Cell phone zombies a possibility? -- Theoretical discussion
Page 1 of 6 123 ... LastLast
Results 1 to 10 of 51

Thread: Cell phone zombies a possibility? -- Theoretical discussion

  1. #1
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914

    Cell phone zombies a possibility? -- Theoretical discussion

    Hey Hey,

    First let me just say... W00T!. MY suggestion became reality. I'm pumped. Thanks JupM.

    Anyways... on with the discussion. I've been playing with my cell phone a lot lately, now that I have one that is actually fun to play with. Since I posted the suggestion for this thread I've been thinking a lot about cell phones and PDAs and the problems they could lead to. My cell phone is Java powered as many phones now are, other phones have built in PDAs and run PalmOS. With the advent of picture phones, the ability to SMS files is now a reality. What if someone decided to use our cell phones against us. A Java virus, or something written for the PalmOS (for which app dev. can be done in something as simple as VB), that could propagate through text messaging. I don't know a lot about the hardware of cell phones, so this could be fully impossible, but what will happen as cell phones become more advanced? A virii that is downloaded in a game or a ring tone seems entirely like a possibility. It spreads it self by SMSing itself to everyone in your phonebook (sure it won't make it to land line users, but everyone has at least one cell phone number in their phonebook). Besides sending itself to other cell users, it could also force your phone to dial a number. This would cause conjestion on the cell network to start with, but what if they were all directed at the same number, for example 911. This would cause basically a DDOS attack against the switchboards at 911. It was, in my opinion, cause chaos. Anyone thought about this before, or heard anything about it? What's everyone's opinion on it?


    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member st1mpy's Avatar
    Join Date
    Jun 2003
    Posts
    111
    well that all might be possible ... there was one incident like year back when a guy switched some phone bord and sended emails out to people ... that they are short on their visa's so they should call that number an ye it was talked here about it but here is something new

    FBI agents arrested a Louisiana man last week under the cyberterrorism provisions of the USA PATRIOT Act for allegedly tricking a handful of MSN TV users into running a malicious e-mail attachment that reprogrammed their set-top boxes to dial 9-1-1 emergency response.

    According to prosecutors, David Jeansonne, 43, was targeting 18 specific MSN TV users in an online squabble when he crafted the script in July 2002, and sent it out disguised as a tool to change the colors on MSN TV's user interface. Though the code didn't mass-mail itself to others, some of the recipients were sufficiently fooled that they forwarded it to friends, for a total of 21 victims.

    Source: http://www.securityfocus.com/news/8136

    hope it helps
    Un Seen But Well Heard Of

  3. #3
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Here is an interesting whitepaper on this topic taken from the Virus Bulletin Conference in September of 2000.

    Cheers:
    DjM

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hmmm,

    I suggested this generic vulnerability some three years ago. I concluded that as the SMS of the time supported (typically) 114 characters, and theoretically about 160; it was not a current threat, as there was not enough scope to include propagation or zombie code.

    I am sure that it will happen, not "if" just "when"?

    WAP/Palm devices linked to telephony make it more imminent IMHO

    SMS "bombs" have been around for a while now, so you can see where things are headed?

    HTRegz.......I have not forgotten you mate, I will get back with some suggestions this week-end..............interesting problem as it happens

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,836
    It might happen sooner than we think. Motorola just released the "Smart Phone" which includes Internet Explorer, MSN messenger and I believe it can be synchronized with your Outlook. How much worse can it get? Here's a scenario: User visits website with malicous code in its source; malicious code gets downloaded into the cell phone; malicious code spreads itself to all contacts on the cell and outlook. I'd say its possible to be done right now. Anyone care for an experiment? It would be very intersting.

