10 Emerging Technologies
(Page 9 of 10)
TELECOM Wireless devices catch bad code through the air and then infect supposedly secure computer systems. By Stu Hutson
ValleZ has released a digital epidemic -- or maybe he's delivered an early inoculation.
ValleZ is the online handle of a 24-year-old computer programmer from Spain who, last June, wrote the first malicious program targeting cellular phones, the Cabir worm. Now, security experts fear that the rush to integrate cell phones into every aspect of our daily lives might make them the perfect carriers for digital diseases. Bruce Schneier, founder and chief technology officer of Counterpane Internet Security in Mountain View, CA, assesses the threat bluntly: "We're screwed," he says.
Or maybe not. ValleZ is a member of an international cabal of programmers called 29A, which specializes in malicious software, or "malware." These "ethical hobbyists" send their creations to security labs so that experts can research cures. "[Cabir] was a manner of saying that the antiviral people should be watching out for this," says ValleZ, whom Technology Review tracked down via e-mail.
ValleZ shared the code for his original, nonmalicious version of the worm with other members of 29A. Shortly after, it was passed to a Brazilian programmer who posted his own variation on his website in December. Now, bad guys everywhere are spinning off new versions that are melded with other malware that locks up phones or autodials obscure numbers. As of March, the Helsinki, Finland-based security company F-Secure reported that 15 variations of Cabir had popped up in 14 countries.
Cabir spreads like an airborne disease through Bluetooth wireless connections, a popular means of transferring data at close proximity between cell phones and everything from other phones to car GPS navigation systems. Even antiviral researchers have found themselves worrying that viruses under examination might spread wirelessly to mobile devices outside their labs' doors. Travis Witteveen, vice president of F-Secure's North American division, says his company now runs its main mobile-security lab out of an old military bomb shelter.
The cell-phone worm's task could be as simple as swiping your address book or spewing out costly and annoying text-message spam. Or it could mount a "denial of service" attack on your wireless-service provider by making your phone rapidly dial many numbers in succession. As people start using their "smart" cell phones to tap into computer networks, the damage caused by malware could grow more severe. If, as promised, cell phones soon begin to serve as payment devices, mobile malware that nabs your identity and taps directly into your credit line could follow. Theoretically, a corporate accountant's phone could pick up a worm and, when synched to a PC, let it loose on the company's network, jumbling accounts.
And mobile malware will be able to infect systems not vulnerable to conventional viruses. A car owner could link her Bluetooth-enabled phone to her dashboard computer, so that she can control the phone via buttons on his steering wheel. As she drives down the road, her phone might connect to another in a passing car. Suddenly, her navigation system fails. "This type of threat is probably inevitable," says Schneier. In the future, cars will include computer systems that permit remote diagnosis of problems. They should be kept physically separate from hardware that regulates mechanical systems -- performing calibrations, for instance -- lest a virus cause steering or brake controls to fail.
Protection against this nascent peril is beginning to appear. Symbian, the company whose mobile-device operating system has been targeted by every cell-phone virus so far, has released a version of its software that grants Bluetooth access only to programs tagged with secure digital IDs. Antiviral software is not currently bundled with the software preinstalled on most privately purchased cell phones and so is found almost exclusively in business-issued phones. But companies like McAfee and InnoPath Software are developing easy ways for individual consumers to download antiviral software. According to research firm IDC, spending on mobile security will leap from around $100 million in 2004 to nearly $1 billion by 2008 -- with a significant portion going toward antiviral protection.
ValleZ says he's done coding mobile malware -- for a little while, at least. Of course, that won't stop others from concocting their own electronic pests. Another, completely new and more virulent mobile virus, CommWarrior, was found in late February. It sends out costly multimedia messages but contains so many bugs that it doesn't pose a major threat. The next malicious piece of code, however, may be neither a warning exercise nor a self-defeating pest but a full-bore attack on the wireless world.