TELECOM Wireless devices catch bad code through the air and theninfect supposedly secure computer
systems. ValleZ has released
a digital epidemic -- or maybe he's delivered an earlyinoculation.ValleZ is the online handle of a 24-year-old computer programmer from Spain who, lastJune, wrote the first malicious program targeting cellular phones, the Cabirworm. Now,
security experts fear that the rush to integrate cell phones intoevery aspect of our daily lives might make them the perfect carriers fordigital diseases. Bruce Schneier, founder and chief technology officer ofCounterpane Internet Security in Mountain View, CA, assessesthe threat bluntly: We're screwed, he says.Or maybe not. ValleZ is a member of an international cabal of programmerscalled 29A, which specializes in malicious software, or malware. These ethicalhobbyists send their creations to security labs so that experts can researchcures.
was a manner of saying that the antiviral people should bewatching out for this, says ValleZ, whom Technology Review tracked down viae-mail.ValleZ shared the code for his original, nonmalicious version of the wormwith other members of 29A. Shortly after, it was passed to a Brazilianprogrammer who posted his own variation on his website in December. Now, badguys everywhere are spinning off new versions that are melded with othermalware that locks up phones or autodials obscure numbers. As of March, the Helsinki, Finland–basedsecurity company F-Secure reported that 15 variations of Cabir had popped up in14 countries.Cabir spreads like an airborne disease through Bluetooth wireless connections,a popular means of transferring data at close proximity between cell phones andeverything from other phones to car GPS navigation systems. Even antiviralresearchers have found themselves worrying that viruses under examination mightspread wirelessly to mobile devices outside their labs' doors. TravisWitteveen, vice president of F-Secure's North American division, says hiscompany now runs its main mobile-security lab out of an old military bombshelter. The cell-phone worm's task could be as simple as swiping your address bookor spewing out costly and annoying text-message spam. Or it could mount a denial of service attack on your wireless-service provider bymaking your phone rapidly dial many numbers in succession. As people startusing their smart cell phones to tap into computer networks, thedamage caused by malware could grow more severe. If, as promised, cell phonessoon begin to serve as payment devices, mobile malware that nabs your identityand taps directly into your credit line could follow. Theoretically, acorporate accountant's phone could pick up a worm and, when synched to a PC,let it loose on the company's network, jumbling accounts.And mobile malware will be able to infect systems not vulnerable toconventional viruses. A car owner could link her Bluetooth-enabled phone to herdashboard computer, so that she can control the phone via buttons on hissteering wheel. As she drives down the road, her phone might connect to anotherin a passing car. Suddenly, her navigation system fails. This type ofthreat is probably inevitable, says Schneier. In the future, cars willinclude computer systems that permit remote diagnosis of problems. They shouldbe kept physically separate from hardware that regulates mechanical systems -- performingcalibrations, for instance -- lest a virus cause steering or brake controls tofail.Protection against this nascent peril is beginning to appear. Symbian, thecompany whose mobile-device operating system has been targeted by everycell-phone virus so far, has released a version of its software that grantsBluetooth access only to programs tagged with secure digital IDs. Antiviralsoftware is not currently bundled with the software preinstalled on mostprivately purchased cell phones and so is found almost exclusively inbusiness-issued phones. But companies like McAfee and InnoPath Software aredeveloping es for individual consumers to download antiviral software.According to research firm IDC, spending on mobile security will leap from around$100 million in 2004 to nearly $1 billion by 2008 -- with a significant portiongoing toward antiviral protection.ValleZ says he's done coding mobile malware -- for a little while, at least.Of course, that won't stop others from concocting their own electronic pests.Another, completely new and more virulent mobile virus, CommWarrior, was foundin late February. It sends out costly multimedia messages but contains so manybugs that it doesn't pose a major threat. The next malicious piece of code, however,may be neither a warning exercise nor a self-defeating pest but a full-boreattack on the wireless world.