Will Cell Phones be Responsible for the Next Internet Worm?
If you have been following the news lately, chances are you are aware of the latest round of cellular phone viruses. Redbrowser, Brador, and Cabir are a few examples of new viruses and worms that compromise so-called "smart phones"—phones running a handheld operating system such as Palm OS, Symbian, or Microsoft’s Mobile 5—in much the same way as e-mail worms have worked in an increasingly destructive and costly fashion over the past decade. The smart cell phones at the center of this growing problem are just one member of a larger family of mobile computing devices that share the same vulnerability potential. Palm Pilots, Pocket PCs, and RIM devices all share the same wireless data capabilities and provide a significant amount of computing power to boot. You might think, "So what?" It’s just a cell phone, right? Well, that cell phone might just be responsible for the next major Internet worm.
A worm is a self-contained, self-replicating program that propagates across the Internet by exploiting some known vulnerability. By exploiting the vulnerability, installing itself, and then searching for more computers with the same vulnerability to repeat the process, worms can spread very rapidly if the propagation vulnerability (or vector) is well-chosen. Even worse, some worms can propagate via multiple means (we call this multiple propagation vectors), making the speed and probability of spread much greater. Some of the more famous Internet worms—costing industry billions of dollars—are LoveBug, Code Red, and Blaster. The good news is that as time goes on, we seem to be getting better at protecting our networks against attack as the perimeter security (firewalls, intrusion detection/prevention) industry matures. With capable perimeter security devices watching the entry points of our networks for malicious activity, the probability of infection is greatly reduced. Until now.
Mobile Devices Are the New Network Perimeter
The new and largely unexplored propagation vector for malicious code distribution is mobile devices. With 802.11, Bluetooth, Wi-Fi, WiMAX, MMS, Infrared, and cellular data capabilities on almost all new models, these devices provide a wealth of opportunity for the transmission of data. With no notion of user access levels in the compact mobile operating systems, a lack of effective authentication, and no data encryption, these environments are prime targets for the incubation of malicious code. In addition, the limited processing power and small portable footprints give the perception of innocence so that many users (and misled system administrators) believe that "security isn’t needed." This education problem is the critical oversight that allows mobile devices to present a large security concern.
The result of an attack that uses mobile devices as a propagation vector would be staggering. The process would be simple: infect mobile devices via Bluetooth, SMS, or other networking capability—as Redbrowser, Brador, and Cabir have shown to be possible. The native security features of today’s mobile devices are not capable of protecting against attacks like this, so it would be trivial to infect, say, an entire coffee shop full of Bluetooth phones in just a few minutes. The mobile devices then walk out of the coffee shop and in the front door of corporate offices all over the world, past the perimeter security devices and all other network security protections, cradle to the desktop, and infect organizations in the worst possible spot: at the heart of the network, where security controls are the thinnest. The rogue code doesn’t enter the network at the wired perimeter, so firewalls and IDS devices don’t see it. It’s not injected via a CD-ROM, floppy, thumb drive, or e-mail, so the desktop virus protection doesn’t see it. After the malicious code executes, it has the opportunity to infect every system on the internal network with low risk of detection.
Because the point of enterprise injection is an unexpected portion of the desktop, there would be very little (if any) audit or log of this event, so tracking the attack to the source would be nearly impossible. If the malicious code performed even a small amount of damage—say, deleting a number of critical operating system files—the effects of the attack would eclipse the current $83 billion price tag attached to previous Internet outbreaks. Not to mention the impact of taking down the cellular networks as well. Also, because almost all mobile devices contain information about the identity of their user, there is nothing stopping the malicious code from comparing the owner identity to a list of famous people and publicly posting all contact information, pictures, e-mail, and SMS messages for anyone on the list. Voila: a mass Paris Hilton scam.
The threat isn’t limited to desktop sync or USB connectivity either. The latest over-the-air sync products from Microsoft, Good, Intellisync, and others are more than willing to copy information from the mobile device over the air directly to your enterprise Exchange server, with little regard for whether or not that data is malicious. Infect a mobile device with some malicious code that simply creates what appears to be a new outgoing e-mail, and in a few short seconds that malicious code is on your enterprise Exchange server—ready to be executed and further the infection. Would this be detected if you were running an anti-virus product on your Exchange server? Perhaps... if it had mobile device malware signatures in its database. But most likely not. Scary? Absolutely. Probable? You bet.
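The argument above, that a perimeter filter stops reducing the probability of infection once handhelds carry code past it, can be put into numbers with a small mean-field spread model. This is an added illustration, not part of the original article; every parameter (host count, probe rate, block rate, devices per day, infected fraction) is a constructed assumption rather than a measurement.

```python
# Added illustration: deterministic (mean-field) model of worm spread inside
# one network. All parameter values are constructed assumptions.

def simulate(hosts=1000, days=30, probes_per_day=50.0, perimeter_block=0.999,
             internal_contacts=1.5, devices_per_day=0, device_infected_frac=0.0):
    """Return the expected number of infected internal hosts after each day."""
    infected = 0.0
    history = []
    for _ in range(days):
        susceptible_frac = (hosts - infected) / hosts
        # Vector 1: Internet probes that the firewall/IDS fails to block.
        via_perimeter = probes_per_day * (1.0 - perimeter_block) * susceptible_frac
        # Vector 2: infected handhelds cradled to a desktop, behind the perimeter.
        via_devices = devices_per_day * device_infected_frac * susceptible_frac
        # Internal spread: host-to-host contacts that no perimeter device sees.
        via_internal = internal_contacts * infected * susceptible_frac
        infected = min(hosts, infected + via_perimeter + via_devices + via_internal)
        history.append(infected)
    return history

def days_until(history, threshold):
    """First day (1-based) on which infections reach threshold, else None."""
    for day, count in enumerate(history, start=1):
        if count >= threshold:
            return day
    return None

def compare(hosts=1000):
    """Days until half the network is infected under four scenarios."""
    mobile = dict(devices_per_day=200, device_infected_frac=0.05)
    scenarios = {
        "perimeter_only": simulate(hosts=hosts),
        "perimeter_plus_devices": simulate(hosts=hosts, **mobile),
        "sealed_perimeter": simulate(hosts=hosts, perimeter_block=1.0),
        "sealed_perimeter_plus_devices": simulate(hosts=hosts, perimeter_block=1.0, **mobile),
    }
    return {name: days_until(hist, hosts / 2) for name, hist in scenarios.items()}

if __name__ == "__main__":
    for name, day in compare().items():
        print(f"{name:32s} half infected on day: {day}")
```

In this model even a perimeter that blocks every probe does not prevent an outbreak once the device vector is present, which is why the mitigation has to sit at the sync point and on the handheld rather than only at the network edge.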