A recent spate of electronic infections is giving new meaning to the familiar question, “Can you hear me now?”
Strictly speaking, Cabir, Lasco, and Commwarrior are “worms,” not viruses, that target the Symbian operating system used on Nokia series 60 cell phones, which account for about half of all units on the market. They’re spread through Bluetooth, a technology that allows close-range wireless connections of electronic devices. Lasco also inserts itself in “installer” files, so it could be transferred from phone to phone in a game program; Commwarrior attempts to spread through messages that include a picture, audio, or video file.
While security vendors have received multiple reports of these worms, experts agree that essentially they’re little more than a nuisance. “We’re starting to see more variants, but we’re not seeing them spreading,” notes Dominic Wild, an analyst at Vancouver-based security provider Sophos. “You have to agree to receive the file from your phone,” just as if you received a suspicious email message on your personal computer and clicked to launch an attachment.
Wild observes that after many reports last year about “bluejacking” — in which people would use their electronic devices to detect Bluetooth-enabled phones in the immediate area, then send them malicious text messages — cell-phone users have become much more savvy. Such phones also have “the ability to ‘hide’ themselves from other devices,” he says, “so even though Bluetooth is activeÂÂÂpeople can’t send viruses to you.”
Travis Witteveen, a vice president for San Jose-based security vendor F-Secure, agrees that none of the malware targeting the Symbian operating system is spreading significantly. “When you get one of these viruses you have to click three times to have it installed on your phone, so it’s actually amazing it’s spreading at all,” says Witteveen. “Typically, people are curious though. The spread of it is minimalÂÂÂthere are regular reports, but when you think of number of phones out there, it’s an extremely small percentage.”
If a phone becomes infected with Cabir, “you’ve brought it on yourself. You have to work to get it,” concurs John Jackson, a senior analyst at the Boston-based Yankee Group research and consulting firm. And although it generated a lot of headlines, Cabir didn’t have malicious consequences, he emphasizes; it was a “proof of concept virus,” which often is intended to show how a particular vulnerability could be exploited.
As for the threat to other electronic devices, “the idea that the virus can get into a cell phone and then attack the broader population is hard to envision,” says Jackson. “The orientation towards this potential threat should be one of concern, and one that is easily addressed by putting security measures in place.”
That was the response when several variants of a slightly more serious virus, SymbOS.Skulls, were reported recently by vendors including Symantec, McAfee, and F-Secure. SymbOS.Skulls replaces application icons with a skull and crossbones, rendering a cell phone virtually useless. The makers of Symbian reacted swiftly to this new threat, notes Jackson, and the latest version of the operating system will contain “significant enhancements in security to prevent this sort of thing.”
Observers say, however, that just as personal computers became more vulnerable to attacks when they added more functionality, cell phones with more-robust features may also become more of a target. “When a standard becomes more prevalent in the market,” says Witteveen, “the guys with the big egos see it as a platform to establish themselves and infect tens of thousands of machines.”
But for now, says Wild, anyone who uses a cell phone should rely on common sense: “If you have to have Bluetooth activated, make sure it’s hidden from other Bluetooth devices, and don’t accept files from people you don’t know and that you’re not expecting.”
