them away, but hers did not.
I think that's an interesting account of the real-world damage cellphone viruses can do. The messages, by the way, were ads for a pornographic cellphone web site which offended many of the recipients.
Like the Blackberry, my T-Mobile sidekick is virus free because it's a closed, proprietary system. Sometimes closed, proprietary systems are the best way to go.
D
The bigger threats here might be more related to crossover cases, either on the device or the worm itself. The recent Linux/Windows proof of concept is an example of the latter, though in its infancy. For the former though, there is at least one case where a Windows glitch can be exploited in both PCs and mobile devices. SANS story While not common yet, the power of available devices will grow, and costs will decrease. Of course, reasonable policies can help in general; start with trusting nothing, and then make exceptions as needed. The IT folks where I work do have wireless access points set up in the office, but with all available security enabled. Even then, those users are still firewalled off from most of the network. That said, I must say I like my little Palm Treo 650, though I haven't been tempted by Bluetooth yet.
Most of the stuff covering how PlatSec works, and how to handle it is available here
Depending on what you want to do changes what capabilities you require. You might not require any at all, and you can still install unsigned software, you'll just get a nice set of warnings about what features it's trying to access.
Getting it signed is a bit expensive for your average hobbyist, but there is a faq here
A software image is typically around 12-30 Meg instead of 2-4 Meg from 5 years ago...so they're a good couple of million lines these days.
;)
Phone programmers are also more acutely aware of how code bloats (with strict budgets for rom and ram), and write much tighter code than windows programmers.
I'm not even going to start on how you count lines of code though
Right, totally stupid; though Bluetooth is a more reasonable attack vector.. but looking at the technical accuracy of the posting (these comments apply to Symbian phones on GSM and WCDMA networks. IS-95 and other older networks lack some of the security features) ..
Add to that cryptographic software verification by default; overly paranoid application design, and you are more likely to find security too tight than too loose. The main question is whether your cell phone provider will let you install all the software you actually want to install.
You might not require any at all, and you can still install unsigned software, you'll just get a nice set of warnings about what features it's trying to access.
The PDFs on the page that you linked suggest that the warnings for most "unsigned sandboxed APIs" happen at install time, which is better than what I had imagined (every time an unsigned program starts).
Windows Mobile includes a checkbox for a network operator (also called carrier or provider) to turn off execution of unsigned code entirely, and almost the entire North American carrier oligopoly turns it on to preserve the revenue stream of each network operator's own online store. Does Symbian OS have a similar checkbox? Based on this page, it would appear that they do:
Another non-surprise, from the PDF that describes the process for obtaining a developer testing certificate:
In other words, people who use Linux or (pre-Intel) Mac OS need to buy a new computer to run Windows just to get a developer certificate. Or is this known to work in WINE?
Though Symbian Signed makes a provision for free software and freeware (but not for "content", defined as works other than software), do network operators respect this? And are there corresponding freeware programs for other platforms? (There's definitely not one for BREW, as the BREW model resembles the video game console development model more than anything else.)
There are so many radio waves in the air these days. It wouldn't surprise me at all if these frequencies are causing mutations and health problems for our future generations. Nobody really cares though, money and the immediate benefits are all anyone really cares about. It's the same situation with global warming and the environment. And by the time we humans realize that we have eradicated ourselves it will be far too late to do anything to save ourselves. Actually perhaps it already is.
there was a bluetooth type "virus" that automatically hijacks phones that had their bluetooth on (caribe virus i think.) though there is a prompt to the users about bluetooth access, many in our country (philippines) got infected and had to reinstall the os in their phones (many repair shops were actually making money charging around $10 to fix.)
this wouldn't be very difficult in mobile phones especially now they are becoming more connected via ip. my friend told me once that he connected his pc to the mobile phone and used the GPRS feature. since an ip is assigned, he is able to access the other phones and i think he was able to look at some files in some phones.
i guess it is just a matter of time where we see in our bills a very big internet charges.
Live your life each day as if it was your last.