Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror

Cell Phones Responsible For Next Internet Worm? 109

Posted by Zonk
from the i-guess-they're-tasty dept.
nitsudima writes "The mobile devices you know and love are great for productivity, but they have completely changed the vulnerability state of our networks. Norm Laudermilch tells you why you should be afraid, very afraid." From the article: "The new and largely unexplored propagation vector for malicious code distribution is mobile devices. With 802.11, Bluetooth, WiFI, WiMAX, MMS, Infrared, and cellular data capabilities on almost all new models, these devices provide a wealth of opportunity for the transmission of data. With no notion of user access levels in the compact mobile operating systems, a lack of effective authentication, and no data encryption, these environments are prime targets for the incubation of malicious code."
This discussion has been archived. No new comments can be posted.

Cell Phones Responsible For Next Internet Worm?

Comments Filter:
  • by yagu (721525) * <yayagu@noSPaM.gmail.com> on Friday April 28, 2006 @12:21PM (#15222170) Journal

    No, seriously, what aren't they thinking of using cell phones for these days, except maybe making reliable, clear, and simple phone calls? Seems like the piling on of more non-cell-phone features on cell phones is not very well thought out. Couple the lack of security design in these added networking features with the possibility/probability more mobile phones are moving to embedded Windows (at least that's what I've read), potential for network compromise and disaster increases non-linearly (upward).

    What I find annoying and intrusive about this is I'm sitting here in my (our) internet universe working hard to make it reasonably sound, and these entrepreneurs trump that work with their one-off, disposable technology. So, I (we) eventually take the big hit for their irresponsibility. Sheesh, in every major park I've visited there's a requirement for pet owners to clean up after their pets, it'd be nice to see similar structure here.

    When they're designing these phones, and these networks, and what and how the phones work, does anyone in the room bring up the notion these phones first and foremost should be phones?

    In haste to be the first with the new features it seems the ramifications of what and how they add are considered little, if at all. It's money grabbing, and let the chips fall where they may, as long as the manufacturer is first and fastest with the latest new features. Sick.

    I find it ironic, paradoxical(?), one of the features so darling and network centric is text messaging. I've referenced this before the T-Mobile Sidekick got written into an episode of Gilmore Girls where Rory carried on a "conversation" with Daddy about arrangements to attend a function. I'm waiting for the next great headlines where someone discovered the newest and fastest way to communicate with one of these devices -- you can actually dial a number and talk to the other person!!!

    As for the "The mobile devices you know and love are great for productivity" statement, give me a break. Firstly I don't "love" them, and if by "great for productivity" you mean: great for interrupting the social flow of interaction; great for rude behavior; great for ignoring real world, then, okay, great! Not.

    (And, for those who feel they must beat me with their clue sticks, no thanks on advice about how to get phones that are just phones -- been there, done that... I know how to get around the system, I just don't think I should have to.)

    • by Captain Splendid (673276) <capsplendidNO@SPAMgmail.com> on Friday April 28, 2006 @12:31PM (#15222244) Homepage Journal
      In defence of text messaging, in most markets/countries, it's a hell of a lot cheaper, or even free, versus the cost of making a one minute phone call, so it's a highly cost-efficient (not to mention more private) way of communicating.

      After that, it's all bloat as far as I'm concerned.

      Disclaimer: I'm still cell-phone free.

      • by dnaumov (453672) on Friday April 28, 2006 @01:24PM (#15222643)
        "In defence of text messaging, in most markets/countries, it's a hell of a lot cheaper, or even free, versus the cost of making a one minute phone call, so it's a highly cost-efficient (not to mention more private) way of communicating."

        Cost isn't even the issue for me, in my case 1 SMS message costs EXACTLY as much as a 1 minute phone call. It's all about the convinience. You can reply WHEN you want and you have time to think about WHAT you actually want to reply. Where I live (Finland), it's not uncommon for the youth to keep their phones on "silent mode" and communicate via SMS.
    • you can actually dial a number and talk to the other person!!!

      I've spent a lot of time, money, and effort to build and acquire devices that make it so I don't have to talk to other people. Actually talking is for sales people and MBAs.
    • When they're designing these phones, and these networks, and what and how the phones work, does anyone in the room bring up the notion these phones first and foremost should be phones?

