Are the latest mobile phones too smart for their own good? Once the viruses get to work, intelligence could be their undoing, says Duncan Graham-Rowe

IT LOOKS like any other mobile phone. And you would probably be delighted to be given one. What you would not realise, however, is that it is not quite what it seems. Most of the time it operates exactly like any other handset. But just one call from a particular number and it can be switched on without your knowledge, with no outward sign that it is operating. Everything you say will be captured and sent across the network to the eavesdropper, yet you will have no idea that anyone is listening in.

Right now the only way to get a spy phone like this is to spend about £600 and buy it on the internet. But that is about to change.

The hottest type of handset on the market at present is the "smart" phone - a device that combines the functions of a telephone, PDA, video camera and web browser, all linked to the internet via a high-speed connection that is always on. It's a combination that tech-savvy consumers are finding hard to resist, and sales are taking off. The demand for smart phones jumped 330 per cent last year, and by 2008 sales could hit 100 million a year, according to analysts at Allied Business Intelligence in New York state. But the very capabilities that make these phones so attractive are also their Achilles' heel.

Smart phones have processors, memory chips and operating systems almost as sophisticated as those of a desktop PC. And just as a series of viruses strangled the internet this year, cellphones - and smart phones in particular - are ripe for a virus attack. It could strike any day, security experts warn.

It would be bad enough if viruses and their relatives simply wiped a phone's address book or calendar. But their potential for doing damage is far more serious than that: they could transform a smart phone - camera, internet connection and all - from a do-everything digital organiser into the ultimate bugging device, and your own worst enemy. "It's really just a matter of time," says Charles Brookson, chairman of the security group at the London-based GSM Association, which represents cellphone network operators. "We have to start treating mobile phones of this sort exactly as if they are terminals connected to the internet."

There are already malicious programs out there that target other kinds of hand-held electronic devices. In August 2000, owners of Palm electronic organisers ran into trouble with a "Trojan" called Liberty Crack. A Trojan is a stand-alone program that appears to do one thing while in fact doing something else - probably harmful. Victims of Liberty Crack thought they were downloading a program that would allow them to play Nintendo games for free; what they got was a Trojan that deleted other downloaded programs from their PDAs, even those they had paid for.

A month later, Palms were hit by their first virus, called Phage. Just like Trojans, viruses cannot spread unaided. Instead, they embed themselves in an innocent host file and are activated when the file is opened. Most viruses are designed to do three things: destroy data, copy themselves into other files on the infected device, and spread to other devices. Phage did its damage by deleting programs and user information on the Palms it infected.

Finally there is a third group of rogue programs that if anything are even more insidious. Called worms, they need neither disguise nor carrier to get about the web, because they actively seek out new hosts to infect. Two programs that brought the internet to a near-standstill this year, Msblast and Welchia, were worms.

Now phones are in the firing line. As well as standard cellphone circuitry, a typical smart phone has a processor and memory that allow it to run application programs, which is why it can be an MP3 music player, web browser and email text editor all in one. Other software enables you to take pictures, play games, download and read electronic books and - yes - even make phone calls. But these capabilities come at a price: a phone that is sophisticated enough to execute programs is vulnerable to the sort of attacks that unlucky PDA owners have already experienced.

Indeed, the risk of attack is far higher. PDAs spend only a small fraction of their time in contact with the outside world, so the only way a virus can get in is during the palmtop's occasional connection to a desktop computer to download new contacts or to synchronise diaries. A smart phone, of course, is a totally different proposition. The "always-on" GPRS or 3G connection that comes with nearly all new phones means they spend the whole time permanently plugged into the internet and the big, bad world beyond.

The risk has already proved itself to be real. In June 2000, a worm called Timofonica appeared in Spain. As viruses go, it was pretty harmless: all it did was send unwanted text messages from an infected phone to people in the phone's contacts list. More ominously, in November 2002 the cellphone network operator T-Mobile was forced to install a firewall on its GPRS network in the US when users discovered its high-speed mobile service was being probed by hackers.

It is only a matter of time before someone unleashes malevolent code that does serious damage to phones. Software that will activate a mobile phone's microphone without the owner's knowledge can already be bought online. It should not be difficult to turn one of these programs into a virus that activates the camera in a videophone and uses compression software built into the phone to surreptitiously stream video to a third party.

How important such a breach would be is a matter of opinion. Even if someone were able to remotely activate the microphone or camera in a phone, it would make for pretty poor entertainment most of the time, says Graham Cluley of the antivirus firm Sophos, based in Abingdon in the UK. "All you'll hear is my stomach gurgling, or my change jingling in my pocket," he says.

We know where you live

More seriously, personal data held on a phone could also be targeted. Some vulnerabilities have already shown up. In May 2001, for example, Japanese wireless operator NTT DoCoMo recalled 1200 of its new, high-speed 3G mobile phones because their software had been modified by one of its subcontractors without authorisation. The result was that data stored on the phones was no longer secure.

Viruses could easily make use of similar vulnerabilities. In lab demonstrations, Ollie Whitehouse of digital security firm @Stake of Cambridge, Massachusetts, has run a Trojan program that downloads to a phone when the user clicks on a link in an SMS text message and then sends the contents of a user's email inbox to another device via SMS. He says the same trick works for other personal data such as lists of contacts, web browsing history, music files or even credit card details.

Code crackers could also make use of premium-rate online services while the victim unwittingly pays the bill - a trick known as "spoofing". If smart phones can be spoofed, it would be a major blow to the telecoms industry since it was to prevent precisely this sort of crime that the GSM digital mobile phone system was designed in the 1980s.

With the analogue mobile phones that preceded GSM, it was possible, for example, to intercept a signal and copy, or "clone", a phone's identity into another handset. Anyone using the new handset was then able to run up bills in the genuine owner's name. The GSM standard provides security measures such as encryption to prevent this, and they seemed to work - until now.

The link between an ordinary "dumb" mobile phone and the base station, which was the weak point in analogue phones, remains secure, and that stops all but the most determined and highly financed criminal from intercepting your calls to clone your phone. But it is possible to break into smart phones at a much more fundamental level, by exploiting the way their software is designed. For example, a hacker could now spoof a GSM mobile phone through loopholes in the software the phone uses to handle conference calls, says Whitehouse.

And here lies the problem. Smart phones are designed to run third-party code. The principal smart phone operating systems currently on the market are Microsoft's Windows Pocket PC, Palm's Palm OS and Symbian's EPOC. All three manufacturers publish details of how their operating systems work to encourage other software developers to write code that will run on their systems. The strategy has proved its worth for desktop computers: not only does it allow individuals to personalise their devices by installing software of their choice, it also means small software developers can build applications that run on existing operating systems. This openness has played a major part in promoting the growth of the computer industry - but it has also given a few mischievous people the tools they need to write malicious code.

Some parts of the cellphone industry have taken this lesson on board. "Most [operating system] vendors realise the risks perfectly well and have taken precautions," says Mikko Hyppönen of Finnish antivirus firm F-Secure. "When you download any software to your phone they warn the user." But these warnings make no distinction between safe and dangerous downloads. Inevitably, users become complacent and get used to ignoring the warnings, he admits.

Even the small proportion of smart phones that use proprietary operating systems, such as DoCoMo's internet-enabled i-mode phones, are not immune. Though details of the operating system itself are not openly available, these phones all also run programs written in the widely used Java language. And this, says Hyppönen, is where malicious code writers can strike. In June 2000, i-mode users were sent a prank email that claimed to be part of a survey asking people if they would drink from a girlfriend's half-empty cup of coffee if she had a cold. Clicking "yes" made the phone dial the emergency services, and the lines were quickly inundated.

With so many ways to break into cellphones, you might expect manufacturers, network operators and their software suppliers to be rushing to install virus protection. Yet none of the three main operating systems incorporates antivirus software or a firewall, and of the networks only T-Mobile in the US is so far offering a firewall for its GPRS mobile phone users.

Most of the industry seems happy to let someone else take responsibility for this kind of security. "It's a choice we leave to our licensees," says Craig Heath, a product strategist at Symbian. These threats are just the price you pay for an open architecture, he says.

Cluley argues there is little point in trying to protect phones until viruses begin to attack them. Conventionally, antivirus software works by watching for the unique pattern or "signature" of a virus. Once a signature is found, it is distributed to everyone who has bought the antivirus software, allowing the software to block or destroy the new virus (New Scientist, 6 September, p 6). If you have never seen a virus that runs on phones, then you don't know what to look for, says Cluley. You can't do pattern matching on something that doesn't yet exist.

However, some companies are already doing what they can to build antivirus software and firewalls for phones before the viruses arrive. One early attempt was designed to sit on a desktop PC, where it simply scanned files being uploaded to a phone. This is useful while the phone is connected to the PC, but provides no protection from code downloaded directly to the phone or received through an email via GPRS.

Hyppönen's company, F-Secure, has mobile antivirus software that runs on the phone itself and is designed to scan for existing malicious code and for Java-based viruses, like the one that struck in Japan. By taking action against phone viruses now, we could stop an epidemic taking hold among mobile phones, he says.

But others think it is already too late. "I'd say in the next 6 to 18 months, we'll definitely see these attacks," warns Whitehouse. If you are lucky enough to own a smart phone, enjoy it while you can.

Source: NewScientist