PDA

Cell phone zombies a possibility? -- Theoretical discussion


HTRegz
February 27th, 2004, 08:00 PM
Hey Hey,

First let me just say... W00T!. MY suggestion became reality. I'm pumped. Thanks JupM.

Anyways... on with the discussion. I've been playing with my cell phone a lot lately, now that I have one that is actually fun to play with. Since I posted the suggestion for this thread I've been thinking a lot about cell phones and PDAs and the problems they could lead to. My cell phone is Java-powered, as many phones now are; other phones have built-in PDAs and run PalmOS. With the advent of picture phones, the ability to SMS files is now a reality. What if someone decided to use our cell phones against us? A Java virus, or something written for PalmOS (for which app development can be done in something as simple as VB), that could propagate through text messaging. I don't know a lot about the hardware of cell phones, so this could be fully impossible, but what will happen as cell phones become more advanced? A virus that is downloaded in a game or a ring tone seems entirely like a possibility. It spreads itself by SMSing itself to everyone in your phonebook (sure, it won't make it to landline users, but everyone has at least one cell phone number in their phonebook). Besides sending itself to other cell users, it could also force your phone to dial a number. This would cause congestion on the cell network to start with, but what if they were all directed at the same number, for example 911? This would cause basically a DDOS attack against the switchboards at 911. It would, in my opinion, cause chaos. Anyone thought about this before, or heard anything about it? What's everyone's opinion on it?


Peace,
HT

st1mpy
February 27th, 2004, 08:13 PM
Well, that all might be possible... there was one incident about a year back when a guy switched some phone board and sent emails out to people... that they were short on their visas so they should call that number, and yeah, it was talked about here, but here is something new:


FBI agents arrested a Louisiana man last week under the cyberterrorism provisions of the USA PATRIOT Act for allegedly tricking a handful of MSN TV users into running a malicious e-mail attachment that reprogrammed their set-top boxes to dial 9-1-1 emergency response.

According to prosecutors, David Jeansonne, 43, was targeting 18 specific MSN TV users in an online squabble when he crafted the script in July 2002, and sent it out disguised as a tool to change the colors on MSN TV's user interface. Though the code didn't mass-mail itself to others, some of the recipients were sufficiently fooled that they forwarded it to friends, for a total of 21 victims.

Source: http://www.securityfocus.com/news/8136



hope it helps ;)

DjM
February 27th, 2004, 08:20 PM
Here (http://www.is.titech.ac.jp/~wakita/projects/kiken/virus/Virus%20Bulletin%202000%20papers.pdf) is an interesting whitepaper on this topic taken from the Virus Bulletin Conference in September of 2000.

Cheers

nihil
February 28th, 2004, 02:11 PM
Hmmm,

I suggested this generic vulnerability some three years ago. I concluded that as the SMS of the time supported (typically) 114 characters, and theoretically about 160, it was not a current threat, as there was not enough scope to include propagation or zombie code.

I am sure that it will happen; it is not "if", just "when".

WAP/Palm devices linked to telephony make it more imminent, IMHO.

SMS "bombs" have been around for a while now, so you can see where things are headed.

HTRegz... I have not forgotten you, mate. I will get back with some suggestions this weekend... interesting problem, as it happens :D

Cheers

Cybr1d
February 28th, 2004, 03:02 PM
It might happen sooner than we think. Motorola just released the "Smart Phone", which includes Internet Explorer and MSN Messenger, and I believe it can be synchronized with your Outlook. How much worse can it get? Here's a scenario: user visits a website with malicious code in its source; malicious code gets downloaded into the cell phone; malicious code spreads itself to all contacts on the cell and in Outlook. I'd say it's possible to be done right now. Anyone care for an experiment? It would be very interesting.

EDIT: a little research on the "Smart Phone" shows these specifications:

Motorola MPx200 SmartPhone Features
Phone Features

Downloadable ringtones
Downloadable wallpaper
Downloadable screensavers
WAP 1.2.1
MSN Internet Explorer (HTML 3.2, WAP 1.2.1, SSL, & PPTP)
Tri-band
MMS (Multimedia Messaging Service)
Instant Messaging (MSN)
Group SMS
T9 predictive text
Time & date stamp (for calls & SMS)
SD/MMC card slot
1000+ number phone book
VibraCall®
Integrated speaker phone
Clam form factor

Preloaded Software

Activesync ™
MSN Messenger ™
Pocket Internet Explorer ™
Pocket Outlook ™
Windows Media Player ™


Memory

Up to 10 MB embedded
Expandable to 1 GB via SD/MMC slot

Display

65k TFT colour, 176 x 220 pixels, 2 lines of text/icons

Connectivity

Mini USB / IRDA

Network

Tri-band GSM 900/1800/1900
GPRS (class 8)

Dimensions

89 x 48 x 27 mm

Volume

96 cc

Weight

118 g

Power Management *

Talk Time: up to 310 mins
Standby Time: up to 110 hrs



Clearly the phone has enough memory to support a virus and the means to catch it or distribute it.

slarty
February 28th, 2004, 04:34 PM
There are a lot of phones on the market with sufficient capability to have viruses / malware written for them.

The most likely type is some kind of windows/outlook style worm which encourages users to open it using social engineering.

On my phone, it is possible to send games via bluetooth and infrared. I don't think games themselves can be sent via SMS, but you can send links and download via HTTP.

Some models of phone (for instance those supporting MIDP2.0) have access to sockets.

Some types of phone game (example: Morphun) have virtually unrestricted access to the phone's capabilities. Not all of these games need to be digitally signed, but instead rely on the network restricting download capabilities. This doesn't seem to extend to bluetooth / IR transmission.

--

So it's technically feasible for a phone game to actually be a worm which spreads via bluetooth with this model of phone. True, it would have to get fairly close to another phone, and the phone would need bluetooth enabled.

Equally, an SMS could entice a user to download a game via HTTP, then exploit some weakness in the phone's Java VM security to break out, and SMS its link to the phone's contact list (à la Outlook worms).

Java games are normally not allowed to access the phonebook, make calls, send SMS or use bluetooth / IR, but some vulnerability could allow them to do so. Java games are allowed HTTP access, but the user is always consulted first, as it may charge her money.

Slarty

Soda_Popinsky
February 29th, 2004, 01:39 AM
Kinda off topic, but couldn't a virus spread on PCs, then use the modems to call a number like 911 or whatever? Why use a phone when you can use a PC?

I've never heard of an attack like that, but I can figure that it's possible? Maybe for American Idol voting or something stupid like that....

nihil
February 29th, 2004, 05:33 AM
Hi Soda,

That has been possible for several years.............I have used my PC to talk to my in-laws in Alabama (one penny per minute, hee hee) and have had the software to send SMS messages to cell phones.

Very interesting contributions from Cyber1d and Slarty. It seems that the technology is now here... I haven't changed my mobile phone for three years, so I am a bit behind the times :) .

I do recall someone offering AV for mobile devices..............PC-Cillin or McAfee?

What I fear is that people will secure their desktops and networks, and these mobile devices will be the literal trojan horses?...........an Administrator's nightmare :(

Cheers

silver-bullets
February 29th, 2004, 05:41 AM
Interesting. I have never really looked into it, however I am sure there will be a growing "market" of cell viruses. Although, as someone pointed out, they can be made in a high-level language, I have a feeling the ones that do "well" ecologically (aka propagate themselves the best) will be in ASM, or a "high-level" ASM that works across all/most cellphones, allowing for better manipulation of low-level functions and such, but still not specific to one phone. As usual the possibilities are endless. As nihil pointed out about this being an Admin's worst nightmare, I believe most policies will/do prohibit messing with company phones, or plugging your own phone into your company computer. Imagine if a virus would transfer itself to the box from your phone, effectively allowing it to spread via two mediums. At least they don't spread through the TV, eh?

-Cheers-

Cybr1d
February 29th, 2004, 05:56 AM
....hmm, well, spyware could be downloaded into TiVo if programmed right and you'd get pop-ups about penis enlargement every time you turn on your TV :). It's feasible but not easy at the moment, but don't be surprised if it happened. ANY hardware that connects to a remote service is at risk of being a victim of malicious code, be it a virus, a trojan, a worm or spyware. It's just the never-ending cycle of life. You build something; someone screws it up; you try to fix it and come up with something better than before while you're fixing it. INNOVATION

nihil
February 29th, 2004, 07:38 AM
/inject humour

Cyber1d, don't go for those penis enlargement thingies............hell, I nearly tripped over it and broke my neck the other day, running downstairs to collect the viagra that the postman delivered. :D

/end

This is a pretty serious topic..........how many of us have policies regarding the use of hand held & mobile devices? We need to get there first or we will be bitten on the bum?

Cheers

Cybr1d
February 29th, 2004, 01:21 PM
ROFL nihil:D


Unfortunately the policies won't do much, because if someone is determined to commit some malicious act, they'll find a way to. I was just thinking, though: in the US you could get a decent hand-held device running some sort of Windows on it for about 200-400 dollars. Some of the phones that are filled with all kinds of goodies from MS sell for about the same price (you can get rebates). Also, all the major phone distributors carry some sort of PDA phone which runs on Windows. Now, as for the handhelds, you can purchase a wi-fi card for them and launch an attack from Starbucks. Same idea as carrying a laptop with you, but perhaps more discreet.




P.S. Sweeeeet, I'm a senior member now :D

Tim_axe
February 29th, 2004, 08:46 PM
Well there was something almost 4 years ago in Japan. This refers to it: http://news.bbc.co.uk/2/hi/technology/2690253.stm

That Motorola MPx200 seems to finally catch up to my 4-year-old cell phone. Apart from the software and size, my cell phone still competes against it a bit.

I know that Japan has had cellphones that are capable of accessing the Internet and at least downloading and uploading files. And they pretty much all have software built into them that can make it at least a 64k Internet Connection for computers, dialup you could say. These phones are/were very common, and I guess it is just a feature that has stayed in them since. Imagine if a virus could eliminate the computer software end of it, set the cellphone into the data transfer mode, and control what is sent? My guess is that only preprogrammed-target viruses would be of use, since the attacker wouldn't be able to control the infected cellphones by connecting to them directly, as the cellphone tower prevents that I think. I never got my cellphone to act as a modem for me so I don't know for sure how IPs and ports are managed. It might be possible to set up a website for the infected phone to pick a victim, but that leaves another trail to the attacker and they might realize that. Based on that, unless the virus can morph, it might be possible to block the sending of it via SMS or something, since the code shouldn't change and having the tower look at the data for that pattern would catch it...

Of course even if the end-users all have 100% working antivirus that somehow catches everything, we still have a potential issue of a huge nation-wide wireless network...

Oh, and one more thing I want to add. Since cell phones have to keep stuff off of the GUI to keep the screen less cluttered, we can see less information. So we can't verify things quite as easily or quickly as on a PC, where tons of information is at our disposal. Namely, the URL of a link. I find it nearly impossible, and uncomfortable, to see the URL of a link on my phone. Don't you think that leaves people open to phishing attacks if they don't pay attention? What if you get an SMS saying to visit your bank's website for a phone number you need to call with important and immediate banking details? And this website says it is the bank and you need to call xxx-xxxx...? (A common Japanese "spam" c-mail (SMS) I received was a phone number that was in a link. This special phone number costs tons of money to call, and the line owners (spammers) get this money somehow... At least I think that's how it works...)

-Tim_axe
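Tim_axe's suggestion above (have the network look for a fixed payload pattern, with the caveat that a morphing virus would slip past it) and the phonebook fan-out that started the thread both suggest network-side checks an operator could run over an SMS log. The following is an added example, not code from the thread or from any carrier; the message log, phone numbers and the "known worm" text are all constructed, and `example.invalid` is a placeholder domain. It pairs a normalised content signature (catches the fixed payload even when re-spaced or re-cased) with a sender fan-out count (catches a changing body, because it ignores content entirely):

```python
"""Network-side checks over an SMS log: content signatures plus sender fan-out.
Added example; every number, timestamp and message below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import re


@dataclass(frozen=True)
class SmsRecord:
    ts: int          # seconds since an arbitrary epoch (constructed)
    sender: str      # originating number
    recipient: str   # destination number
    body: str        # message text


def normalize(body: str) -> str:
    """Case-fold and collapse whitespace so cosmetic re-spacing or re-casing of
    the same payload still yields the same signature."""
    return re.sub(r"\s+", " ", body.strip().lower())


def signature(body: str) -> str:
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


# Hypothetical worm message text (constructed, not a real sample).
KNOWN_BAD_TEXT = "New game! Install from http://example.invalid/free.jar"
KNOWN_BAD_SIGNATURES = {signature(KNOWN_BAD_TEXT)}


def match_signatures(records, sigs=KNOWN_BAD_SIGNATURES):
    """Return the records whose normalised body matches a known signature."""
    return [r for r in records if signature(r.body) in sigs]


def detect_fanout(records, window=300, threshold=5):
    """Flag senders that reach >= threshold distinct recipients within `window`
    seconds. Keyed on sender only, so a body that changes per copy (the
    'morphing' case) is still caught. Returns {sender: peak_distinct_recipients}."""
    by_sender = defaultdict(list)
    for r in records:
        by_sender[r.sender].append(r)
    alerts = {}
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda r: r.ts)
        peak = 0
        for i, cur in enumerate(msgs):
            # Distinct recipients reached in the window ending at this message.
            seen = {m.recipient for m in msgs[: i + 1] if cur.ts - m.ts <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[sender] = peak
    return alerts


def build_sample_log():
    """Constructed log: one normal user, one phone sending the known payload
    with cosmetic variations, one phone whose body changes per recipient."""
    records = []
    # Normal user: three unrelated messages to three friends over two hours.
    for ts, who, text in [
        (0, "+15550002", "running late, order me a coffee"),
        (3600, "+15550003", "did you see the game last night?"),
        (7200, "+15550004", "call me when you land"),
    ]:
        records.append(SmsRecord(ts, "+15550001", who, text))
    # Infected phone A: known payload to eight phonebook entries in 84 seconds.
    variants = [
        KNOWN_BAD_TEXT,
        KNOWN_BAD_TEXT.upper(),
        "  " + KNOWN_BAD_TEXT + "  ",
        KNOWN_BAD_TEXT.replace(" ", "  "),
    ]
    for i in range(8):
        records.append(SmsRecord(10000 + i * 12, "+15550099", f"+1555010{i}", variants[i % 4]))
    # Infected phone B: body differs per recipient, so only fan-out catches it.
    for i in range(6):
        body = f"hey {i}, grab this ringtone http://example.invalid/tone{i}.mid"
        records.append(SmsRecord(20000 + i * 20, "+15550077", f"+1555020{i}", body))
    return records


if __name__ == "__main__":
    log = build_sample_log()
    print("signature hits:", len(match_signatures(log)))
    print("fan-out alerts:", detect_fanout(log))
```

The normal user never trips either check; the fixed-payload phone trips both, and the changing-body phone trips only the fan-out count, which is the gap a pure pattern match leaves open.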

HTRegz
February 29th, 2004, 10:55 PM
Hey Hey,

Soda_Popinsky mentioned doing the same thing with a modem. It was possible and it has been done, however not to any great extent. Think back to the old Hayes-compatible modems and the AT strings you could pass them. ATH to hang up and ATH0 to hang up and go into command state. These were used a lot on IRC. You could pull it off rather simply. AFAIK you could even use a CTCP PING on IRC and never need the person's IP address; however, the most common way was hex code in an ICMP PING. Well, now that was to hang up the modem, but there were other commands as well.. ATDT would cause it to dial a number. I don't know why it never happened, maybe we were just lucky, but a virus that issued an ATDT911 command, or any other number, could have been spread rather quickly, or even something coming into the computer like an ECHO REQUEST.

Anyways, just wanted to add that.... I know I started this, but I don't have much to add. It was just something that was on my mind, although I'm enjoying the read.

Peace,
HT

Lightning_Girl
March 1st, 2004, 03:11 AM
Never thought about it, but yeah, I guess you could get a virus on your cell and then it gets transmitted to everyone else's cells.

Vorlin
March 1st, 2004, 03:27 AM
With SMS/WAP/etc all on the rise, I can see it definitely being abused in some sense, just like wireless networking was a greatfantasticoutstandingwhydidn'twethinkofthissooner idea until people found out they could hijack networks and leech off someone else's bandwidth as well as look at corporate data.

This is the consequence of thinking of a great idea and promoting it without thought of how it could be abused. Never trust user input :D :D :D...

valhallen
March 1st, 2004, 04:12 AM
I haven't heard anything about a self-replicating virus on cells as of yet, but there have been instances of malcode written for them.
One I have come across was in the older Nokia phones - there was certain code that could be sent through text messages that would cause the screen to blink on and off....once the message was viewed, the only way to stop it was to turn off the phone. Hardly a major issue.

But with the technology advancing so quickly, I don't think it is too far in the future before viruses similar to what has already been mentioned become a real-life problem.

v_Ln

UpperCell
March 1st, 2004, 05:36 AM
What a wonderful sociological exercise. Imagine this. It could certainly be a reality in just a while here.

The Corporate Petri Dish

Desk attendant: Good evening sir, how can I help you?

Bob: I need to speak with Mr. D, He's expecting me.

Bob's Cellphone: Beep Beep Beep ... Beep Beep Beep.

Bob: Oh, it looks like your network's caught some sort of bug.

Attendant: Yeah, there's some virus in the air. You might want to turn your phone off. The tech guys haven't cured it yet.

Bob: No, mine blocked it.

Attendant: Still, it's a good habit to get into. Leaving it on all the time you'll never know when some little bug will crawl in and make itself at home. Just last month I got one that infected every computer I walked by almost. The tech guy said someone was trying to store child porn on my phone or something. It was a drone or droid or something like that to put pictures on.

Bob: You mean a zombie?

Attendant: Yeah, something like that.

Bob: They aren't trying to store stuff on your phone, your phone's just infected to spread it. They're hoping you'll walk by the server room with your phone on one time and they'll get all that to keep their trash on.

Attendant: Yeah, I heard we got this one from across the street. They said it just came out of nowhere. On systems that aren't even hooked to the internet. I guess that means it's not supposed to happen.

Bob: Well, if they're simple enough to expose sensitive stuff to the air, who knows.

Attendant: Maybe....

Bob: Anyways, I need to get going, is he in?

Attendant: Ahhh, I don't know, his desk phone's got it too, I guess. It's beeping and all sorts of stuff.

Bob: Let me guess? VoIP?

Attendant: Yeah, it's no good.

Bob: Alright, I'll just go see him.

Attendant: Alright, but you have to step in the Scanner Cubicle over there.

Bob: My phone, PDA, and watch all have the latest AV, they'll be fine.

Attendant: It's company policy, I'll have to insist. That or you'll need to leave them here.

Bob: What? and leave them here where they can catch whatever other bugs you've got on the network?

Attendant: If you'll just step in for the scan it'll only take about 10 minutes.

Bob: Alright, man! We were just gonna plan a stupid fishing trip, never mind. I'll just go to his house tonight... sans gadgets...




Missing man

"Sure are a lot of people out today. Nice weather too" the waiter cut in too cheerily.
"Yeah, a whole lot" Responded Joe with obvious lethargy.
Joe is sitting nervously at the counter of the coffee shop surveying the airport's cavernous interior. His 4 accomplices wait nearby, positioned strategically across the floor. Ignoring one another per the plan, they wait for their lead man. He has the payload, the reason for their operation. They sit in position like fighter pilots awaiting the order to scramble, though their Spitfires remain impotent. They hold phones and PDAs close in anticipation. A single beep, a specific combination of rings; they all set signals to recognize his arrival. All they need is the sign.

--

"I'm going down the far left, Phil, you're next, Joe down the middle. Norb, you'll get the right." commanded Jake, their leader.
"What about me?" asked Billy
"Shrimp... think about it, 5 people, all but the second to right position full... what's your position?"
"Oh, right." Billy responded.
"You've got your SONY right Will?" asked Phil.
"Yes, and I'm Billy." he blurted.
"Ok, you're not using that sissy HP thing are you, Joe?" demanded Jake.
"No, no, I've got my uncle's Sharp with Linux," Joe defended.
"Alright, at least you've *borrowed* a real palm box."
"Yeah."
"So it's on for this Saturday. It'll be like the most crowded travel day for months. It'll be great" explained Jake.
"Yeah!"
"You know it!"
"We leet!"
"..."
"..."
"Shut up Norb."
"Dude, I'm so just kidding."

--

Before anyone sees Jake, his gadgets make themselves known to his companions. This is how it's supposed to go down. No one is to know the whereabouts of the others. If nothing else, the sheer size of the structure and masses of people should save them. Jake began the uploads. He had tailored three strains of the infection. They were to be known as xmlbocf.CF, xmlbo_14.W32, and xmlbopda.LZ. Known to Jake and his team as Red, White and Blue respectively. All three were crafted for the same purpose, though they relied on slightly different exploits, XML parser buffer overflows. They were to target certain cell phones, Windows PCs and certain PDAs respectively.
Jake sent the white to Norb, and intended to use it himself. He sent the red to Phil and Billy, and the blue to Joe. This pattern would efficiently target intended victims, with PCs along the walls in shops, cell phones largely among the crowd, and Joe's Sharp putting out a stronger signal to the lesser number of active PDAs on the floor. All they needed to do now was take a walk.

--

“So… why are we walking that way? Me and Norb will be walking uphill most of the way.”
“Do you want to be walking directly into the sun for like, ten minutes?”
“No, never mind. You really did think of everything didn’t you Jake?”
“Yeah, I try.”

--

Joe gets up and heads east as instructed. White-knuckled hands quivering with excitement, though he is only taking a stroll. He struggles to look calm as feelings of dread and romance fill his mind. The picture of the group heading off like the Blue Angels leaving colored smoke in their wake. The patriotic pattern betrayed by Jake's randomly directed anarchist motivations. Though all he had to do was walk. He can't remember a time when he couldn't do that. A far cry from flying a Hornet.

That's it, they've completed about half of their constitutional, and the realization that there shouldn't be anything in existence that can catch them or trace them is setting in. There's something wrong though. Norb and Joe notice at about the same time. Joe notices too much commotion toward the south wall of the terminal. There's shouting and a crowd gathering. He decides it's probably a pickpocket or something. The plan goes ahead. All they have to do is make it to the east end and they've done all they can to propagate the fruits of Jake's labor.
It’s become apparent now that the subject of the commotion has been silenced. Shortly thereafter several security guards and the apparent perpetrator can be seen gliding along a moving elevated walkway. It’s immediately clear to both Joe and Norb that Billy is being carted off above and between them both.
Their only choice is to proceed as planned.

They reach the east end and prepare to depart. They planned to leave at that point after waiting at different intervals to avoid suspicion. This time it was Jake who broke procedure.
“What the **** happened?” Jake demanded as he gathered them.
“I have no idea.” Joe answered,
“He just got caught I don’t know what for.” Confirmed Norb.
"I'd bet I know," Phil proposed.
"You don't think..."
"Billy's a whiz at looking harmless. He didn't get caught for looking suspicious, and he'd never nab a purse, I'll tell you that."
"I thought that kind of scanner was just theoretical," pleaded Jake.
"Guess not," Phil added solemnly.

Joe's mind again faded to the vision of F-15s flying overhead. Jake, Phil, Joe and Norb flying straight ahead, and then Billy. Where's Billy?

PuReExcTacy
March 1st, 2004, 09:20 AM
Cell Phones are the new target of spammers. I see it as a whole new place to get junk email.


--PuRe

UpperCell
March 1st, 2004, 05:48 PM
That'd be crazy, especially if small devices start using either Bluetooth or 802.11x even more. Just make a prog on a PDA or PalmTop that simulates being a phone or something, send out your bug wirelessly with a spoofed/random phone id type thing (assuming such ids do or will exist) and catch all little boxes around you. How can that be traced if, for example, you drive by people with phones and such? Talk about WAR driving in a more literal sense...

edit:added the word 'more' to line 1

mohaughn
March 1st, 2004, 07:24 PM
a "high-level" ASM that works across all/most cellphones allowing for better manipulation of low-level functions and such, but still not specific to one phone.

That will never happen. There are currently several different OSes that are being used on phones: Symbian, PalmOS, Windows CE, etc... Not to mention that there is not a single standard in terms of how the phone "desktop" operates. Even with Nokia phones there are 4-8 different ways of programming the phone to work depending on which model, and how old it is.

There will definitely be issues that impact one specific phone, or type of phone. But there will not be a virus/malware that will attack all phones effectively.

PuReExcTacy
March 1st, 2004, 07:39 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=255233#post725470) by mohaughn
That will never happen. There are currently several different OS'es that are being used on phones, symbian, palmos, windows ce, etc... Not to mention that there is not a single standard in terms of how the phone "desktop" operates. Even with Nokia phones there are 4-8 different ways of programming the phone to work depending on which model, and how old it is.

There will definitely be issues that impact one specific phone, or type of phone. But there will not be a virus/malware that will attack all phones effectively.

You are right about there being different platforms, but that still doesn't protect the phones from participating in dos attacks, flooding email servers with useless messages, and social engineering and identity theft.

There's lots of security one should take into account, for instance, does the phone have internet access, also, does it have bluetooth enabled. Such things can be used adversely, for example, and this is just speaking hypothetically: a mass email gets sent to thousands or millions of phones, by using a script to just mail xxx-xxx-xxxx@sprintpcs.com . Now this email has images it's supposed to display (it's an HTML email); those images sit on a webserver. Upon request of the image, the webserver scans the requesting IP to determine the OS of the phone and use a known exploit (possibly some ActiveX in an M$ phone, or some Java sploit for a Nokia).

This is not imagination, I think it's just more a matter of time, before virus writers, really start getting more creative with their code.


--PuRe

Tronic
March 7th, 2004, 10:58 PM
Well....there's a lot of factors this depends on..but I think it would be possible, I have thought of this some myself and ran into some walls...

Differing operating systems and architectures...I wouldn't see how you could get past this..unless you were either sure that certain people were on the same cell phone..maybe you have one host device..sending to people who are known to have that type of phone and/or config?

The only other thing would be assuring that it actually spread. Possibly through their phone book etc etc, or maybe even a certain list of targets..that you've coded into the malware. And quite possibly...you could use this for flooding purposes....

I could see a lot of spreading, but what would happen if you sent code from a PalmOS to a Windows CE based device?

And the only thing I would see wrong with that phone book theory...is that they would probably see that you're sending a file..doesn't totally guarantee that they'll d/l the file and exec it.

muert0
March 7th, 2004, 11:20 PM
Is a self-propagating worm that infects Microsoft ActiveSync through Windows XP possible? Both of my PDAs use ActiveSync and I am just a small part of the world. They also have wireless ethernet cards.

Vorlin
March 8th, 2004, 12:33 AM
Makes me all the more glad that I don't have or ever will have a PDA nor do I have an internet-capable cell.

Tronic
March 8th, 2004, 02:16 AM
lol, I'm getting a PDA in around a month or two but....geesh...these things are expensive!! o.o

And yes, I think it would be possible. Just don't count on it being a "big" concern..I would think that unless you could find a way to launch this attack remotely..i.e. send it and launch it....you shouldn't be in that big of a pickle. Since if they have physical access somehow then they could do worse things.

As far as I know, the virus world through PDAs is up and coming, but as there are many big differences between PDAs and PCs a lot of them can't be carried over. However, more on topic..what I mean to say is that yes, it is possible, but don't expect it. PDAs and wireless are still "fairly" new..we still have yet to have an overall use for this on the side of worms.. I mean..how many ATMs do you see running wirelessly? Or..anything with highly secure data that would prove really useful? I think, on the subject of worms, corporate wireless networks would be more of a useful attack than PDAs..

muert0
March 8th, 2004, 03:06 AM
Why not expect it? A simple attachment sent to a few hundred email accounts with a virus that sends to everyone in that person's address book and it's done. Especially if it spreads like the worm that took out SCO.
With that large of an infection it would surely spread to enough PDAs. But oh well, it's only speculation, why plan for the future. Or am I way off in thinking it's gonna happen sooner than later?

Tronic
March 8th, 2004, 11:39 PM
I might be correct in thinking..that it's already in development as we speak.

As for the problem, it was the whole thing about people not opening the e-mail. You would have to come up with some naming convention..because these days you see a commercial every 2 or 3 hours, like AOL or whatnot..that they have AV and that it scans "attachments". The world is a lot more open to that sort of thing now and distrusts attachments.

But maybe..there were software(s), that update certain things....like lets say a form of windows update, that could be a possible form of infection..although harder..it could probably be done.

Tim_axe
March 9th, 2004, 08:13 AM
I think a limiting factor in cell phone and PDA trojans/zombies is that cell networks are running at high capacity already. It doesn't matter if you can get a DDoS-type trojan onto every single cell phone in America or whatnot. If you initiate an attack, the cell tower will be overloaded. Granted, there would be quite a bit of bandwidth, but only maybe 5% or so of the cell phones could actually attack since the tower would become overloaded. You have much less effective attacks due to this, although it can still be crippling. It could at least prevent anyone with a cell phone from calling 911, since the tower might not be accepting any more cell phone traffic.

For PDAs, they usually are not connected to the Internet 100% of the time. They don't have enough power to maintain long range, high-speed connections 24/7. Their batteries last maybe 7/8 hours with the backlight off and nothing running. That number quickly drops when it is under load and with a wireless card, but I don't know by how much since my PDA doesn't have a WiFi card. Also, PDAs are fairly easy to turn off, and currently you would need a specialized virus to have it start back up and hide when you turn the PDA on/off.


PDAs could be where an attack is controlled from, since they are somewhat inexpensive and easy to throw away. A simple hard reset could eliminate pretty much all evidence, since they don't usually store stuff in permanent storage like a HDD. But as for the zombies, I think they could be a threat, though not an efficient one. I'd probably be more concerned if a virus could steal my cell phone ID, account number, hack into the cell company's database to get CC details, etc., but I guess I'm lucky my cell phone doesn't work in the USA. :)

tomdaq
March 9th, 2004, 09:47 AM
I've often wondered why I haven't heard more about viruses spreading through Bluetooth-enabled devices. I don't know much about Bluetooth standards, so maybe it's too difficult to bother with or just not effective enough to bother with, but I can definitely imagine a few uses for this type of malware. Especially with the U.S. E911/GPS requirements in cell phones these days. Talk about privacy concerns; a malware author could track movements, messages, calls made, calls received, etc... I'm sure somebody will come out with a phone (if it's not out already) that has the ability to record a phone conversation - aaayyy, that's a scary thought!

As for spreading from one phone to the next, it seems like the malware would only need to target the application/OS in question. After all, MS is not likely to modify Pocket PC to the manufacturer's phone specifications. I'm sure it's the other way around.

On a side note, the new Lexus LS 430 is bluetooth/wireless enabled. I'm sure this feature could be used to extract information about the vehicle at the very least. It seems the more technologically advanced our society becomes, the more disaster prone it gets.

_TOMDAQ

omol
March 9th, 2004, 12:45 PM
Phone security runs on elliptic curves and is so secure, only about 80-100 possibilities have been uncovered and it would take about a network of 3000 computers to break the code as it runs on a mathematical theory with about 1000 billion possibilities.

Tronic
March 24th, 2004, 12:19 AM
Are we speaking of landline or wireless phone?

It depends on the phone and the implementation and what it travels through and what company it's going through etc etc.

But you're right about one thing, it is very tough to break. Since most phones these days are digital and switch frequencies VERY fast, you would have to monitor thousands of frequencies at a time, and even then you'd probably get an extremely high rate of unwanted traffic and not come close to getting a single conversation with much intelligible data. UNLESS you can predict the switching algorithm in place, which from what I've heard is extremely difficult to even come close to.

Ahh, just got my new palm pilot too :)

About ActiveSync, I've noticed on my firewall that ActiveSync attempts to contact some server (seems to be an ad-server) on the internet. Quite possibly the data that this server sends could in fact be executed in a manner which is malicious in nature. Quite possibly you could spoof the reply packets' source IP and somehow send malicious code over the wire, however, only if ActiveSync knows how to run the code and if there's no valid code checking involved. And this would probably require a DoS to the ActiveSync server so that ActiveSync doesn't close the connection on ya. But I dunno, that's the only thing I could think of right now..

Cybr1d
March 24th, 2004, 12:53 AM
Tronic we're talking about cell phones (Wireless)

As for:

Since most phones these days are digital and switch frequencies VERY fast, you would have to monitor thousands of frequencies at a time, and even then you'd probably get an extremely high rate of unwanted traffic and not come close to getting a single conversation with much intelligible data. UNLESS you can predict the switching algorithm in place, which from what I've heard is extremely difficult to even come close to.


Here's some information on how cell phones actually work...perhaps we can come up with more theories about the possibility of malicious code being transmitted through cell phones. Hopefully cell phone makers are reading this and learning how to make cell phones safer in the future.

Info Provided by: http://electronics.howstuffworks.com

In a typical analog cell-phone system in the United States, the cell-phone carrier receives about 800 frequencies to use across the city. The carrier chops up the city into cells. Each cell is typically sized at about 10 square miles (26 square kilometers). Cells are normally thought of as hexagons on a big hexagonal grid.

Because cell phones and base stations use low-power transmitters, the same frequencies can be reused in non-adjacent cells.

A single cell in an analog system uses one-seventh of the available duplex voice channels. That is, each cell (of the seven on a hexagonal grid) is using one-seventh of the available channels so it has a unique set of frequencies and there are no collisions:

A cell-phone carrier typically gets 832 radio frequencies to use in a city.
Each cell phone uses two frequencies per call -- a duplex channel -- so there are typically 395 voice channels per carrier. (The other 42 frequencies are used for control channels -- more on this on the next page.)
Therefore, each cell has about 56 voice channels available.
In other words, in any cell, 56 people can be talking on their cell phone at one time. With digital transmission methods, the number of available channels increases. For example, a TDMA-based digital system can carry three times as many calls as an analog system, so each cell has about 168 channels available.

Cell phones have low-power transmitters in them. Many cell phones have two signal strengths: 0.6 watts and 3 watts (for comparison, most CB radios transmit at 4 watts). The base station is also transmitting at low power. Low-power transmitters have two advantages:
The transmissions of a base station and the phones within its cell do not make it very far outside that cell. Therefore, in the figure above, both of the purple cells can reuse the same 56 frequencies. The same frequencies can be reused extensively across the city.
The power consumption of the cell phone, which is normally battery-operated, is relatively low. Low power means small batteries, and this is what has made handheld cellular phones possible.
The cellular approach requires a large number of base stations in a city of any size. A typical large city can have hundreds of towers. But because so many people are using cell phones, costs remain low per user. Each carrier in each city also runs one central office called the Mobile Telephone Switching Office (MTSO). This office handles all of the phone connections to the normal land-based phone system, and controls all of the base stations in the region.

Digital cell phones use the same radio technology as analog phones, but they use it in a different way. Analog systems do not fully utilize the signal between the phone and the cellular network -- analog signals cannot be compressed and manipulated as easily as a true digital signal. This is the reason why many cable companies are switching to digital -- so they can fit more channels within a given bandwidth. It is amazing how much more efficient digital systems can be.
Digital phones convert your voice into binary information (1s and 0s) and then compress it (see How Analog-Digital Recording Works for details on the conversion process). This compression allows between three and 10 digital cell-phone calls to occupy the space of a single analog call.

Many digital cellular systems rely on frequency-shift keying (FSK) to send data back and forth over AMPS. FSK uses two frequencies, one for 1s and the other for 0s, alternating rapidly between the two to send digital information between the cell tower and the phone. Clever modulation and encoding schemes are required to convert the analog information to digital, compress it and convert it back again while maintaining an acceptable level of voice quality. All of this means that digital cell phones have to contain a lot of processing power!

There are three common technologies used by cell-phone networks for transmitting information:
Frequency division multiple access (FDMA)
Time division multiple access (TDMA)
Code division multiple access (CDMA)
Although these technologies sound very intimidating, you can get a good sense of how they work just by breaking down the title of each one.
The first word tells you what the access method is. The second word, division, lets you know that it splits calls based on that access method.

FDMA puts each call on a separate frequency.
TDMA assigns each call a certain portion of time on a designated frequency.
CDMA gives a unique code to each call and spreads it over the available frequencies.
The last part of each name is multiple access. This simply means that more than one user can utilize each cell.


GSM is the international standard in Europe, Australia and much of Asia and Africa. In covered areas, cell-phone users can buy one phone that will work anywhere where the standard is supported. To connect to the specific service providers in these different countries, GSM users simply switch subscriber identification module (SIM) cards. SIM cards are small removable disks that slip in and out of GSM cell phones. They store all the connection data and identification numbers you need to access a particular wireless service provider.

Unfortunately, the 1900-MHz GSM phones used in the United States are not compatible with the international system. If you live in the United States and need to have cell-phone access when you're overseas, the easiest thing to do is to buy a GSM 900MHz/1800MHz cell phone for traveling. You can get these phones from Planet Omni, an online electronics firm based in California. They offer a wide selection of Nokia, Motorola and Ericsson GSM phones. They don't sell international SIM cards, however. You can pick up prepaid SIM cards for a wide range of countries at Telestial.com.





Technically you'd only need a fast frequency scanner to do the work. Generally if a user is not driving...and they stay in one location, they could be affected by malicious code transmitted through the WiFi. (Theoretically)


An article from Cornell University speaks of Cell Phone security:
http://www.cit.cornell.edu/cellphone/security.html

Cell phones are more vulnerable than regular phones due to two dangers: eavesdroppers can listen in on your calls, and thieves can bill their own calls to your account.

Eavesdropping: Anything you say on an analog cell phone can be easily overheard by someone using a scanner. Digital cell phone transmissions are scrambled for better protection, but eavesdroppers with the right equipment may be able to unscramble them.

The best protection? Be aware of what you discuss on your cell phone. Remember that it acts as a handheld broadcast station. Don't give out your credit card number or other sensitive or confidential information; don't say anything you wouldn't say on broadcast radio or TV.

Fraudulent billing: It is possible for thieves to intercept a cell phone signal and clone the phone's ID numbers (its Electronic Serial Number and Mobile Identification Number, or ESN/MIN). The result is the equivalent of a stolen calling card. Some simple countermeasures include:

Limit "roaming": Review which phones have roaming enabled and limit these as much as practical. Roaming usually defeats the use of Personal Identification Numbers (PINs). Cloners prefer roaming phones for this reason and they target airport parking lots, airport access roads, and rural interstates. Roaming also makes it more difficult for some cellular carriers to use fraud-detection programs to monitor an account and shut it down when fraud is detected.

Turn the phone off. Cell phones poll the cellular base station with the strongest signal every few seconds. This is how the system knows which base station to route calls through. However, this polling exposes the phone to interception and cloning.

Review all bills and report every erroneous call to the service provider. There are two types of cloning:
Outright theft of the phone's ESN/MIN is most common. A bill will reflect hundreds, even thousands of bogus calls.
The other type of cloning is called tumbling, where a cloned phone uses a different ESN/MIN for each call. A bill might have only one bogus call this month, none next month, but three calls the month after that. The phone has still been cloned and fraud is occurring.

Prefer hands-off vehicle-mounted phones to handhelds. The boxes used to capture ESN/MIN have a limited range; cloners will follow an individual they know is using a phone. Recent news reports reflect the chances of an accident increase substantially if a driver is operating a vehicle and a cellular phone simultaneously.



What's most interesting though, is this article from Wired News written in 1998:

http://www.wired.com/news/technology/0,1282,11630,00.html

A group of California-based computer experts claims to have compromised the cryptographic security behind the world's most popular digital cell-phone system, making it possible to clone any phone using the GSM standard.

The Smartcard Developer Association says it cracked the algorithm used as the basis for the Global System for Mobile Communications (GSM) -- a digital cellular phone system that is used in about 80 million cell phones, primarily in Europe and Asia. Many US networks are starting to implement GSM standards, too, and this attack was launched against a card issued by Pacific Bell. If the group's claims are true, it could lead to a recall or reissue of the smart cards used in GSM-based phones.



"GSM is likely to face fraud problems of the same magnitude as analog systems have had," said Marc Briceno, a member of the SDA who said that analog systems have lost billions of dollars because of cellular phone cloning.

GSM-based cell phones work with a small card containing an electronic chip called a Subscriber Identity Module card. The SIM card inserts into the back of the cellular phone and contains information that is used to identify subscribers and their account information to the GSM network. The SIM card must be inserted into a GSM Mobile handset to obtain access to the network, and one of the primary benefits of the technology is that cell phones have access to GSM networks worldwide.

However, to clone a SIM card, a would-be cracker would have to have physical possession of one. Unlike the cloning used in analog systems, the crack does not yet include being able to listen in on people's phone calls or obtain a SIM ID via the airwaves, although the SDA has stated that an "over-the-air attack should not be ruled out."

The SIM uses encryption to keep the identity of the phone secret, and the encryption algorithm used on most of the GSM network is called COMP128. The SDA was able to obtain the secret ciphers used by the GSM network. After verifying authenticity, the group turned them over to UC Berkeley researchers David Wagner and Ian Goldberg, who were able to crack the COMP128 algorithm within a day. In 1995, Wagner and Goldberg succeeded in another high-profile hack when they compromised the crypto code used in Netscape's Navigator browser, which was supposed to secure credit-card transactions.

"Within hours they discovered a fatal flaw," said Briceno. "The attack that we have done is based on sending a large number of challenges to the authorization module in the phone. The key can be deduced and recovered in about 10 hours."

A group of hackers gathered with security and crypto experts Friday evening at a San Francisco hacker club called New Hack City, for a demonstration of the hack, but it never came off. Eric Hughes, a member of the SDA and founder of the Cypherpunks cryptography group, discussed the technical aspects of the hack, but had to give up the planned demonstration after threats of legal action from Pac Bell and other telephone company executives. It is illegal in the United States to possess cellular phone cloning equipment, although legitimate businesses are exempted. The telephone companies dispute SDA's claims to legitimacy.

Wagner blames the ease of the crack on the secrecy with which the ciphers were kept.

"There is no way that we would have been able to break the cryptography so quickly if the design had been subjected to public scrutiny," said Wagner.

The GSM standard was developed and designed by the European Telecommunications Standard Institute, an organization that has about 500 members from 33 countries, representing administrations, network operators, manufacturers, service providers, and users.

"There's going to be an orgy of finger pointing," said Hughes, referring to all the engineers and other people associated with the design of the GSM network.

The SDA say that they were able to crack the GSM network algorithm due to weak encryption in the original design. When the system was being designed, several European government agencies were successful in their demands to weaken encryption standards for government surveillance purposes.

The SDA also claimed that the GSM security cipher that keeps eavesdroppers from listening to a conversation called A5 was also made deliberately weaker. The A5 cipher uses a 64-bit key, but only 54 of the bits are actually in use -- 10 of the bits have been replaced with zeroes. The SDA's Briceno blames government interference.

"The only party who has an interest in weakening voice privacy is the National Security Agency," he said.

The SDA said that a proper demo will be taking place soon from somewhere outside the United States. The group has also released the source code for COMP128 and A5 for further testing.




Phone security runs on elliptic curves and is so secure, only about 80-100 possibilities have been uncovered and it would take about a network of 3000 computers to break the code as it runs on a mathematical theory with about 1000 billion possibilities.



Omol, how did you come up with those numbers?
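As an added illustration of the frequency-reuse arithmetic quoted above from howstuffworks (this is not code from the original post or from that article), the Python script below uses the article's figures (832 frequencies, 42 control channels, duplex pairs, a 7-cell cluster, 3x for TDMA), lays out a hexagonal cell grid and checks the rule that adjacent cells never share a channel group. The axial hex coordinates and the (q - 2r) mod 7 group assignment are my own choices for the N=7 pattern.

```python
"""Hexagonal frequency-reuse plan for an analog (AMPS-style) cell system.

Added example; the constants come from the howstuffworks excerpt quoted in
the thread, the grid layout and group formula are the example author's own.
"""
from collections import defaultdict

TOTAL_FREQUENCIES = 832      # per carrier per city (from the article)
CONTROL_FREQUENCIES = 42     # reserved for control channels (from the article)
REUSE_FACTOR = 7             # classic 7-cell hexagonal cluster
TDMA_CALLS_PER_CHANNEL = 3   # article: TDMA carries 3x the analog calls

# Axial (q, r) offsets of the six neighbours of a hexagonal cell.
HEX_NEIGHBOURS = ((1, 0), (-1, 0), (0, 1), (0, -1), (1, -1), (-1, 1))


def voice_channels(total=TOTAL_FREQUENCIES, control=CONTROL_FREQUENCIES):
    """Duplex voice channels: each call needs two frequencies."""
    return (total - control) // 2           # 395 with the article's numbers


def channels_per_cell(reuse=REUSE_FACTOR, digital_multiplier=1):
    """Voice channels one cell may use; TDMA multiplies the analog count."""
    return (voice_channels() // reuse) * digital_multiplier   # 56 analog, 168 TDMA


def channel_group(q, r, reuse=REUSE_FACTOR):
    """Which of the 7 channel groups cell (q, r) uses.

    For N=7 the co-channel cells sit at the 'two hops, then one hop at 60
    degrees' offsets of the classic pattern; (q - 2r) mod 7 is zero on
    exactly those offsets and differs on every one of the six neighbours.
    """
    if reuse != 7:
        raise ValueError("this assignment formula is specific to N=7")
    return (q - 2 * r) % reuse


def hex_distance(a, b):
    """Number of cell hops between two cells given in axial coordinates."""
    dq, dr = a[0] - b[0], a[1] - b[1]
    return (abs(dq) + abs(dr) + abs(dq + dr)) // 2


def plan_city(radius):
    """Assign channel groups to every cell within `radius` hops of the centre."""
    plan = {}
    for q in range(-radius, radius + 1):
        for r in range(-radius, radius + 1):
            if hex_distance((q, r), (0, 0)) <= radius:
                plan[(q, r)] = channel_group(q, r)
    return plan


def reuse_violations(plan):
    """Pairs of adjacent cells that share a channel group (should be empty)."""
    bad = []
    for (q, r), grp in plan.items():
        for dq, dr in HEX_NEIGHBOURS:
            n = (q + dq, r + dr)
            if n in plan and plan[n] == grp and (q, r) < n:
                bad.append(((q, r), n))
    return bad


def min_cochannel_distance(plan):
    """Closest two cells that reuse the same group (3 hops for N=7)."""
    by_group = defaultdict(list)
    for cell, grp in plan.items():
        by_group[grp].append(cell)
    best = None
    for cells in by_group.values():
        for i, a in enumerate(cells):
            for b in cells[i + 1:]:
                d = hex_distance(a, b)
                best = d if best is None or d < best else best
    return best


def group_sizes(plan):
    """How many cells each group covers; with N=7 all seven groups appear."""
    counts = defaultdict(int)
    for grp in plan.values():
        counts[grp] += 1
    return dict(counts)


if __name__ == "__main__":
    plan = plan_city(radius=4)
    print("duplex voice channels per carrier:", voice_channels())
    print("analog channels per cell:", channels_per_cell())
    print("TDMA channels per cell:",
          channels_per_cell(digital_multiplier=TDMA_CALLS_PER_CHANNEL))
    print("cells planned:", len(plan), "groups used:", sorted(group_sizes(plan)))
    print("adjacent cells sharing a group:", reuse_violations(plan))
    print("closest co-channel reuse (hops):", min_cochannel_distance(plan))
```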

RoadClosed
March 24th, 2004, 06:19 PM
Encryption standards on modern systems are very tough to break. I think that is what omol was getting at. You wouldn't need a very fast frequency scanning device if you listened to a single transmitter and recorded all the data. Of course you would have to break the encryption on the systems that utilize it. In this scenario you could listen to an entire cell and record data for all channels. Those frequencies are fixed and assigned by the FCC. Fast frequency hopping is only an issue for systems that spread data packets across multiple frequencies. CDMA does that and there are definitely systems that use that in the US. But again those freqs are hopping among the same site and if you record all fixed channels, then technically you could figure out the hopping algorithm and get it. You could see patterns easily in the hopping; proprietary systems utilize methods to randomize the events. Cell phone companies have laptop tools to monitor the process, and those could be compromised. But all in all the encryption is outstanding. Attacks made against cell sites will not be to compromise data, that would have to come from the source gateway in the near future unless encryption keys in cell phones are compromised. There are multiple layers of security and authentication built in.

Do not confuse Cell Phone technology with Wi-Fi, they aren't the same beast to me.

Excellent research Cybr1d

But no matter how secure the phone is, once it hits the switch it's converted to the same exact technology used to carry any call in the world and those areas can be intercepted and tapped, along with data gateways to the internet so you get your text message from sweety.

bballad
March 24th, 2004, 07:19 PM
I think Tronic was wondering about wireless land line type phones...correct? Forget about security with those; anyone with a scanner that can hit 900 MHz (or whatever your phone uses) can pick up your conversation. (My baby monitor picks up my neighbor's phone.)

RoadClosed
March 24th, 2004, 08:30 PM
There are frequency hopping versions of those 900 MHz - 5 GHz wireless phones as well. They are expensive and most people wouldn't pay that much for something they wrongfully believe to be secure, that is until recently. Make sure you get a digital spread spectrum one. There are scanners that will figure the hop algorithm when fed random information from number generators, but the baby monitor won't pick up on it. If it does happen across a channel for a split second, it will sound like static. By the time the baby monitor locks the signal it would be gone again. It seems that it's actually getting hard to find a 900 these days at specialty shops outside of Wal Mart. Most are 2.4 Gig.

bballad
March 24th, 2004, 09:08 PM
Ya but with some of the older scanners you can pick up the 2.4 band also...I have one somewhere in my basement, but it was my understanding that most 2.4s hopped, is this correct?

RoadClosed
March 24th, 2004, 09:19 PM
Most hop because by the time they were licensed the technology was cheaper. Some do not because at the beginning the difference between hoppers and non-hoppers was several hundred dollars. Most people didn't want to pay over 300 bucks for a cordless phone. If it says digital spread spectrum or DSS it's a hopper.

Soda_Popinsky
June 21st, 2004, 12:52 AM
This Time, Cell Phone Virus Is for Real
Fri Jun 18, 2:05 PM ET
Carol Ellison - eWEEK

It had to happen: A computer virus has spread to cell phone networks. Kaspersky Labs issued an advisory Thursday on a network worm called Cabir that is evidently crawling its way through phones that use the Symbian operating system.


http://story.news.yahoo.com/news?tmpl=story2&u=/zd/20040618/tc_zd/129901

Cabir is the first network worm capable of spreading via Bluetooth; it infects mobile phones which run Symbian OS.

A wide range of phones from a number of manufacturers use this technology. It is clear that Nokia 3650, 7650 and N-Gage phones can all be infected by Cabir. However, any handset running Symbian OS is potentially vulnerable to infection.

http://www.viruslist.com/eng/viruslist.html?id=1689517

Trojan
July 14th, 2004, 04:34 PM
Hi,

My 2 pence on all of this.

Regarding breaking encryption algorithms, there are a lot easier ways of eavesdropping on a call. At the end of the day encryption to an entity must end somewhere for the transmitted data to be of any use, hence in our case it is decrypted in the mobile handset.

On the issue of smart phones, one can implement a MIDP applet to listen to the speaker on the handset when it starts to transmit data; the applet then just collects the data and pushes this out somewhere when the user connects to the net via his handset. Something that springs to mind here is DRM (Digital Rights Management): will this ever work, when data has to be decrypted and played back somewhere!!

Regarding different platforms and the difficulty to propagate a virus, I think this is interesting. I think there is a common factor in all OS's provided by vendors and that is a standard way to do a service, and almost all handsets now have support for J2ME, i.e. SMS is supported both on closed and open OS's; newer services that you will see (in the future) such as PoC (Push to talk over cellular) are another service that will be supported by all OS's. My point being, potentially a J2ME applet can easily exploit new services on a handset by propagating itself to all subscribers in a particular handset's phonebook. If you take a look at some MIDP APIs there is a powerful infrastructure already in place to access sensitive areas of a mobile handset.

Bluetooth on the other hand is a different kettle of fish. It can be used to transmit AT commands to a phone, meaning anything and everything can be exploited on a mobile handset unless some proprietary implementation prevents it. In fact this can be done over infrared but obviously more restrictive due to the frequency range. The Bluetooth protocol itself is fairly good security wise (to my knowledge) as they have just defined a new security pairing scheme and are also working on ciphering options over a Bluetooth link. I think in the future we will be seeing something called PANs (Personal Area Networks) which use Bluetooth to connect to one another; this is where things may get a little complicated as definitions for Master objects and authorisation/authentication within the PAN will become an issue, perhaps the use of TCG (Trusted Computing Group) may come into use here.

Regards,

mark_boyle2002
July 14th, 2004, 05:06 PM
HT Was right.

I just found this under my bed !

slarty
July 14th, 2004, 05:42 PM
On the issue of smart phones, one can implement a MIDP applet to listen to the speaker on the handset when it starts to transmit data, the applet then just collects the data and pushes this out somewhere when the user connects to the net via his handset.


MIDP does not allow applications to do either of those things without user authorisation. And on many phones, they aren't allowed to record from the microphone at all.

The MIDP system has been thought out reasonably well from a security standpoint. There is nothing inherently insecure about the API. Unfortunately, some vendor implementations might have serious holes in, and as vendors are free to implement their own APIs, some of those may be less well thought out.

At least it's better than the native-code game APIs, which generally let the game do anything it likes. A Symbian game can copy itself to a part of the filesystem that the user has no access to (hence can't delete it), and run continuously, if it wants to.

Having said that, there are still some controls over things being sent to phones, the software generally asks the user before downloading anything or installing anything. If the user is not present (i.e. the phone is in a pocket or something), the item won't be downloaded. In the case of Bluetooth, the sender would have to continue to try and send until the user confirmed it.

Slarty

Trojan
July 15th, 2004, 09:23 AM
MIDP does not allow applications to do either of those things without user authorisation.

AFAIK, MIDP1.0 does not implement any security controls at all; MIDP2.0 recommends using JSR 177, which is the recommended security practice (this implements the MExE-like security domain system) - most importantly it is not mandated. Thus, I believe you will see many phones that have KVMs which will allow you to do almost anything on the handset; in fact it is possible with the digital camera on most phones, i.e. take photos and have them posted to some server without any user consent.

The MIDP system has been thought out reasonably well from a security standpoint.
Not true for MIDP1.0, possibly true for MIDP2.0 - only if JSR177 is implemented.

At least it's better than the native-code game APIs, which generally let the game do anything it likes.

Indeed, I agree that Symbian native code is much less secure in terms of the application writer having APIs that let him get to the core of the OS and also access the radio stack, meaning attacks on the air interface can be possible (that should be very worrying to network operators); bear in mind MIDP2.0 without implementation of JSR177 can also be used for some fairly complicated attacks, however the APIs are not as rich as Symbian C. Nokia have 'hidden' APIs only available to Nokia developers and possibly some others ;) , which allow all sorts of platform specific (i.e. Series 60) features.

Having said that, there are still some controls over things being sent to phones, the software generally asks the user before downloading anything or installing anything.

Agreed, however, unfortunately this is due to the implementation and not usually to do with a particular standard, and implementation specific controls usually can be bypassed by the application/software; the key point in your quote above is that the software will ask.

Regards,

spamdies
July 15th, 2004, 09:34 AM
It's only a matter of time before there is a necessity for an AV for cell phones, and any device that's got any sort of OS. I heard a claim that the AV would be handled on the cell phone provider's servers, but this question has been in my mind since: the Bluetooth connection that allowed that virus to travel didn't spread through the provider's server but through a direct connection. The idea of Norton on a Nokia amuses me.

Trojan
July 15th, 2004, 10:03 AM
It's only a matter of time before there is a necessity for an AV for cell phones.

True, in the Japanese market AV is already deployed on the client side. This is mainly to do with network operators having the liability and not the handset vendor. We will see anti-virus solutions for the European market fairly soon, but I'm not sure that a client side solution will come to market too soon.

I heard a claim that the AV would be handled on the cell phone provider's servers, but this question has been in my mind since: the Bluetooth connection that allowed that virus to travel didn't spread through the provider's server but through a direct connection.

I'm not sure which Bluetooth 'virus' you are referring to? However, if you look at some propagation models, the chance of a Bluetooth self-replicating worm with a virus attached penetrating a vast number of subscribers is, I think, still fairly low. If you take into account that not everybody has Bluetooth enabled handsets, that those that do do not activate it (it is usually switched off by default), and that each subscriber has to be in a specified range to be vulnerable, the odds are stacked against it. Thus the reason for network filters at the moment: a virus will propagate a lot quicker through a GSM/GPRS/UMTS network than something like Bluetooth. I think network operators are assessing the costs to the real impacts and pumping money into those areas.

I do see client side solutions being implemented but not any time soon; I think users have difficulty updating the time and internet settings on their handsets, let alone trying to configure any AV software. Until network operators start to offer true Device Management capabilities I don't really see client side AV happening for mass market subscribers.

The idea of norton on a nokia amuses me.

Don't be surprised, F-Secure already have an AV solution for Nokia Symbian based handsets and other AV vendors are quickly following suit. NTT DoCoMo have a client side AV solution implemented by Network Associates - McAfee.

Regards,

slarty
July 15th, 2004, 07:15 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=255233#post770009) by Trojan
AFAIK, MIDP1.0 does not implement any security controls at all ...

... Thus, I believe you will see many phones that have KVM's which will allow you to do almost anything on the handset, in-fact it is possible with the digital camera on most phones i.e. take photos and have them posted to some server without any user consent.


I totally fail to see how:

1. There is no API in most phones to access the camera, or the filesystem where you might find pictures already taken
2. Access to the internet is denied by default, and on my phone it asks the user each time. Most phones I've seen always ask the user before allowing network access. Even then they only get HTTP (probably only on port 80).

Ok, so you could implement some kind of malware, like a scanner, which ran as a MIDlet, but the user would have to keep the application running continuously for it to work.

If the user doesn't see anything interesting happening on the phone, they will terminate the application (due to the fact that phones can't generally do anything much else while an app is running, they suspend the app temporarily on an incoming call)

MIDP1.0 may have no security features, but it has no security-vulnerable features either - there is no filesystem API, limited networking, no access to camera, bluetooth, IR, microphone.

Unless there's something I've very much overlooked. The classloaders aren't so stupid as to give the MIDlet full API access to the host VM, are they?

Mark

methsnax
July 15th, 2004, 08:59 PM
Well, I see cell phone viruses and worms being very rare if the market stays like it is now, diverse. With many different phones, different OS, different emulated OS, etc... Why are computer viruses so prevalent? We are virtually a monoculture of Win32 and PE32 based "stuff". I am approaching this from an almost purely theoretical, ecological standpoint. By increasing diversity (types of phones, OS, etc, that have non portable/compatible executable formats) of the gene pool you severely limit the ability of viruses to spread and affect/destroy the majority of the sample.
Example:
There is an island that just has horses. These horses have inbred for so long that their genes are almost exactly the same (blue skinned ;)). A virus comes along and kills all of them. That is the current situation with computers (and Windows) today. And it could be the future of cellphones unless we keep the market healthily diverse. Not only is it good from a viral standpoint, but also from an economic one. Providing many choices, keeping prices down.

-Cheers-

Trojan
July 16th, 2004, 03:57 PM
1. There is no API in most phones to access the camera, or the filesystem where you might find pictures already taken

Not true, most MIDP2.0 supporting handsets have access to the camera, and because JSR177 has only been approved recently those handsets do NOT implement any security model. Even now, handsets such as the SE P900, Nokia 6600 do NOT implement JSR177 but have most MIDP2.0 supporting APIs. Having said that, most handset vendors also provide proprietary classes which adds to the problem, in fact it opens up a new can of worms because these APIs give much deeper access to the base Symbian or proprietary OSes. Just because something has been specified in the standard, it does not mean it has to be implemented unless it is mandated. On a side note, JSR 075 has just been approved and will allow a standardised way to access most parts of an OS file system.

2. Access to the internet is denied by default, and on my phone it asks the user each time. Most phones I've seen always ask the user before allowing network access.

Indeed, this is IMPLEMENTATION SPECIFIC and not stated anywhere in a JSR apart from JSR177, which explicitly states the user MUST be asked before the terminal accesses the internet, see above about current JSR177 support. However, because it's the software that implements such control, it can easily be disguised or overridden.

Ok, so you could implement some kind of malware, like a scanner, which ran as a MIDlet, but the user would have to keep the application running continuously for it to work.

Yes and No. If you look at some APIs such as the Java Push Registry, it allows for the application to be triggered each time the handset is switched on (after the user has installed the application), such that the Push port will always listen regardless of the user executing the application or not. Along with this, MIDP2.0 has the capability for allowing one MIDlet to execute another... do I need to say more....

If the user doesn't see anything interesting happening on the phone, they will terminate the application (due to the fact that phones can't generally do anything much else while an app is running, they suspend the app temporarily on an incoming call).

On newer handsets, it will be possible to hold a voice call and a data call at the same time, however, you are right, in most handsets today this is not possible.

MIDP1.0 may have no security features, but it has no security-vulnerable features either - there is no filesystem API, limited networking, no access to camera, bluetooth, IR, microphone.

Agreed, however, I wouldn't go to the length to say no security vulnerabilities :D , what you need to remember is that MIDP1.0 supporting handsets were very limited in memory and hence I regard something as malicious when it can disrupt the normal working of the handset - if you have a program that can loop 1000 times and open up a graphical window and sound the ringtone buzzer at the same time.... hey presto, you've probably crashed a handset! :D

RoadClosed
July 16th, 2004, 04:33 PM
Interesting discussion. Outside of the Bluetooth interface on the phone you still have to break through the "firewall" which is the cell system. Those phones don't just hang out on a loose network. And based on my experience with a particular system they aren't even TCP/IP devices. The protocol is changed as it passes through the system. At the same time, regardless of the protocol used, when you start putting Windows CE and Palm on phones that are openly surfing the web, eventually something will learn the system and introduce ways to exploit them through the "firewall", but then again these aren't really phones anymore, the voice capability is just a side job. :)

Trojan
August 2nd, 2004, 10:56 AM
Outside of the Bluetooth interface on the phone you still have to break through the "firewall" which is the cell system. Those phones don't just hang out on a loose network.

Indeed, however it depends on how the network operator has set up its GPRS system. Most operators will use NAT and then have a firewall implemented, this way it's fairly difficult to get to a particular handset from the outside. However, again depending on how the network is implemented, it may be possible for subscribers within the same network to see each other's local addresses, kind of like a LAN environment, thus 'insiders' could launch attacks on the other subscribers. Because most newer handsets will support open OSes and TCP/IP, it will be possible to perhaps implement trojans that make the handset connect out, bypassing firewall rules.

And based on my experience with a particular system they aren't even TCP/IP devices.

Well, it depends. Most N. American and European network operators have chosen to run with WAP protocols, now called OMA (Open Mobile Alliance). WAP 1.1 supported an independent protocol stack that mimicked the internet TCP/IP stack - I wonder why?? :confused: , now that the guys within WAP/OMA have come to their senses, they follow a TCP/IP stack with some profiling done to facilitate for the wireless bearer. Therefore any handset that supports WAP2.0 will support a TCP/IP stack and will support TCP/IP straight to the handset.

Regards,
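The two GPRS firewall situations the post above describes (unsolicited inbound blocked by NAT, subscriber-to-subscriber traffic on a shared APN, and a handset that connects out on its own and so never hits an inbound rule) can be modelled as a small policy evaluator. This is an added example, not code from the thread or from any operator; the 10.0.0.0/8 subscriber pool, the flow records and the egress port allow-list are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed private address pool handed to handsets on the APN (assumption).
SUBSCRIBER_POOL = ip_network("10.0.0.0/8")
# Constructed outbound allow-list for the hardened policy: WAP gateway, HTTP, HTTPS.
EGRESS_PORTS = frozenset({8080, 80, 443})


@dataclass(frozen=True)
class Flow:
    """One new connection attempt seen at the operator border (constructed record)."""
    src: str
    dst: str
    dport: int


def is_subscriber(addr: str) -> bool:
    return ip_address(addr) in SUBSCRIBER_POOL


def baseline_policy(flow: Flow) -> str:
    """NAT plus stateful firewall as the post describes: no unsolicited inbound,
    no subscriber-to-subscriber traffic, any outbound connection allowed."""
    src_sub, dst_sub = is_subscriber(flow.src), is_subscriber(flow.dst)
    if dst_sub and not src_sub:
        return "drop"      # Internet host trying to reach a handset behind NAT
    if src_sub and dst_sub:
        return "drop"      # one handset probing another on the same APN
    return "allow"         # handset-initiated outbound: passes untouched


def egress_policy(flow: Flow) -> str:
    """Hardened variant: outbound traffic is limited to an explicit port
    allow-list, so a handset that connects out on its own still meets a rule."""
    verdict = baseline_policy(flow)
    if verdict == "allow" and is_subscriber(flow.src) and flow.dport not in EGRESS_PORTS:
        return "drop"
    return verdict


def evaluate(flows, policy):
    """Apply a policy to every flow and return {flow: verdict}."""
    return {f: policy(f) for f in flows}


# Constructed sample flows covering the cases discussed above.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.3.4.5", 4444),      # scan from the Internet at a handset
    Flow("10.3.4.5", "10.3.4.9", 445),          # subscriber to subscriber
    Flow("10.3.4.5", "198.51.100.2", 8080),     # handset to the WAP gateway
    Flow("10.3.4.5", "198.51.100.77", 6667),    # handset connecting out on an odd port
]

if __name__ == "__main__":
    for name, policy in (("baseline", baseline_policy), ("egress", egress_policy)):
        print(name)
        for flow, verdict in evaluate(SAMPLE_FLOWS, policy).items():
            print(f"  {flow.src} -> {flow.dst}:{flow.dport}  {verdict}")
```

Under the baseline policy the last flow is allowed, which is exactly the gap the post points at: inbound filtering says nothing about a handset that opens the connection itself. The egress variant closes it by making outbound traffic match a rule too, at the cost of maintaining an allow-list per APN.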

x acidreign x
August 2nd, 2004, 11:13 AM
here's the scary part: if your phone is sms capable, you can't stop them. at least not with sprint. the only way to stop sms to your phone is to change your phone number, and even then it's just a matter of finding your new phone number. sms uses voice services, so if your phone has voice service and is sms capable, you can't but receive anything that is sent to your phone. that would make any virus spread through sms devastating. just food for thought. as it stands all a person needs to do to send a text message to every possible phone number is write a script that sends the text message from a computer (possible) to all 6 billion possible phone numbers that exist (ten digit phone numbers, 10 billion theoretical possibilities, can't start with a 0, 1, 8, or 9, so that eliminates 4 billion, leaving 6 billion possibilities, I could be wrong, correct me if I am) most of which are home telephones, which would just error out in the phone system. A text message can be sent from a computer via the web in the time it takes to send a packet. meaning, properly scripted, this task could be done in a few minutes. a text message to EVERY PHONE NUMBER POSSIBLE. effectively infecting every vulnerable phone in the country.

<scary speculations list v1.0>
1. a virus that deletes PRL (preferred roaming list) causing the phone to at best be in perpetual roaming (roaming charges out the ass) or at worst, completely worthless, unable to make or receive calls, and constantly searching for service, causing the phone to at best run the battery down in a matter of minutes or at worst overheat and fry. Note: phones like all electronics contain electronic components capable of shorting out and perhaps precipitating an inductance loop causing electrostatic discharge or explosion, either of which could cause serious injury.
2. a worm that gathers proprietary user information and sends it to the writer, giving him pictures, email, and ISP account passwords (all of which are stored in the phone) for malicious or intrusive intent.
3. a worm that gathers phone numbers in address books and sends them to spammers and spreads through the same means.
4. a worm that causes the phone to dial 1-900 and other toll calls (disallowed on many providers, but not all)
5. a simple virus that scrambles or deletes phone programming, including but not limited to mdn and msid (phone number and network identifier) making the phone incapable of making or receiving calls.
6. worm that collects mdns, msids, esns, many of which could be used theoretically to tap cell phones.
7. think of all the important and confidential data people keep in their PDAs (credit card numbers, bank codes, pin numbers, addresses, phone numbers, appointments) now imagine that PDA had a wireless connection to the web and was infected with a worm with the intentions of leaking any or all of this information to the creator. (affected devices: handspring treos, toshiba g1000s, samsung i500s, countless others.)

with the use of the MSL (master subsidy lock) easily obtainable with a simple brute force attack (6 digit decimal number, a few minutes tops.) any of these things and more are possible. I could manually do a lot of damage to a phone just with settings alone, imagine what a capable and willing individual could do with a virus. pretty much all passwords used to remotely access billing and personal information online are protected by a block, locking the account if the wrong passwords are tried too many times, but all of these are stored with only the protection of the msl, which has no such restriction and no one has a way to stop someone or even tell if someone is attempting a brute force on the msl.

to give you an idea of how dangerous this information could be, I could take one sprint phone and program it, with the help of the msl, to act as another person's phone (one already in use) and allow you to talk using their minutes, have free internet access, buy ringers, games, screensavers, all on their dime. use unlimited readilink (coast to coast walkie-talkies) and even connect a mobile phone to a computer and have wireless broadband access to the web from anywhere in the continental United States. I could do that... right here right now, without any research or looking anything up. imagine what a more determined person could do. (most of the skills I have that I would need to do this are proprietary to sprint, which is why I singled them out)
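The mass-SMS scenario in the post above is, from the carrier side, a fan-out anomaly: one submitting source reaching far more distinct destinations in a short window than any handset user does. The sliding-window detector below is an added example, not code from the thread or from any SMSC product; the log line format, the timestamps, the source identifiers and the thresholds are all constructed for illustration, and a real gateway's submit log would need its own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SMSC submit-log format (assumption): "<iso-timestamp> SUBMIT src=<id> dst=<number> len=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) SUBMIT src=(?P<src>\S+) dst=(?P<dst>\S+)")


def parse_line(line):
    """Return (timestamp, src, dst) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"]


def find_fan_out(lines, window=timedelta(seconds=60), max_recipients=5):
    """Flag sources that reach more than max_recipients distinct destinations
    inside any sliding window. Lines are expected in timestamp order.
    Returns {src: highest distinct-recipient count seen in one window}."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst), oldest first
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip malformed lines rather than abort
        ts, src, dst = rec
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()           # drop submissions that fell out of the window
        q.append((ts, dst))
        distinct = len({d for _, d in q})
        if distinct > max_recipients:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


# Constructed sample log: one ordinary subscriber texting two contacts,
# and one web submission source spraying eight different numbers in 15 seconds.
SAMPLE_LOG = """\
2004-08-02T11:13:00 SUBMIT src=+15550100001 dst=+15550100002 len=12
2004-08-02T11:13:04 SUBMIT src=+15550100001 dst=+15550100003 len=40
2004-08-02T11:13:09 SUBMIT src=+15550100001 dst=+15550100002 len=8
2004-08-02T11:13:10 SUBMIT src=web-gw-17 dst=+15550200011 len=120
this line is deliberately malformed and must be skipped
2004-08-02T11:13:12 SUBMIT src=web-gw-17 dst=+15550200418 len=120
2004-08-02T11:13:14 SUBMIT src=web-gw-17 dst=+15550200907 len=120
2004-08-02T11:13:16 SUBMIT src=web-gw-17 dst=+15550201234 len=120
2004-08-02T11:13:18 SUBMIT src=web-gw-17 dst=+15550203301 len=120
2004-08-02T11:13:20 SUBMIT src=web-gw-17 dst=+15550205555 len=120
2004-08-02T11:13:22 SUBMIT src=web-gw-17 dst=+15550207072 len=120
2004-08-02T11:13:24 SUBMIT src=web-gw-17 dst=+15550208899 len=120
2004-08-02T11:14:30 SUBMIT src=+15550100001 dst=+15550100004 len=5
"""

if __name__ == "__main__":
    for src, count in find_fan_out(SAMPLE_LOG.splitlines()).items():
        print(f"fan-out alert: {src} reached {count} distinct recipients within 60s")
```

The ordinary subscriber never exceeds two distinct recipients in any window, while the web source trips the threshold on its sixth distinct number; in practice the threshold would be tuned per source class (handset vs. bulk gateway) and the alert fed to throttling at the SMSC rather than to a human.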