      Well, they would if they weren't busy fiddling with their Blackberrys.

      In haste to be the first with the new features it seems the ramifications of what and how they add are considered little, if at all. It's money grabbing, and let the chips fall where they may, as long as the manufacturer is first and fastest with the

    • No, seriously, what aren't they thinking of using cell phones for these days

      Phone calls.

      This may be because I'm from the US, and we get the crap phones here from what I hear. The UI on these things gets worse every year. I wish there were "open" phones with a free SDK so I could make the UI worthwhile. My current phone is pretty simple, so I can tolerate the numerous issues I have with it, but are these people on crack when they program these things?

      My phone is paid for by my employer and is "part of my
      • Good rant. I'm never getting a phone until they improve the UI to "PC LOAD LETTER" quality or above.

        It's really sad how many phones get landfilled, most of them still work fine, even have a good battery. I'd be more likely to consider a phone that was built to last, focused on simple things like being pleasant to use and high voice quality. Oh well, if I won't buy a new phone every few months I'm not who they're designing these things for. Works for me!

      • My current favorite cellphone gripe: eight levels of volume. For the ringer. To go from "vibrate" to "as loud as possible, w/ vibrate just in case I'm not listening" is like 9 clicks. And of course, vibrate silently plus vibrate w/ maximum ringer should use the same icon.

        DUH. DUH DUH DUH.

        I swear, cellphone UI design must be done by retards.
        • I swear, cellphone UI design must be done by retards.

          I have a feeling its some PHB behind the issues.

          Wow, I forgot to mention that my phone does not have a ring at a moderate level AND vibrate option. Vibrate only works with no volume on the ringer or when the ringer is at full volume. Keep in mind that it took extra code to make it that way vs a simple toggle for vibrate on or off.

          I don't get it.

          • I know we all have our own gripes... I can kind of see the logic in "no moderate volume w/ vibrate" and not having a seperate switch. The former is 'cause they didn't think it would be used, the latter because they wanted to keep it on one physical switch continuum.

            On this phone loud isn't all that loud for the ringer, really. I'd be happier w/ just ringer on/off, *possibly* with a "settings" menu option to change the volume... I don't think people want to always be finessing the fucking volume all the ti
            • Seems that the Japanese people have their cellphone design down pat- a simple phone that only makes phone calls and nothing else(see here [kddi.com] for what I mean) for those who want no-nonsense basics, phones that can switch between "simple mode" and full-function mode for people who want to use all the functions, but want a little help, and full-function phones for the total geeks (I fall into this category). On my phone I have 5 ringer levels, not counting silence, and I can select Light only (flash on my camer
    • So, I (we)

      you mean, Wii?
    • To make this as simple as possible: Everyone makes a cell phone.

      The goal now is to differentiate your product from the 'normal' cell phone. Hence the feature bloat.

      Would you complain that computers are no longer highly specialized code breaking machines and instead have turned into general computing devices?
    • I agree with your well thought out and valid points. However, I think that we should keep in mind the reason/necessity/market for the cell phone. Sure it's to make phone calls, but I don't think it's really that specific or simple. I think the real allure of the cell phone is the convenience and freedom. It's the ability to do more without being confined by wires and offices. Therefore, it only makes sense to add features to devices to increase individual freedom and convenience.

      Having said that, it woul
    • "When they're designing these phones, and these networks, and what and how the phones work, does anyone in the room bring up the notion these phones first and foremost should be phones?"

      What the hell device[s] are you ranting against that are sold as cell phones and can't make calls? Every cell phone I've seen in the past year can make calls. Nobody is going to manufacture a cell phone that can't make calls.

      The reason some idiot engineer doesn't raise his hand at the meeting and say "What about making ca
      • What the hell device[s] are you ranting against that are sold as cell phones and can't make calls? Every cell phone I've seen in the past year can make calls. Nobody is going to manufacture a cell phone that can't make calls.

        I didn't say "couldn't make calls", I added the modifiers: reliable, clear, and simple .

        • I don't find cell phones to be reliable (just completed a cross-country drive, want to guess what the percentage of calls were that were either dropped, unable to connect, or interrupted/garbl
        • I think you are changing your argument a bit here. You were originally railing against extra features that phones have, such as cameras and PIM features. I don't think these features really are imparing cell networks. The first thing you should realize is that PIMs and Cameras in the phone are developed by manufacturers, such as Nokia and Samsung, not Service Providers, like like Cingular and AT&T.

