A weekly series by United Press International examining emerging wireless telecommunications technologies.
--
CHICAGO, June 25 (UPI) -- A hacker sits on a bench at Grand Central Station in New York City and, with his mobile phone and a Wireless Fidelity connection, deviously places a virus on the cell phones of unsuspecting commuters as they walk nearby, on their way to work.
Within a few hours, the virus multiplies, infecting several hundred thousand phones, causing them to dial long distance numbers and run up millions of dollars in fraudulent telecom charges.
Fantasy? No -- the coming reality. Viruses and worms on mobile phones are now considered by computer gurus to be a legitimate threat that soon may become as pervasive as the malicious codes being sent to PCs via the Internet every day.
"This is going to be a large problem," Mark Komisky, chief executive officer of Bluefire Security Technologies, a wireless software developer in Baltimore, told United Press International.
The first test case for mobile phone viruses debuted last week in Europe. There, a group of hackers developed a code that attacked Nokia mobile phones, using the Bluetooth software, a wireless technology.
The virus even had a name -- Cabir -- and was said to thrive on the operating system technology developed by Symbian.
"This virus, or worm, is being attributed to a group of hackers known as 29a," said Charles Kaplan, an information security officer at VeriSign Inc., an Internet technology company in Providence, R.I.
"That's the hexadecimal for 666 -- or the biblical sign of the devil," he told UPI.
Hexadecimal is a numbering system that uses 16 as the radix, and employs the numerals zero through nine, and represents digits greater than nine with the letters "a" through "f."
The underground group used the software to take over mobile phones in what experts are describing as a proof of concept project for hackers.
There is some disagreement among tekkies as to whether the code is a true virus or worm -- but the fine distinctions may not matter to civilians whose phones are infected by these attacks in the future.
"My opinion on it is that this is the first application that installs itself via Bluetooth," said Adam Laurie, chief security officer and director of A.L. Digital Ltd., located in London.
"I wouldn't go so far as to describe it as a virus," he told UPI. "The end user has to agree to install it. They have to accept the incoming transmission, and allow the installation to take place. But this proves that a wireless application can self-initiate, and that is stage one in making bad things happen."
Wireless phone companies -- such as AT&T, Cingular and T-Mobile -- have fortified their national and regional networks to prevent hackers from penetrating them. Hackers have worked around the problem, though, using local, WiFi network access.
"What was demonstrated is that wireless carrier networks can be bypassed and can propagate worms," Kaplan said.
As computers and mobile phone technologies converge in smart phones -- or whatever name the industry finally settles on for the devices -- there will be a proliferation of this kind of hacking, said Ryan Crum, a senior associate in the Boston security and privacy practice office of PricewaterhouseCoopers.
International Data Corp., the computer consultancy, also in Boston, predicts the market for wireless PDAs and smart phones will grow from 22 million units in 2004 to 100 million by 2008.
"Anytime you have these new embedded operating systems -- like Microsoft CE or Symbian -- there is more potential for attack," Crum told UPI. "Our society is becoming more and more technically advanced. Today, there are even refrigerators with operating systems connected to home networks. Someone is going to figure out how to hack your fridge."
Crum said the problem would probably become much more pervasive for consumers than for companies.
"You can't stop people from clicking on a download if free content is offered," Crum said.
Watch out for other types of attacks in the coming months and years, said Patrick Lopez, a data product manager at Redknee Inc., a software developer in suburban Toronto.
Hackers can try to use text messaging to propagate code to shut down cell phones, or attempt to defraud pre-paid phone card providers and make free phone calls.
Another likely trick is to send a text file secretly to an unsuspecting mobile phone containing the text of an entire novel, like Irish novelist James Joyce's best-known work, "Ulysses."
"That will create memory problems on the device," Komisky said.
People who engage in a mobile phone pastime called "Bluetoothing" are susceptible. It occurs when a user leaves a Bluetooth software-enabled phone or PDA on, and looks to link with other mobile phones in the area using the same software, to have real-time, phone chats with strangers.
"That software leaves the phone in a promiscuous position," Kaplan said.
Many of the suspected hackers are ex-mobile phone company employees, looking for some serious revenge.
"To hack the phones, you need libraries of information and Application Program Interfaces to develop code that will have effect on the code," Lopez told UPI. "Somebody would not stumble across this code accidentally. That requires hardware and software tools to hack into the memory and crack the code. Probably has to be an inside job."
Phone companies are very interested in software that can squelch the creativity of these hackers.
Komisky said he recently learned of a technology demonstration where European hackers were able to steal all the contacts on a person's PDA, wirelessly, in less than 5 seconds.
"And they apparently had only been working on that for a few months," he said.
Software companies are developing anti-virus components for mobile networks, as well as software that will block unwanted Bluetooth components from being uploaded onto mobile phones or PDAs. Experts caution, however, that once a virus is out on the Internet, less skillful hackers could copy it and wreak havoc with new attacks.
"We call them 'script kitties,'" Crum said. "They have no knowledge of how to create the script, or code, for a virus, but they use what is created by knowledgeable guys. A lot of the viruses are like this. They use virus creation tools found on the Internet. It's like paint by numbers -- virus by numbers."
--
Gene Koprowski covers IT and telecommunications for UPI Science News. E-mail [email protected]
