Fortunately, the worm was not released ‘into the wild’, but was emailed anonymously to antivirus software companies by a group of international hackers known as 29a. Primarily based in Spain, they specialise in creating worms and viruses to demonstrate that no technology is reliable and safe from attack.
But if it had been released, the consequences could have been devastating.
The worm, known as Cabir, is capable of infecting smartphones and other mobile devices running the Symbian operating system, used in devices from almost all the major vendors, including Nokia, Siemens, Samsung and Matsushita, better known under the Panasonic brand name.
The worm propagates via the Bluetooth short-range connection technology. If it successfully finds and connects with another Bluetooth phone, it writes ‘Caribe’ or “Caribe-VZ/29A” on the screen. Most ominous of all, it does not get wiped when the device is turned off, but is activated every time it is powered up.
However, it does not damage the phone or its software, but does drain the battery by constantly scanning for other Bluetooth-enabled devices to infect. Kaspersky Labs, a computer-security firm based in Moscow, has been credited with identifying and naming the worm.
The 29a group give credit for the worm to a new member called ‘Vallez’. It says that it is generally against destructive payloads and the spreading of viruses, but does not forbid its members from doing so — making it a so-called ‘grey hat’ hacking outfit.
The discovery of the worm has led to the predictably cliched conclusion that it should act as a “wake up call” to the industry. Although 29a has not tried to circulate the worm, other more malicious groups might, warn security specialists.
“Now that somebody has shown it can be done, somebody else could pick up on it soon and be far more disruptive,” says Vincent Gullato, vice president of McAfee. “There is now a road map for hackers to follow.”
But McAfee claims that the combination of increased mobile device capabilities combined with a lack of security could enable hackers and virus writers to wreak the same sort of havoc that they have done with Internet-connected PCs.
For example, by creating a virus that deletes contacts in other peoples’ phone address books, send unsolicited text or multimedia messages or make users’ mobile phones access websites to download paid-for or pornographic content without the handset owner’s knowledge.
Security specialists have for some time warned about the vulnerability of mobile phones, particularly the new breed of smartphones that boast some PC-like capabilities. However, vendors have been slow to act, mirroring the errors that has made the Microsoft Windows operating system such an insecure platform.
For example, although Bluetooth is switched off by default in some devices, in many others, the manufacturers have switched it on by default in order to make it easier to use. As a result, many people could be walking around with insecure devices without even knowing it.
That mistake could prove critical, believes Sal Viveros, a wireless security ‘evangelist’ at McAfee.
“Historically, the more functionality that emerges on any device, the more the hacker will take advantage of it,” he says. “With the advent of 3G and increased rollout of sophisticated devices such as smart phones, we’ll see all the same threats in mobile that you have in the PC space. And most people are painfully unaware of that fact.”