          So if your phone has a calendar on it, but gets lousy reception, and you're thinking that Cingular is wa
          • From a larger perspective, do you seriously think the cell phone network, with moving transmitters in contention for bandwidth with other units, could ever provide similar levels of quality with land lines, where copper wires are run from point to point? I think you are expecting too much.

            But, I'm the customer -- I should always be right. As I've mentioned, I've been in some of these design meetings, and I know what tradeoffs are being made to maximize profit (translation: push the compression algorithm

        • I don't find cell phones to be reliable (just completed a cross-country drive, want to guess what the percentage of calls were that were either dropped, unable to connect, or interrupted/garbled?).

          Forget about driving across country. What about standing still in the middle of a major metro area?

          The building I work in has a cell antenna on top of it (to be fair, it isn't from my provider). The building two blocks over (right outside our window) has a cell antenna on it. The building one block over and one bl
    • I find it ironic, paradoxical(?), one of the features so darling and network centric is text messaging.

      Text messaging is the equivalent of someone coming to you and telling you to give them money for something you've already paid for. What people don't understand about this technology is that they are getting nothing for something. In the time it takes for you to utter "Hello World!" with your voice, you could send hundreds of text messages in the same data stream. So text messages are essentially "free"
      • First, let me say that I agree with your post. But I do have to respond to something that jumped out at me.

        You asked, "In fact, why in the world don't prices drop further for established services? Why do all your typical monthly bills seem to bottom out at around $20 to $30 (a single person, living alone). Why are they all about the same, even for completely differing services. Ever notice that you will never get an electric bill for less than $30 dollars? Why doesn't a land line phone only cost $5.00 a
      • It seems these days that people understand less and less about how technology works

        That's an ironic claim, from someone who had just written:

        In the time it takes for you to utter "Hello World!" with your voice, you could send hundreds of text messages in the same data stream. So text messages are essentially "free" from the cell providers point of view,

        Firstly, mobile communications tend to use multiple channels for different purposes. It's not very likely that your text messages are in the same d

    • This question is the doorway to an interesting and long lasting paradigm debate. Quality or Quantity, which is better?

      In Microsoft and Apple's example, Microsoft is doing better. So Quantity wins here.
      In GM and Toyota's example, obviously Toyota is doing better. So Quality wins.

      In the case of cell phones, there isn't even a clear competitor that offers Quality over Quantity. Or is there? Look at Samsung phones. Their models just barely started getting bluetooth. And they are rudimentary, with a simpl
  • Yeah, if I was a virus-writer, I'd definitely bank on infrared to distribute my malware. psha!
  • by MudButt (853616) on Friday April 28, 2006 @12:23PM (#15222181)
    I remember how SARS almost killed of the human race too. And remember Y2K? I'm glad I had a bunker for that one! Oh, and West Nile! And remember how sick we all got from Mad Cow Disease? I'm just glad I have my duct tape and plastic bags.
    • I remember how SARS almost killed of the human race too.

      Sorry, biology is WAY OFF TOPIC and doesn't apply here. Perhaps you'd like calling the people who DID die of SARS [cnn.com] "just statistics".

      • Sorry, biology is WAY OFF TOPIC and doesn't apply here. Perhaps you'd like calling the people who DID die of SARS "just statistics".

        Sorry, you're missing the point. I'm not saying that SARS is funny, or that the people who have died (170 in China, according to the article you reference), are just "statistics".

        I'm saying that the media's hype is inappropriate for these cases. If the media spent half as much time reporting on drunk driving cases, domestic abuse, etc., you'd think that thousands and thous
      • More people die from lightning every year than died from SARS ever.

        It's sad so many retards get all worked up over something so insignificant. 58 million people die every year. That number will only go up unless we're dying as a species. When a disease or natural disaster or attack approaches 1/100th of this is the time to freak out. Not at 1/1,000,000.

        Appeals to emotion never enhance the issue, by the way.

