Cell phone zombies a possibility? -- Theoretical discussion

[HTRegz]

Hey Hey,

First let me just say... W00T!. MY suggestion became reality. I'm pumped. Thanks JupM.

Anyways... on with the discussion. I've been playing with my cell phone a lot lately, now that I have one that is actually fun to play with. Since I posted the suggestion for this thread I've been thinking a lot about cell phones and PDAs and the problems they could lead to. My cell phone is Java powered as many phones now are, other phones have built in PDAs and run PalmOS. With the advent of picture phones, the ability to SMS files is now a reality. What if someone decided to use our cell phones against us. A Java virus, or something written for the PalmOS (for which app dev. can be done in something as simple as VB), that could propagate through text messaging. I don't know a lot about the hardware of cell phones, so this could be fully impossible, but what will happen as cell phones become more advanced? A virii that is downloaded in a game or a ring tone seems entirely like a possibility. It spreads it self by SMSing itself to everyone in your phonebook (sure it won't make it to land line users, but everyone has at least one cell phone number in their phonebook). Besides sending itself to other cell users, it could also force your phone to dial a number. This would cause conjestion on the cell network to start with, but what if they were all directed at the same number, for example 911. This would cause basically a DDOS attack against the switchboards at 911. It was, in my opinion, cause chaos. Anyone thought about this before, or heard anything about it? What's everyone's opinion on it?


Peace,
HT

[st1mpy]

well that all might be possible ... there was one incident like year back when a guy switched some phone bord and sended emails out to people ... that they are short on their visa's so they should call that number an ye it was talked here about it but here is something new

FBI agents arrested a Louisiana man last week under the cyberterrorism provisions of the USA PATRIOT Act for allegedly tricking a handful of MSN TV users into running a malicious e-mail attachment that reprogrammed their set-top boxes to dial 9-1-1 emergency response.

According to prosecutors, David Jeansonne, 43, was targeting 18 specific MSN TV users in an online squabble when he crafted the script in July 2002, and sent it out disguised as a tool to change the colors on MSN TV's user interface. Though the code didn't mass-mail itself to others, some of the recipients were sufficiently fooled that they forwarded it to friends, for a total of 21 victims.

Source: http://www.securityfocus.com/news/8136

hope it helps

[DjM]

Here is an interesting whitepaper on this topic taken from the Virus Bulletin Conference in September of 2000.

Cheers:

[nihil]

Hmmm,

I suggested this generic vulnerability some three years ago. I concluded that as the SMS of the time supported (typically) 114 characters, and theoretically about 160; it was not a current threat, as there was not enough scope to include propagation or zombie code.

I am sure that it will happen, not "if" just "when"?

WAP/Palm devices linked to telephony make it more imminent IMHO

SMS "bombs" have been around for a while now, so you can see where things are headed?

HTRegz.......I have not forgotten you mate, I will get back with some suggestions this week-end..............interesting problem as it happens

Cheers

[Cybr1d]

It might happen sooner than we think. Motorola just released the "Smart Phone" which includes Internet Explorer, MSN messenger and I believe it can be synchronized with your Outlook. How much worse can it get? Here's a scenario: User visits website with malicous code in its source; malicious code gets downloaded into the cell phone; malicious code spreads itself to all contacts on the cell and outlook. I'd say its possible to be done right now. Anyone care for an experiment? It would be very intersting.

