WSJ article on Bluetooth malicious software "virus."
November 15, 2004
THE JOURNAL REPORT: TECHNOLOGY
Outbreak!
Call it phone flu: a new breed of viruses targeted at mobile phones -- and with the ability to wreak havoc
By DAVID BANK Staff Reporter of THE WALL STREET JOURNAL
The first of a new breed of viruses has escaped from the laboratory and is spreading through the air. A cluster of cases has been traced to a crowded meeting hall in Singapore, and global travelers may already have carried the infection to Europe and the U.S. Experts fear the bug, for now relatively harmless, may quickly evolve into a more virulent and dangerous form.
The virus is not avian flu or SARS, but Cabir, the first virus targeted at mobile phones. Cabir spreads via a wireless technology known as Bluetooth that is found in many cellphones and other devices. An infected phone seeks out other vulnerable devices and sends them the virus, in the form of a small software file. Once the file is installed, the device is infected -- and the process repeats itself. That makes Cabir the first digital virus that spreads much like some traditional diseases, through airborne transmission.
"It is like the real flu," says Matias Impivaara, who manages mobile security for F-Secure Corp., a Finnish antivirus-software company.
Air Attack
Mobile devices such as cellphones and hand-helds are the new frontier for the world's virus writers and hardware hackers. As more mobile gadgets come equipped with sophisticated software and new networking features, they are becoming vulnerable to the nuisances that afflict personal computers -- from spam to spyware to financial fraud.
With cellphone makers largely playing down the problem and most users unaware of it, the creators of malicious software, or "malware," for mobile devices have a sizable head start on those trying to thwart them. And some security experts fear the next generation of viruses will be even more potent as hackers learn to exploit the vulnerabilities of networking technologies such as Bluetooth.
Cabir appears to be the work of an underground virus-writing group known as 29A, based in Spain, which claimed credit for the bug in June. A month later, the same group announced Duts, the first virus targeting Pocket PC hand-held devices running software from Microsoft Corp. Both viruses were considered "proofs of concept" that demonstrated the possibilities of mobile viruses but didn't cause substantial damage. The group's Web site explains, "In general, we're against destructive payloads and the spreading of viruses, but we do not forbid our members...to include destructive payloads in their viruses."
Cabir moved from the laboratory into "the wild" when an unknown person posted its code to a public Web server. In October, cellphone users at a trade show in Singapore received the virus from infected phones, according to Mr. Impivaara of F-Secure.
The virus itself is well-behaved. When it first attacks a mobile gadget, it asks if you'll accept a message over the Bluetooth connection. Then it twice asks for approval to install a file -- the one containing the virus. If you agree, a message appears on the cellphone screen saying "Caribe-VZ/29a!" The only real damage Cabir inflicts is to drain cellphone batteries as the device continually scans for additional machines to infect.
A separate group apparently is responsible for another virus called Brador, which affects Pocket PC devices running Windows software. The bug opens a "back door" on the gadgets by sending their Internet address to the attacker and leaving an Internet port open to receive further instruction. That allows the attacker to upload and download files to and from the infected device and execute other commands remotely, effectively giving the attacker full control of the gadget. According to Kaspersky Labs, the Russian antivirus company that identified Brador in August, the programmer included a line in the code exhorting fellow hackers, "Get to work, folks, the Pocket PC market will soon explode."
The Tooth of Crime
As if the threat of viruses weren't bad enough, security experts have uncovered vulnerabilities in Bluetooth itself that hackers could exploit to make it much easier to transmit viruses.
Bluetooth is a short-range wireless technology that lets devices exchange information over a distance of about 100 feet, making it useful for connecting wireless cellphone headsets, exchanging electronic business cards and even delivering ads to mobile devices. The technology isn't limited to cellphones and is being built into laptops, automobiles, medical devices, home-security systems and a host of other devices. It is already standard on most European cellphones and is increasingly popular in the U.S. Market-research firm IMS Research estimates that, globally, 120 million Bluetooth-enabled devices will be shipped this year.
The way Bluetooth is implemented in certain devices can leave users open to "bluesnarfing," in which an attacker swipes, or "snarfs," contact lists, images and other data, as well as "bluebugging," where the intruder commandeers the phone to make calls or send text messages. Both attacks could potentially be combined with viruses such as Cabir to spread malicious code without the need for permission from the recipient.
The implementation flaw that allows bluesnarfing was announced in November 2003 by British security researcher Adam Laurie. He demonstrated the technique in a London Underground station, where in two hours he found 77 phones with Bluetooth configurations that made them vulnerable to the attack. Later, in the British Parliament, he ran an attack from a laptop in his backpack, finding eight vulnerable phones in 14 minutes.
Mr. Laurie's Austrian colleague, Martin Herfurt, demonstrated that the potential for abuse could be even greater. The bluebugging method he developed allows an attacker to take control of a targeted phone to make calls or send text messages using the victim's number. Attackers with purely pecuniary motives could use a victim's phone to call pay-per-minute services, with the charges appearing on the victim's phone bill. Bluebugging also turns a cellphone into a wiretap, allowing attackers to listen in on a victim's calls.
Most major cellphone makers initially discounted the severity of the vulnerabilities, saying that attacks couldn't be executed over distances of more than several hundred feet. But in August, Mr. Herfurt, with a team from Flexilis LLC, a wireless-security firm in Los Angeles, took control of a phone more than a mile away. From a spot on the Santa Monica Pier, the team used a laptop equipped with a high-gain antenna to hijack a standard-issue Nokia 6310i phone held by Mr. Herfurt on a bluff above the beach.
"There are people who do know how to perform the exploit in the wild," says John Hering, a founder of Flexilis. He says cellphones make attractive targets because they increasingly can be used to pay for small items, such as car washes and sodas from vending machines, through a billing method known as "reverse SMS" (SMS being the short message service used for text messages).
The Hot Zone
Organized crime could turn that vulnerability into big business, Mr. Hering says, sketching one possible scenario. An attacker in a waiting room at O'Hare International Airport in Chicago releases a virus that uses bluebugging to install itself on passengers' cellphones without asking permission. Travelers board their planes, spreading the virus widely. Once in place, the virus commands their cellphones to accept a reverse-SMS charge from a phony service set up by the criminals. The charge would be so small -- $3, say -- that many people wouldn't notice it on their phone bills.
Cellphone makers have stepped up their initially sluggish response. Finland's Nokia Corp., the world's largest handset maker, in October announced a software upgrade for seven phone models, and Motorola Corp. of Schaumburg, Ill., and Sony-Ericsson, a joint venture of Japan's Sony Corp. and Sweden's Telefon AB L.M. Ericsson, have also taken some steps to correct the problems.
One difficulty in fixing the vulnerabilities is a limitation in most cellphone software that makes it impossible to download patches over the cellular network itself. Instead, a cellphone user must bring each phone to a service center where the updated operating system can be placed into the device with a flash-memory card. "We need an over-the-air way to update these units," says Mr. Impivaara of F-Secure.
In the meantime, security experts say concerned users should first check with their phone's manufacturer to determine whether their particular model is vulnerable. If so, users can set their Bluetooth devices to "hidden," "invisible" or "nondiscoverable," which makes the device harder, though not impossible, for an attacker to detect: a hidden device stops answering the broadcast inquiries that attackers use to find targets, but it still accepts connections aimed directly at its hardware address. If users want to rule out Bluetooth attacks entirely, they can turn Bluetooth off, though of course that prevents them from using its positive features. F-Secure and other computer security companies are beginning to introduce antivirus software for cellphones, and some mobile operators are installing such technology on their networks as well.
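The same two-level advice (hide the device, or switch the radio off) can be applied to a Linux host's Bluetooth adapter with the BlueZ command-line tools. The script below is an added example and not part of the article: it assumes the `bluetoothctl` and `rfkill` commands of a stock BlueZ installation, and it exercises its parser on a constructed `bluetoothctl show` dump so the check runs without Bluetooth hardware.

```shell
#!/bin/sh
# Added example (not from the article): audit and harden a Linux Bluetooth
# adapter with BlueZ tools. Assumes bluetoothctl and rfkill are installed.

# Read "bluetoothctl show" text on stdin and print the adapter's
# discoverability: "discoverable", "hidden" or "unknown".
# Only the exact "Discoverable:" key is matched, so the neighbouring
# "DiscoverableTimeout:" line cannot be mistaken for it.
bt_discoverable_state() {
    awk '
        /^[[:space:]]*Discoverable:/ { v = tolower($2) }
        END {
            if (v == "yes")     print "discoverable"
            else if (v == "no") print "hidden"
            else                print "unknown"
        }'
}

# Constructed sample, modelled on what bluetoothctl prints for one adapter
# (the address and name are made up).
SAMPLE_SHOW='Controller AA:BB:CC:DD:EE:FF (public)
    Name: demo-laptop
    Alias: demo-laptop
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x000000b4
    Pairable: yes'

# Audit the live adapter. Exit status 0 when hidden, 1 otherwise.
bt_audit() {
    state=$(bluetoothctl show 2>/dev/null | bt_discoverable_state)
    echo "adapter discoverability: $state"
    [ "$state" = "hidden" ]
}

# Harden the live adapter: stop answering inquiries and refuse new pairings.
# Pass 1 as the first argument to also block the radio entirely, which is
# the only setting that rules out direct-by-address connections too.
bt_harden() {
    bluetoothctl discoverable off
    bluetoothctl pairable off
    if [ "${1:-0}" = "1" ]; then
        rfkill block bluetooth
    fi
}

# Run the parser on the constructed sample (no hardware needed).
printf '%s\n' "$SAMPLE_SHOW" | bt_discoverable_state
```

On a real machine, `bt_audit` reads the live adapter and `bt_harden` applies the fix; `bt_harden 1` corresponds to the article's "turn Bluetooth off" option. Note that "hidden" only suppresses inquiry responses, so a device whose address is already known, or is guessed, can still be connected to; treat the audit as a check on one layer, not as proof the adapter is unreachable.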
Write to David Bank at david.bank@wsj.com
Copyright © 2004 Dow Jones & Company, Inc. All Rights Reserved.