  • Bollocks! (Score:5, Informative)

    by Troed (102527) on Friday April 28, 2006 @12:24PM (#15222184) Homepage Journal
    With no notion of user access levels in the compact mobile operating systems, a lack of effective authentication, and no data encryption

    Absolute bollocks. The extreme majority of cell phones are running closed operating systems, and the only exposed APIs are Java (Java ME, MIDP). They are a lot MORE secure than anything else we're currently using - even on our PCs. They contain access levels (only signed applications can access certain APIs without needing to prompt the user), and they store their data encrypted if it's on an exchangable memory card or else it's stored in the phone's own secure flash.

    The extreme _miniority_ of phones so far running less secure operating systems are rapidly shifting in the same direction - look at the latest Symbian version as an example.

    Nothing to see here - move along.
    • Re:Bollocks! (Score:2, Informative)

      by vasqzr (619165)

      Absolute bollocks. The extreme majority of cell phones are running closed operating systems, and the only exposed APIs are Java (Java ME, MIDP). They are a lot MORE secure than anything else we're currently using - even on our PCs.

      They're also not very complex, relatively speaking. A cell phone might have 150,000 lines of code as opposed to 20-50 million that Windows might have

    • That is a major problem with security -- assuming that you are secure. If and when virus/malware/spyware writers start to target the cell phone platform, then we are going to have some major problems. Just because the API's are limited and the source closed doesn't mean that some elite hacker with too much time on his hands isn't going to sit down and reverse engineer a phone. Also, what about insiders stealing the API's needed to do something bad. The main issue here is that cell phones are going beyond th
    • Yep. The cell phone virus meme has been going on for years now and it still hasnt happened. Vendor lock-in and lock-down goes a long way towards security it seems.

      This is like porn to people like Bruce Schenier, but in real life its alarmist crap. This is just as real as "Toothing" which got lots of press but turned out to be an urban legend fueled by the sexual fantasies of tech writers.
    • Actually, signed apps can't access restriced APIs either without users permission. The difference is that the user can choose "don't ask this question again" if the app is signed.
      You are stop on about the story being bollocks though.
    • In the Philippines, cellphones are God. During my three week trip, I became close to a couple of women, and they both had their Cellphones, and treated them like family members.

      People in the upper middle class in the Philippines - that means they earn about 50,000 pesos a month, or $1,000 - thought of their phones as status symbols. They would happily show them off to me, and I was suitably impressed. The technology was much, much nicer than what I saw routinely in the US. Everyone had nice cameras, big
    • The extreme majority of cell phones are running closed operating systems, and the only exposed APIs are Java (Java ME, MIDP). They are a lot MORE secure than anything else we're currently using - even on our PCs.

      I use Opera Mini on my Motorola v557 and EVERY time it goes to the net for a web page, I get the Java warning, "Allow network access? Yes - this time, No - this time, No - never". Not an option for a "Yes - Always".

      Apparantly it doesn't like Opera Mini's certificate.

      It would be quite difficu

    • You completely miss the point. The cell phones you mention are almost *never* used in enterprise deployments where over-the-air sync of email, calendar, and contacts are used for corporate purposes. In those cases, the devices that are used are Treos, PocketPC devices, Mobile 5 devices, Symbian devices, and a mix of Blackberries - which are the devices and operating platforms that suffer from the most security vulnerabilities. It is these devices that are the focus of the entire article, because they now
      • The cell phones you mention are almost *never* used in enterprise deployments where over-the-air sync of email, calendar, and contacts are used for corporate purposes.

        Please don't mistake the sorry state of cell phone use and features in the US with the rest of the world. My closed operating system (with excellent Java support) phone has no problems whatsoever using SyncML for wireless synchronization of mail, calendar, contacts etc over GPRS, EDGE and 3G.

        • Well, you're right about one thing: the sorry state of wireless in the US. However, just because SyncML (though, out-of-date, bloated, inefficient, and not used by many sync vendors anymore) can sync PIM data to your device over-the air doesn't make it useful in the enterprise. Does your closed operating system phone have a keyboard? If not, there's just no way that enterprises are going to use them for their mobile workers. Have you tried responding to 200 e-mails a day without a keyboard? I have, and
          • I wouldn't have posted my comment if it weren't for the fact that a lot of companies are using such phones. Contacts, calendar etc are important enough features for this to be (very) worthwhile even though you aren't using them for email.

            OTOH, I'm quite biased.