EDIT: a little research on the "Smart Phone" shows these specifications:

Motorola MPx200 SmartPhone Features
Phone Features

Downloadable ringtones
Downloadable wallpaper
Downloadable screensavers
WAP 1.2.1
MSN Internet Explorer (HTML 3.2, WAP 1.2.1, SSL, & PPTP)
Tri-band
MMS (Multimedia Messaging Service)
Instant Messaging (MSN)
Group SMS
T9 predictive text
Time & date stamp (for calls & SMS)
SD/MMC card slot
1000+ number phone book
VibraCall®
Integrated speaker phone
Clam form factor

Preloaded Software

Activesync ™
MSN Messenger ™
Pocket Internet Explorer ™
Pocket Outlook ™
Windows Media Player ™


Memory

Up to 10 MB embedded
Expandable to 1 GB via SD/MMC slot

Display

65k TFT colourm, 176 x 220 pixels, 2 lines of text/icons

Connectivity

Mini USB / IRDA

Network

Tri-band GSM 900/1800/1900
GPRS (class 8)

Dimensions

89 x 48 x 27 mm

Volume

96 cc

Weight

118 g

Power Management *

Talk Time: up to 310 mins
Standby Time: up to 110 hrs



Clearly the phone has enough memory to support a virus and the means to catch it or distribute it.

[slarty]

There are a lot of phones on the market with sufficient capability to have viruses / malware written for them.

The most likely type is some kind of windows/outlook style worm which encourages users to open it using social engineering.

On my phone, it is possible to send games via bluetooth and infrared. I don't think games themselves can be sent via SMS, but you can send links and download via HTTP.

Some models of phone (for instance those supporting MIDP2.0) have access to sockets.

Some types of phone game (example: Morphun) have virtually unrestricted access to the phone's capabilities. Not all of these games need to be digitally signed, but instead rely on the network restricting download capabilities. This doesn't seem to extend to bluetooth / IR transmission.

--

So it's technically feasible for a phone game to actually be a worm which spreads via bluetooth with this model of phone. True, it would have to get fairly close to another phone, and the phone would need bluetooth enabled.

Equally, a SMS could entice a user to download a game via HTTP, then exploit some weakness in the phone's Java VM security to break out, and SMS its link to the phone's contact list (ala Outlook worms)

Java games are normally not allowed to access the phonebook, make calls, send SMS or use bluetooth / IR, but some vulnerabilitiy could allow them to do so. Java games are allowed HTTP access, but the user is always consulted first, as it may charge her money.

Slarty

[Soda_Popinsky]

Kinda off topic, couldnt a virus spread on pc's, then use the modems to call a number like 911 or whatever? Why use a phone when you can use a pc?

Ive never heard of an attack like that, but i can figure that its possible? maybe for american idol voting or something stupid like that....

[nihil]

Hi Soda,

That has been possible for several years.............I have used my PC to talk to my in-laws in Alabama (one penny per minute, hee hee) and have had the software to send SMS messages to cell phones.

Very interesting contributions from Cyber1d and Slarty, It seems that the technology is now here..............I haven't changed my mobile phone for three years so I am a bit behind the times .

I do recall someone offering AV for mobile devices..............PC-Cillin or McAfee?

What I fear is that people will secure their desktops and networks, and these mobile devices will be the literal trojan horses?...........an Administrator's nightmare

Cheers

[silver-bullets]

Interesting. I have never really looked into it, however I am sure there will be a growing "market" of cell virii. Although as someone pointed out they can be made in high level language, I have a feeling the ones that do "well" ecologically (aka propegate themselves the best), will be in ASM, or a "high-level" ASM that works across all/most cellphones allowing for better manipulation of low-level functions and such, but still not specific to one phone. As usual the possabilities are endless. As nihil pointed out about this being an Admins worst nightmare, I believe most policies will/do prohibit messing with company phones, or plugging your own phone into your companie computer. Imagine if a virii would transfer itself to the box from your phone, effectively allowing it to spread via two medians. At least they don't spread through the TV eh?

-Cheers-

[Cybr1d]

....hmm well spyware could be downloaded into Tivo if programmed right and you'd get pop-ups about penis enlargement every time you turn on your TV . Its feasible but not easy at the moment, but dont be surprised if it happened. ANY hardware that connects to a remote service, is at risk of being victim of a malicious code, let it be a virus, a trojan, a work or spyware. Its just the never-ending cycle of life. You build something; someone screws it up; you try to fix it and come up with something better than before while you're fixing it. INOVATION