Cell Phones Responsible For Next Internet Worm?

nitsudima writes "The mobile devices you know and love are great for productivity, but they have completely changed the vulnerability state of our networks. Norm Laudermilch tells you why you should be afraid, very afraid." From the article: "The new and largely unexplored propagation vector for malicious code distribution is mobile devices. With 802.11, Bluetooth, WiFI, WiMAX, MMS, Infrared, and cellular data capabilities on almost all new models, these devices provide a wealth of opportunity for the transmission of data. With no notion of user access levels in the compact mobile operating systems, a lack of effective authentication, and no data encryption, these environments are prime targets for the incubation of malicious code."

Afraid

[kevin_conaway]

Norm Laudermilch tells you why you should be afraid, very afraid.

I realize the submitter was probably joking, but has anyone else noticed that the same sentiment is exactly what comprises 90% (number pulled out of thin air) of media stories these days?

Counter productive

[Neil Watson]

When I look at how people allow their focus to be interrupted by mobile devices I'm not so sure that they are really helping people's productivity.

Re:I want a refrigerator

[Captain Splendid]

In defence of text messaging, in most markets/countries, it's a hell of a lot cheaper, or even free, versus the cost of making a one minute phone call, so it's a highly cost-efficient (not to mention more private) way of communicating.

After that, it's all bloat as far as I'm concerned.

Disclaimer: I'm still cell-phone free.

Responsible?

[Anonymous Coward]

Call me a stickler for semantics, but is it right to suggest cellphones could be "responsible" for the worms? Isn't that a bit like saying cars are responsible for car wrecks? I thought the writers of the worms were the ones responsible for the worms.

802.11 is the only real threat

[randomErr]

802.11 is the only real threat for now. 802.11 is the only widely adapoted standard. Everything else is niche market or platform specific.

With 802.11 I can take a Nintendo DS with Linux and go to McDonalds, Starbucks, most local libraries and TV stations, and dozens of bussiness and port scan and/or brute force the hell out of the place.

If I find an open platform (it could even be the router) I then have the DS pull every bit of info out of it I can automatically. Then go home and look at my booty, like unencrypted passwords, stored in my handheld. Alterntively, I can inject tojans into the system that I scanning without anyone suspecting.

Ha

[Zebra_X]

Can you still talk about your perimeter security with a straight face? If you have even one employee with a mobile device connecting to your network, chances are you answered "No" to that last question? The mobile devices you know and love are great for productivity, but they have completely changed the vulnerability state of our networks. Norm Laudermilch tells you why you should be afraid, very afraid?

Can i even say the words "perimeter security" with a straight face. Ha, no. This is a bunch FUD created by people (or one in particular) who doesn't have enough work to do over the course of a day.

Sure, mobile devices have a number of transmission channels. It makes them useful. The reason why they are not a real tangible risk is that they are incredibly difficult to configure and operate in a networked mode. Getting a windows mobile phone to connect to a network and do something useful takes about three minutes by hand. Not to mention that their programming API's usually contain a much smaller subset of functions than that of a full blown pc.

Reading through the article there are more outlandish claims such as "The native security features of today's mobile devices are not capable of protecting against attacks like [mobile to mobile propagation], so it would be trivial to infect, say, an entire coffee shop full of Bluetooth phones in just a few minutes."

Right, and monkeys might fly out of my butt. The mobile device market is incredibly diversified. There are so many phones and capabilities that the notion of One Worm to rule them all is preposterous. This also assumes that everyone in the coffee shop has their phone in whore mode, accepting connections from any shiny device that walks by.

He goes on to suggest that "The mobile devices then walk out of the coffee shop and in the front door of corporate offices all over the world, past the perimeter security devices and all other network security protections, cradle to the desktop, and infect organizations in the worst possible spot: at the heart of the network, where security controls are the thinnest."

How? Almost every desktop PC in a corporate network has AV software on it. Any malicious code coming from the handheld would be detected by the AV software. Not to mention that the desktop sync software would ALSO need to be vulnerable.

Lets also examine the likelihood of this occurring: It would require the following scenario: the handheld device has a flaw that allows the transfer and execution of malicious code, the infector and the infected must be of the same type, they would also both need to have BT or Wi-Fi enabled, though I suspect that BT is much more a risk than wi-fi (most mobile devices don't provide services via wi-fi, but they do via BT). The virus would also need to behave itself such that the OS won't crash. Usually upon infection there are obvious signs of corruption. Slow downs, crashes, restarts. Then corporate man/woman would need to plug his/her device into his PC. From here the handheld may, or may not have a bridged connection directly to the network. Alternatively the handheld might be able to exploit a hole in the sync software such that it can remotely execute code on the host desktop. Finally, the handheld would execute a PC based worm that would not be in an up to date virus def. file.

Is it just me or does it seem like the planets need to align nicely for this work?

Re:Security through Obscurity

[DragonWriter]

So as I scan the responses here the overwhelming message is that cell phones are secure because they are closed-source and their code isn't published anywhere.

The gist I got was that they were secure because they are secure because they don't allow random software to run and don't expose any but secure APIs (requiring code-signing, etc.) to any software that does run, not that they were secure because their code was unpublished and not open-source.

One of us isn't reading the responses right.