  • Afraid (Score:5, Insightful)

    by kevin_conaway (585204) on Friday April 28, 2006 @12:24PM (#15222188) Homepage
    Norm Laudermilch tells you why you should be afraid, very afraid.

    I realize the submitter was probably joking, but has anyone else noticed that the same sentiment is exactly what comprises 90% (number pulled out of thin air) of media stories these days?
  • Counter productive (Score:2, Insightful)

    by Neil Watson (60859)
    When I look at how people allow their focus to be interrupted by mobile devices I'm not so sure that they are really helping people's productivity.
    • When I look at how people allow their focus to be interrupted by mobile devices I'm not so sure that they are really helping people's productivity.

      Yeah, I know what you mean. Some of the less intelligent peers I have at work *always* answer the phone even though we're engaged in a very productive discussion. We're making great headway into some system we're developing or reverse engineering some problem domain programming language and the phone will ring. Even though both of us are really engaged in the
  • So now the obnoxious windbag annoying everyone on the bus can also be transmitting virii to everyone, too! Yet another victory for the annoying.
  • ZOMGWTF (Score:5, Interesting)

    by IamTheRealMike (537420) <mike@plan99.net> on Friday April 28, 2006 @12:28PM (#15222219) Homepage
    The native security features of today's mobile devices are not capable of protecting against attacks like this, so it would be trivial to infect, say, an entire coffee shop full of Bluetooth phones in just a few minutes.

    Says somebody who has clearly never programmed a mobile phone.

    The vast, vast majority of consumer phones are not the so-called "smartphones" that run traditional operating systems like Symbian or Windows, they run proprietary operating systems that have no publically known names and do not export any APIs, except for J2ME or possibly BREW.

    As an aside, J2ME consumer phones are often just as "smart" as larger, more powerful phone/PDA hybrids ... my own does calendaring, web access, has an IMAP client built in, is themable, plays music and videos, and has a 500mb flash storage facility amongst other capabilities. Yet by the standard definition it is not "smart".

    Anyway, J2ME has many flaws, but security is not one of them. If somebody finds a programmatic way to compromise a J2ME phone in the next 5 years then I will be very surprised. These things have no concept of processes or users, which is great, because this sort of security confuses the crap out of pretty much anybody who isn't steeped in UNIX security lore. Instead they rely on constructing (with a bit of help) a mathematical proof that the Java programs they're running don't compromise type safety, and then either interpret them or on Jazelle-based phones run them direct on the chip. This is safe and allows for a very flexible and intuitive form of security.

    The absolute best you can do on these things is social engineering or exploiting piss-poor UI (which is what Cabir does). To claim you could "infect a cafe full of phones" is ludicrous: most people don't even have Bluetooth switched on as many phones disable it by default.

    • Really. This article is just media over-hype. Sould be be afraid? Not really, just concerned. But I don't think anyone should get at all upset about this.
    • Well, Surprise!

      It's already been done by at least one person. [theregister.co.uk] I read the paper and I see no reason to dispute his findings. Now, since the J2ME market is so fragmented, with tons of different implementations, the vulnerabilty affects only a very limited number of phones. This is not to say that other brands are not plagued with similar bugs, but they are quite hard to find.

      At the time, I submitted the story, but it was rejected. Well, now you know.
      • Yeah, I found that later whilst looking for "j2me vulnerability" on google :) Suffice it to say, the researcher in question had to spend 4 months reverse engineering his phones OS to make it do anything interesting ... whilst it's deeply worrying that Sun haven't published ANYTHING about this exploit and so there's no way to know if it's fixed, I don't think there's any serious danger from it right now.
    • You said: > The vast, vast majority of consumer phones are not the so- > called "smartphones" that run traditional operating systems like > Symbian or Windows, they run proprietary operating systems that have no > publically known names and do not export any APIs, except for J2ME or > possibly BREW. And, not surprisingly, you have missed the entire point of the article. The cell phones you mention are almost *never* used in enterprise deployments where over-the-air sync of email, calendar,
  • by Anonymous Brave Guy (457657) on Friday April 28, 2006 @12:29PM (#15222231)
    The mobile devices you know and love are great for productivity

    Assumption failure at line 1.

    • The mobile devices you know and love are great for productivity

      Assumption failure at line 1


      I disagree. For me, cell phones have always been useful. In fact, I think it is much easier to complete specific tasks because of the ready availability of communi--oh, hold on, I got a call coming in.
    • The mobile devices you know and love are great for productivity

      When I read this phrase, it was pure sarcasm. Maybe my attitude colored my interpretation, but I was sure of its humor.

  • Paypal/ (Score:2, Funny)

    by Anonymous Coward
    http://www.technewsworld.com/story/49559.html [technewsworld.com]

    http://www.marketwire.com/mw/release_html_b1?relea se_id=103461 [marketwire.com]

    Pretty easy to transfer money if you can p0wn a phone...
  • by p3d0 (42270) on Friday April 28, 2006 @12:31PM (#15222253)
    I'd better get started right away!
  • So in the future when I dial a phone number, all of a sudden I will be sent to a phishing device asking me for my credit card and social security number?
    The future is looking up!
  • by Andy Dodd (701) <atd7.cornell@edu> on Friday April 28, 2006 @12:40PM (#15222310) Homepage
    So what if phones do more?

    One of the biggest problems in the PC world with respect to virus propagation has been the homgenous nature of desktop PCs. 90%+ of the desktops in the world (and a decent percentage of servers, especailly a very high percentage of servers in small businesses) are running one software architecture (Win32) on one hardware architecture (x86). This means that viruses don't encounter compatibility problems when trying to propagate.

    In the mobile phone market, this is not the case. There are at least three major smartphone software architectures (PocketPC/Windows Mobile, Symbian, PalmOS) each of which run on multiple hardware architectures. (PalmOS is only on ARM machines unless you count old m68k PalmOS smartphones, but I'm positive PPC/Windows Mobile supports at least 2-3 different CPU architectures and I believe Symbian does too.) Let's not forget the huge variety of "dumb" phones out there, where every manufacturer has their own custom OS and chances are that even compatibility of malware between a manufacturer's phones isn't guaranteed.

    Yes there are hardware/software abstraction layers such as J2ME and (to some degree) BREW which allow an application to run on multiple manufacturer's phones, but both have varying degrees of sandboxing for those abstracted applications, and in the case of J2ME, compatibility STILL can't be guaranteed. (Look at the sites that offer Java games for mobile phones - Many of them have a slightly different download for every phone!)

    Even if the phones didn't have ANY security features built into them at all, the heterogenous software/hardware environment that phone malware would have to live in presents large barriers to malware propagation.
    • by Anonymous Coward
      I could not have said it better myself.

      As someone who has worked in the mobile industry since the dawn of J2ME and Brew, I know that claims of a widespread virus are complete FUD.

      Anyone who has created applications for mobile devices know what a complete pain it is to port the applications (particularly ones that use advanced features like IR, Bluetooth, SMS or even create a network connection).

      The anti-virus guys like Norton and their ilk are showing up at all of the major mobile shows now claiming to be s
    • Please. The only important propagation step from an enterprise standpoint is Phone --> Enterprise. No one cares about, or will even spend 3 minutes coding for, a propagation method that spans cell phone operating platforms. Who cares how hard it is - it's not the point of the article. The next Code Red or Nimda style front page news article is going to be for the guy that figures out how to write a crossover virus that spreads from a PocketPC, Mobile 5, Symbian, or Palm OS to the juicy Win32 insides
  • Responsible? (Score:1, Insightful)

    by Anonymous Coward
    Call me a stickler for semantics, but is it right to suggest cellphones could be "responsible" for the worms? Isn't that a bit like saying cars are responsible for car wrecks? I thought the writers of the worms were the ones responsible for the worms.
    • Ha haha, great point. You are not a stickler for semantics - you're right. I'll keep that in mind next time I write a title :) Thanks for the input, Norm
  • So as I scan the responses here the overwhelming message is that cell phones are secure because they are closed-source and their code isn't published anywhere.

    That's a new sentiment to hear on /.

    • And because of the incompatibility between various phone operating systems, many of these hypothetical phones in cafe will not run identical applications .... or in this case identical viruses and malware.
    • Yeah, I also wondered about this. Bash M$ for the same thing, but don't mess with my "pain in everyone else's ass" cell phone! Heh, seems like we never learn.
      I for one can't wait for the feces to hit the fan, and will LOL at all of them when it happens.
      As it is now, in my home the standing rule is: turn of your cell phone upon entering- if it rings and disturbs me, I reserve the right to tie the offender's scrotum behind their ears. ;)
    • So as I scan the responses here the overwhelming message is that cell phones are secure because they are closed-source and their code isn't published anywhere.