    EDIT: a little research on the "Smart Phone" shows these specifications:

    Motorola MPx200 SmartPhone Features
    Phone Features

    Downloadable ringtones
    Downloadable wallpaper
    Downloadable screensavers
    WAP 1.2.1
    MSN Internet Explorer (HTML 3.2, WAP 1.2.1, SSL, & PPTP)
    Tri-band
    MMS (Multimedia Messaging Service)
    Instant Messaging (MSN)
    Group SMS
    T9 predictive text
    Time & date stamp (for calls & SMS)
    SD/MMC card slot
    1000+ number phone book
    VibraCall®
    Integrated speaker phone
    Clam form factor

    Preloaded Software

    Activesync ™
    MSN Messenger ™
    Pocket Internet Explorer ™
    Pocket Outlook ™
    Windows Media Player ™


    Memory

    Up to 10 MB embedded
    Expandable to 1 GB via SD/MMC slot

    Display

    65k TFT colourm, 176 x 220 pixels, 2 lines of text/icons

    Connectivity

    Mini USB / IRDA

    Network

    Tri-band GSM 900/1800/1900
    GPRS (class 8)

    Dimensions

    89 x 48 x 27 mm

    Volume

    96 cc

    Weight

    118 g

    Power Management *

    Talk Time: up to 310 mins
    Standby Time: up to 110 hrs



    Clearly the phone has enough memory to support a virus and the means to catch it or distribute it.


  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    There are a lot of phones on the market with sufficient capability to have viruses / malware written for them.

    The most likely type is some kind of windows/outlook style worm which encourages users to open it using social engineering.

    On my phone, it is possible to send games via bluetooth and infrared. I don't think games themselves can be sent via SMS, but you can send links and download via HTTP.

    Some models of phone (for instance those supporting MIDP2.0) have access to sockets.

    Some types of phone game (example: Morphun) have virtually unrestricted access to the phone's capabilities. Not all of these games need to be digitally signed, but instead rely on the network restricting download capabilities. This doesn't seem to extend to bluetooth / IR transmission.

    --

    So it's technically feasible for a phone game to actually be a worm which spreads via bluetooth with this model of phone. True, it would have to get fairly close to another phone, and the phone would need bluetooth enabled.

    Equally, a SMS could entice a user to download a game via HTTP, then exploit some weakness in the phone's Java VM security to break out, and SMS its link to the phone's contact list (ala Outlook worms)

    Java games are normally not allowed to access the phonebook, make calls, send SMS or use bluetooth / IR, but some vulnerabilitiy could allow them to do so. Java games are allowed HTTP access, but the user is always consulted first, as it may charge her money.

    Slarty

  7. #7
    Kinda off topic, couldnt a virus spread on pc's, then use the modems to call a number like 911 or whatever? Why use a phone when you can use a pc?

    Ive never heard of an attack like that, but i can figure that its possible? maybe for american idol voting or something stupid like that....

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi Soda,

    That has been possible for several years.............I have used my PC to talk to my in-laws in Alabama (one penny per minute, hee hee) and have had the software to send SMS messages to cell phones.

    Very interesting contributions from Cyber1d and Slarty, It seems that the technology is now here..............I haven't changed my mobile phone for three years so I am a bit behind the times .

    I do recall someone offering AV for mobile devices..............PC-Cillin or McAfee?

    What I fear is that people will secure their desktops and networks, and these mobile devices will be the literal trojan horses?...........an Administrator's nightmare

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #9
    Banned
    Join Date
    Feb 2004
    Posts
    94
    Interesting. I have never really looked into it, however I am sure there will be a growing "market" of cell virii. Although as someone pointed out they can be made in high level language, I have a feeling the ones that do "well" ecologically (aka propegate themselves the best), will be in ASM, or a "high-level" ASM that works across all/most cellphones allowing for better manipulation of low-level functions and such, but still not specific to one phone. As usual the possabilities are endless. As nihil pointed out about this being an Admins worst nightmare, I believe most policies will/do prohibit messing with company phones, or plugging your own phone into your companie computer. Imagine if a virii would transfer itself to the box from your phone, effectively allowing it to spread via two medians. At least they don't spread through the TV eh?

    -Cheers-

  10. #10
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,836
    ....hmm well spyware could be downloaded into Tivo if programmed right and you'd get pop-ups about penis enlargement every time you turn on your TV . Its feasible but not easy at the moment, but dont be surprised if it happened. ANY hardware that connects to a remote service, is at risk of being victim of a malicious code, let it be a virus, a trojan, a work or spyware. Its just the never-ending cycle of life. You build something; someone screws it up; you try to fix it and come up with something better than before while you're fixing it. INOVATION

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides