It was the denial of service attack everyone feared. Within the space of a few hours, thousands of calls overwhelmed switchboards handling communications for the emergency services, causing widespread chaos.
Fiction? Unfortunately not. Just such an attack happened two years ago in Japan. But while computers are normally to blame for such incidents, in this case the unwitting culprit was the humble mobile phone.
A virus written to exploit vulnerabilities in Japanese operator DoCoMo’s ‘i-Mode’ mobile data network spread quickly. The program, when opened by the user, directed the phone to call the emergency services number. At the height of the crisis DoCoMo warned that more than 13 million handsets might be affected.
Thankfully, the UK and most of the rest of the world have so far been spared such dramas. In the past, each handset manufacturer wrote its own software, and virus writers had to be very dedicated indeed to create malware that would affect a large number of phones, since they would have to recompile the virus code for each type of handset.
But experts say that mobile virus attacks will become more common. That is primarily because greater numbers of people are using ever more sophisticated wireless devices based on a smaller number of standardised operating systems, including Pocket PC, a version of Microsoft’s Windows environment that has proved so vulnerable to viruses in the fixed world. The risks are heightened further because users can easily download and run software such as Java ‘applets’, which could be infected. Add to the mix smartphones and PDAs, which users often connect to their office PCs, and the problem becomes one that could easily spread to corporate networks.
Experts do not want to spread panic, but clearly the dangers are acute. Research by Mercer Management Consulting predicts that by 2005, an outbreak of a virus worm on mobile devices could affect 30% of the population.
“This is absolutely a huge challenge,” says Richard Wong, general manager of the messaging group at Openwave, the US software company that supplies much of the messaging infrastructure for mobile phone networks. “Messaging abuse, whether it is spam or viruses, could easily affect 10 to 25 times as many people as PC-based viruses or spam.”
Security policy
Typically, IT departments have less control over smartphones and PDAs than they do over fixed computer hardware. “If you allow people to buy their own phones and use them for purposes other than voice, you will be susceptible to viruses,” says Magnus Nystrom, a technical director of IT security company RSA Security. “It is rather like businesses allowing employees to buy their own laptops: they can do it, but companies need to have a policy.”
Unlike with a laptop, however, it is not simply a question of dropping some anti-virus, firewall and perhaps authentication software onto the hard disk. Although there are some client-level anti-virus programs available for Pocket PC-based devices, smartphones, which tend to run the rival Symbian operating system, may not have sufficient spare memory for extra applications.
But help is at hand. In most cases, users download new applications for a smartphone from the network operator’s mobile site, rather than from the Internet. This offers the first layer of protection: manufacturers, in partnership with their operator clients, can configure devices so that they only run applications from trusted sources.
Steve Babbage, a cryptographer with UK operator Vodafone, believes that the mobile industry can minimise the threat through a combination of preventative measures at the device layer and corrective measures, including virus scanning, at the network layer.
But he adds: “It would be naive to think that the preventative approach will keep all problems at bay. You need a layered approach. But if we fail to do this, then viruses could crash phones completely. It is up to us to stop that happening.”
The downside is that a wide range of preventative measures would inevitably make smartphones and PDAs less flexible. They could even make it harder to roll out enterprise applications to mobile devices unless companies use standard software modules from authorised vendors. But that could be a small price to pay to avoid an outbreak of mobile viruses.