      The gist I got was that they were secure because they are secure because they don't allow random software to run and don't expose any but secure APIs (requiring code-signing, etc.) to any software that does run, not that they were secure because their code was unpublished and not open-source.

      One of us isn't reading the responses right.

      • You're reading the responses correctly. Except actually code signing is hardly important, phones are secure even with unsigned apps that anybody can write and distribute. I wrote an article on j2me security [plan99.net] for those who want to learn more. Not all phones use it of course, for instance, you can write programs that can do pretty much anything AFAIK for older Symbians (which were modelled internally sort of like DOS/Win9x security-wise).

        Now it turns out I was wrong, there HAS been a problem with J2ME in the

    • ...which is not only wrong, but concerning as well. The cell phones that they are talking about as "closed systems" are almost *never* used in enterprise deployments where over-the-air sync of email, calendar, and contacts are used for corporate purposes. In those cases, the devices that are used are Treos, PocketPC devices, Mobile 5 devices, Symbian devices, and a mix of Blackberries - which are the devices and operating platforms that suffer from the most security vulnerabilities. It is these devices tha
  • Hmm...

    The quick time to market model necessary to compete in the fast-paced world of mobile phones and the lucrative potential of exploits that call/text premium rate numbers means we're gonna get insecure firmware with plenty of black hat wannabes trying to create exploits.

    Before we had internet access universally and virus protection, protecting against floppy disk based viruses was a real issue on vulnerable OSes; you could have an antivirus program but you didn't get the definitions updates or OS/

  • My phone rarely works anyway and if my experience is an indication, any malware that gets through will have to deal static and dropped connections every 20 feet. Nothing to worry about here. Thanks Verizon!
  • by randomErr (172078) <ervin.kosch@noSPAM.gmail.com> on Friday April 28, 2006 @01:10PM (#15222528) Homepage Journal
    802.11 is the only real threat for now. 802.11 is the only widely adapoted standard. Everything else is niche market or platform specific.

    With 802.11 I can take a Nintendo DS with Linux and go to McDonalds, Starbucks, most local libraries and TV stations, and dozens of bussiness and port scan and/or brute force the hell out of the place.

    If I find an open platform (it could even be the router) I then have the DS pull every bit of info out of it I can automatically. Then go home and look at my booty, like unencrypted passwords, stored in my handheld. Alterntively, I can inject tojans into the system that I scanning without anyone suspecting.
  • Because I use cans and a string to talk to people across long distances, and I use pen and paper or playing cards to play games. For music, I sing, and for moving pictures I draw flipbooks!
  • Ha (Score:4, Insightful)

    by Zebra_X (13249) on Friday April 28, 2006 @01:20PM (#15222604)
    Can you still talk about your perimeter security with a straight face? If you have even one employee with a mobile device connecting to your network, chances are you answered "No" to that last question? The mobile devices you know and love are great for productivity, but they have completely changed the vulnerability state of our networks. Norm Laudermilch tells you why you should be afraid, very afraid?

    Can i even say the words "perimeter security" with a straight face. Ha, no. This is a bunch FUD created by people (or one in particular) who doesn't have enough work to do over the course of a day.

    Sure, mobile devices have a number of transmission channels. It makes them useful. The reason why they are not a real tangible risk is that they are incredibly difficult to configure and operate in a networked mode. Getting a windows mobile phone to connect to a network and do something useful takes about three minutes by hand. Not to mention that their programming API's usually contain a much smaller subset of functions than that of a full blown pc.

    Reading through the article there are more outlandish claims such as "The native security features of today's mobile devices are not capable of protecting against attacks like [mobile to mobile propagation], so it would be trivial to infect, say, an entire coffee shop full of Bluetooth phones in just a few minutes."

    Right, and monkeys might fly out of my butt. The mobile device market is incredibly diversified. There are so many phones and capabilities that the notion of One Worm to rule them all is preposterous. This also assumes that everyone in the coffee shop has their phone in whore mode, accepting connections from any shiny device that walks by.

