Slashdot Mirror


Cell Phones Responsible For Next Internet Worm?

nitsudima writes "The mobile devices you know and love are great for productivity, but they have completely changed the vulnerability state of our networks. Norm Laudermilch tells you why you should be afraid, very afraid." From the article: "The new and largely unexplored propagation vector for malicious code distribution is mobile devices. With 802.11, Bluetooth, WiFi, WiMAX, MMS, Infrared, and cellular data capabilities on almost all new models, these devices provide a wealth of opportunity for the transmission of data. With no notion of user access levels in the compact mobile operating systems, a lack of effective authentication, and no data encryption, these environments are prime targets for the incubation of malicious code."

5 of 109 comments

  1. Bollocks! by Troed · · Score: 5, Informative

    With no notion of user access levels in the compact mobile operating systems, a lack of effective authentication, and no data encryption

    Absolute bollocks. The extreme majority of cell phones are running closed operating systems, and the only exposed APIs are Java (Java ME, MIDP). They are a lot MORE secure than anything else we're currently using - even on our PCs. They contain access levels (only signed applications can access certain APIs without needing to prompt the user), and they store their data encrypted if it's on an exchangeable memory card or else it's stored in the phone's own secure flash.

    The extreme _minority_ of phones so far running less secure operating systems are rapidly shifting in the same direction - look at the latest Symbian version as an example.

    Nothing to see here - move along.

    1. Re:Bollocks! by vasqzr · · Score: 2, Informative


      Absolute bollocks. The extreme majority of cell phones are running closed operating systems, and the only exposed APIs are Java (Java ME, MIDP). They are a lot MORE secure than anything else we're currently using - even on our PCs.

      They're also not very complex, relatively speaking. A cell phone might have 150,000 lines of code as opposed to 20-50 million that Windows might have.

  2. Oh my, what amazing FUD. by Andy+Dodd · · Score: 5, Informative

    So what if phones do more?

    One of the biggest problems in the PC world with respect to virus propagation has been the homogeneous nature of desktop PCs. 90%+ of the desktops in the world (and a decent percentage of servers, especially a very high percentage of servers in small businesses) are running one software architecture (Win32) on one hardware architecture (x86). This means that viruses don't encounter compatibility problems when trying to propagate.

    In the mobile phone market, this is not the case. There are at least three major smartphone software architectures (PocketPC/Windows Mobile, Symbian, PalmOS), each of which runs on multiple hardware architectures. (PalmOS is only on ARM machines unless you count old m68k PalmOS smartphones, but I'm positive PPC/Windows Mobile supports at least 2-3 different CPU architectures and I believe Symbian does too.) Let's not forget the huge variety of "dumb" phones out there, where every manufacturer has their own custom OS and chances are that even compatibility of malware between a manufacturer's phones isn't guaranteed.

    Yes, there are hardware/software abstraction layers such as J2ME and (to some degree) BREW which allow an application to run on multiple manufacturers' phones, but both have varying degrees of sandboxing for those abstracted applications, and in the case of J2ME, compatibility STILL can't be guaranteed. (Look at the sites that offer Java games for mobile phones - many of them have a slightly different download for every phone!)

    Even if the phones didn't have ANY security features built into them at all, the heterogeneous software/hardware environment that phone malware would have to live in presents large barriers to malware propagation.

    --
    retrorocket.o not found, launch anyway?
  3. Re:I want a refrigerator by dnaumov · · Score: 5, Informative
    "In defence of text messaging, in most markets/countries, it's a hell of a lot cheaper, or even free, versus the cost of making a one minute phone call, so it's a highly cost-efficient (not to mention more private) way of communicating."

    Cost isn't even the issue for me; in my case 1 SMS message costs EXACTLY as much as a 1 minute phone call. It's all about the convenience. You can reply WHEN you want and you have time to think about WHAT you actually want to reply. Where I live (Finland), it's not uncommon for the youth to keep their phones on "silent mode" and communicate via SMS.
  4. Not common yet, but they're working on it. by Tool+Man · · Score: 2, Informative

    The bigger threats here might be more related to crossover cases, either on the device or the worm itself. The recent Linux/Windows proof of concept is an example of the latter, though in its infancy. For the former though, there is at least one case where a Windows glitch can be exploited in both PCs and mobile devices. (SANS story) While not common yet, the power of available devices will grow, and costs will decrease. Of course, reasonable policies can help in general; start with trusting nothing, and then make exceptions as needed. The IT folks where I work do have wireless access points set up in the office, but with all available security enabled. Even then, those users are still firewalled off from most of the network. That said, I must say I like my little Palm Treo 650, though I haven't been tempted by Bluetooth yet.