Mobile phones: An ear full of worms

DUSSELDORF, Germany -- They're coming to mobile phones -- those nasty viruses, worms and Trojan horses that have, on more than one occasion, crippled PCs. No doubt about that, but will they be as bad?

Some experts believe mobile viruses could be as malicious as their PC predecessors. But some, disturbingly, worry they could be a whole lot worse.

Just consider this: The planet is populated with substantially more mobile phones than PCs, with the gap between the two steadily increasing; and many of these mobile phone customers plan to use their devices as electronic wallets capable of paying for goods and services.

Add to that the fact that mobile phone vendors have opened their once tightly controlled operating platforms to third parties to develop new applications that, in many cases, link to the public Internet.

Now put it all together: millions (and some day billions) of mobile phones with sophisticated banking functions, open interfaces and Internet capability. It's not difficult to understand why hackers, who have honed their skills on PCs over the past decade, are now setting their sights on mobile devices.

"Not fun or fame but money will be the main motive for writing mobile viruses, just as it has become in the PC world," said Andreas Lamm, manager of the German office of Russian antivirus company Kaspersky Labs Ltd.

So far, the attacks on mobile phones have been few, around 10, and relatively harmless. They have targeted primarily, but not exclusively, new smart phones that use open platforms such as Microsoft Corp.'s Windows Mobile or the combination of Nokia Corp.'s Series 60 interface and Symbian Ltd.'s operating system.

Smart phones offer users many functions, such as e-mail with attachments, game downloads or Bluetooth wireless networking, an environment full of potential for viruses, worms and Trojan horses. These are terms for programs designed to do malicious things to computers, and are sometimes collectively called malware. The terms, which are sometimes used interchangeably, describe the way the malicious program is delivered to a computer.

Trojan horse programs, like the original wooden horse, appear to be useful programs or gifts but later betray the user. Worms eat their way from one computer to another, exploiting security flaws to find their way in. And viruses infect other files, and travel from computer to computer in the infected files.

First mobile phone worm

In July, Kaspersky Labs discovered the first-ever worm capable of spreading to mobile phones. Cabir is a proof-of-concept worm that uses the Bluetooth protocol to copy itself onto devices running the Symbian operating system up to 30 feet away. It is transmitted as a Symbian installation system (SIS) file and disguised as a security utility called Caribe. When the infected file is launched, the mobile phone's screen displays the word Caribe, and the worm modifies the Symbian operating system so that Cabir is started each time the phone is turned on. An infected phone sends the worm to the first vulnerable phone it finds.

In August, smart phones were attacked by another Trojan horse, Mosquito, which hides in a game by the same name. Once installed, the game causes phones to send text messages via SMS (Short Message Service) to premium-rate numbers in several European countries without the user's approval or knowledge.

And in November, mobile phone viruses surfaced once again, with two related Trojan programs. The first, Skulls.A, deactivates all links to Symbian system applications, such as e-mail and calendar, by replacing their menu icons with images of skulls. Users of affected phones can only send or receive calls.

The more recent strain, Skulls.B, includes the Cabir.B worm and, unlike the first version of the Trojan, can spread to other phones within Bluetooth range. Skulls.B is otherwise similar to its predecessor, using Symbian default icons, which look like jigsaw puzzle pieces, instead of skulls to render applications unusable.

Even if these viruses are few in number, what worries the mobile phone industry is that they're happening -- and with increased frequency.

"We aren't panicking; we're still at a stage where there aren't enough platforms out there for viruses to spread easily," said Steve Babbage, security director at Vodafone Group PLC. "But that won't protect us for long."

Vodafone, Europe's largest mobile operator, has reason to be concerned. The operator is one of many now offering 3G (third-generation) high-speed service to users equipped with smart phones. Most European operators, including Vodafone, paid exorbitant prices for 3G licenses. Understandably, the last thing they want is for a swarm of viruses to undermine that investment.

Enterprise customers are becoming concerned about mobile viruses, too, but they're far from paranoid. "We're only now beginning to see some mobile viruses, and these are quickly being hyped by vendors of antivirus software," said the IT security director of a blue-chip European consumer goods company with more than 200,000 employees worldwide. "There is still a bit of a wait-and-see attitude at our company, but this could change quickly if we ever get hit by a virus. And then, of course, it's too late."

The door to mobile viruses was opened when phone makers, led by Nokia Corp., the world's largest phone maker, decided a couple of years ago to open their platforms to third-party software developers and encourage them to develop applications for new smart phones. The decision was prompted in large part by the industry's push beyond pure telephony into mobile data services, requiring the expertise of developers trained in PC applications.

"We are very interested in promoting third-party applications to create greater choice for users," said Eero Kukko, marketing manager of technology platforms at Nokia, which is giving developers more architecture guidance and access to design libraries and APIs (application programming interfaces). "At the same time, we're enabling developers to develop security software to protect these applications."

Antivirus companies applaud the move.