    He goes on to suggest that "The mobile devices then walk out of the coffee shop and in the front door of corporate offices all over the world, past the perimeter security devices and all other network security protections, cradle to the desktop, and infect organizations in the worst possible spot: at the heart of the network, where security controls are the thinnest."

    How? Almost every desktop PC in a corporate network has AV software on it. Any malicious code coming from the handheld would be detected by the AV software. Not to mention that the desktop sync software would ALSO need to be vulnerable.

    Lets also examine the likelihood of this occurring: It would require the following scenario: the handheld device has a flaw that allows the transfer and execution of malicious code, the infector and the infected must be of the same type, they would also both need to have BT or Wi-Fi enabled, though I suspect that BT is much more a risk than wi-fi (most mobile devices don't provide services via wi-fi, but they do via BT). The virus would also need to behave itself such that the OS won't crash. Usually upon infection there are obvious signs of corruption. Slow downs, crashes, restarts. Then corporate man/woman would need to plug his/her device into his PC. From here the handheld may, or may not have a bridged connection directly to the network. Alternatively the handheld might be able to exploit a hole in the sync software such that it can remotely execute code on the host desktop. Finally, the handheld would execute a PC based worm that would not be in an up to date virus def. file.

    Is it just me or does it seem like the planets need to align nicely for this work?
    • Ah jeez, the ignorance displaced by TFA is just mindblowing. Only somebody with little knowledge of Bluetooth and how it works will believe that it's possible to infect the entire store with a virus or worm.

      Not only are mobile phones incredibly diverse in terms of operating systems and architectures, and most will not have Bluetooth on by default anyway, but Bluetooth is a very secure transmission protocol. People have been trying to hack it ever since it emerged as a standard, and I've yet to see any rea

    • by fatduck (961824) *
      Abandon All Hope, All Ye Who Text Here
  • that is funny because paid engineers have enough trouble getting all of these protocols and devices working, what makes you think a phisher/hacker has a chance of getting something working on all of these protocols and the 1000's of phone models out there?
  • by Khyber (864651) <techkitsune@gmail.com> on Friday April 28, 2006 @01:46PM (#15222767) Homepage Journal
    I'm not even worried about cell phones transmitting virii - I'm far more concerned with how slow current cell phones are. My *OLD* Nokia phone from six years ago dialed numbers far faster, responded the very moment I pressed a button on the phone, and there was no perceptible lag at all. Change providers, "upgrade" to a Kyocera Phantom, it takes at least four seconds after hitting the call button to actually see the screen shift, THEN see it try to connect, generally making the attempt to dial out take upwards of half a minute. Very disappointing. Older cell phones were faster, far more secure (namely because of the lack of "features") and were far less of a hassle. I want to see a cell phone company that does nothing but cell phones, for nothing but calling. No camera, no MP3 player, no stupid annoying bleep-bleep walkie-talkie (Real people get a GMRS License for that,) and by far no loud annoying polyphonic ringtones. Plain, simple, easy, fast SERVICE.

    Sadly the norm for most companies these days is to whore themselves out to the "must have it" minded people.
  • by Tool Man (9826) on Friday April 28, 2006 @02:14PM (#15222983)
    The bigger threats here might be more related to crossover cases, either on the device or the worm itself. The recent Linux/Windows proof of concept is an example of the latter, though in its infancy. For the former though, there is at least one case where a Windows glitch can be exploited in both PCs and mobile devices. SANS story [sans.org] While not common yet, the power of available devices will grow, and costs will decrease. Of course, reasonable policies can help in general; start with trusting nothing, and then make exceptions as needed. The IT folks where I work do have wireless access points set up in the office, but with all available security enabled. Even then, those users are still firewalled off from most of the network. That said, I must say I like my little Palm Treo 650, though I haven't been tempted by Bluetooth yet.
  • there was a bluetooth type "virus" that automatically hijacks phones that had their bluetooth on (caribe virus i think.) though there is a prompt to the users about bluetooth access, many in our country (philippines) got infected and had to reinstall the os in their phones (many repair shops were actually making money charging around $10 to fix.)

    this wouldn't be very difficult in mobile phones especially now they are becoming more connected via ip. my friend told me once that he connected his pc to the mo

It's hard to think of you as the end result of millions of years of evolution.

Working...