"We're glad that mobile phone vendors have opened their platforms," said Matias Impivaara, business manager for mobile security services at F-Secure Corp. "The benefits users have from open platforms are much larger than the problems they face on the security side. Security is just something we have to prepare for."

You would expect to hear that from a company peddling antivirus software, but Impivaara has a point: Does anyone really want to abandon new mobile data services -- for security reasons -- to return to voice only?

Hardly. But as mobile phone makers and operators open the gate to the global Internet, they will need to get tough on security, much tougher than they have been in the past, when they enjoyed the protection of closed proprietary systems.

Plenty of activity on the security front is under way.

At the client software level, for instance, Nokia responded quickly to attacks on its new smart phones by signing deals with two antivirus software vendors, F-Secure and Symantec Corp., for subscription services.

For the Nokia 6670, F-Secure provides on-device protection, similar to antivirus protection programs for PCs, with automatic over-the-air antivirus updates for a monthly fee.

Symantec has made its Client Security software available for the Nokia 9500 Communicator and 9300 smart phone, which use the Symbian operating system. As early as a year ago -- in anticipation of problems -- NTT DoCoMo Inc. signed a contract for antivirus software from Network Associates Technology Inc., the maker of the McAfee antivirus product line.

At the hardware level, for example, Texas Instruments Inc. (TI) is building a security platform from U.K. chip designer Arm Holdings PLC into its next-generation mobile processors, following the introduction of hardware-based security in Intel Corp.'s next-generation XScale handheld chips. Arm's hardware security platform, called TrustZone, could become a standard, since Arm's core processor technology powers most mobile phones and newer handheld computers on the market today.

Leading mobile chip makers plan to introduce a hardware-based security concept similar to the one pioneered by Microsoft in the PC world: the Next Generation Secure Code Base (NGSCB), formerly known as Palladium. Schemes put forward by Intel, TI and Arm call for a protected portion of memory -- totally separated from the rest of the processor -- in which applications can be verified and then run securely.

At the infrastructure level, operators have been installing a wide range of equipment to monitor and filter corrupt downloads and spam. These new messaging and content delivery servers are at the edge of their networks, where gateways open to the Internet. Other new technology to detect viruses and repair damage is being deployed deeper inside the network. All of these new systems come on top of the authentication and control systems already in place in mobile phone networks that require users, from the start, to log on and identify themselves via the SIM (Subscriber Identity Module) card in their mobile phone.

"It's really important to defend the network at the edge and not let spam viruses in the front door," said David Staas, director of the antivirus team at Openwave Systems Inc., which provides mobile phone software and messaging technology. "But some will still trickle through. Here is where a second line of defense is necessary."

Openwave, for instance, has developed a system that secures a messaging network at the instant of an attack, preventing spammers from exploiting vulnerabilities while they are being eliminated.

Nokia's infrastructure arm also provides a range of security equipment to operators beyond basic firewall systems. Its Message Protection Server, for instance, filters out potentially harmful e-mail, while its Operator Delivery Server inspects all downloaded content. The Finnish manufacturer is also offering additional security through its mobile VPN (virtual private network) client and SSL (Secure Sockets Layer) encryption for Web-based applications.

As for downloads -- a prime source of viruses -- two new application certification programs aim to ensure quality and, above all, trustworthiness. The Java Verified program was launched earlier this year by several vendors, including Motorola Inc., Nokia, Siemens AG, Sony Ericsson Mobile Communications AB and Sun Microsystems Inc., to provide a unified process for testing and certifying Java-based applications for mobile phones. Two of Europe's largest mobile phone operators, Orange SA and T-Mobile International AG, have since adopted the plan.

The Symbian Signed program provides a service for testing and certifying Symbian OS-based applications that meet a set of criteria. The initiative, which includes Nokia, Sendo International Ltd. and Sony Ericsson, aims, among other things, to ensure a thriving market for trusted applications.

In addition to these initiatives, several other organizations are developing standards for security systems in mobile devices, including the Trusted Computing Group, the Open Mobile Alliance and the European Telecommunications Standards Institute (ETSI).

How effective these security efforts will be remains to be seen, however. For one, users will need to cooperate and should be given the tools to do so. "They should have the ability to set preferences, like their own block list, for instance," said Staas. "They should also be able to set their sensitivity level for spam, say, for high, medium and low control."

For another, operators shouldn't wait for a virus to bring down their networks or, as was the case recently in the U.S., allow abusive spam to potentially scare away lucrative customers.

"The CEO of a big mobile operator with many business customers got a call from the chief executive officer of one of his customers," said Staas. "The night before, this business customer received a text message at 2 a.m. His wife thought it was urgent so she got up and read what turned out to be a sexually explicit text. He was furious."

What's encouraging, from a security perspective, is that "the mobile phone executive turned around the very next day and told his team to make security a top priority," Staas said.

Sometimes, a little spam can go a long way.

Copyright © 2004 IDG Communications, Inc.
