by Angela R. Garber
PDA and cell phone users may be getting nervous about all those reports of viruses attacking handheld devices. Businesses that have protected desktops and networks with anti-virus software for years now wonder if the same precautions are necessary for their mobile tools. With the number of Internet-ready devices increasing, and users indiscriminately “beaming” information to one another, the environment is as ripe for infection as a third-grade classroom during flu season.
The anti-virus community expects an epidemic to hit any day, and all the leading companies — McAfee, Symantec, and F-Secure — have either released or are working on beta versions of PDA- and cell-phone-specific security programs. Some of these live on a PC’s desktop to scan files before they are downloaded to a PDA or when a PDA syncs with programs residing on the PC. Others are native to the PDAs themselves and scan every bit of information beamed through the infrared port or downloaded from a computer. Still, some experts question whether such solutions protect users.
Reports Exaggerated
The threat so far has been relatively benign. The “LibertyCrack” virus hit in August but was more of a hoax than anything else. Liberty is an application that allows PalmOS devices to run Nintendo GameBoy games. The LibertyCrack program claimed to be a tool for pirates to “crack” it — that is, convert the shareware version to a fully registered edition. Instead it was a “trojan horse” (a virus that masquerades as another application), and left behind instructions to delete all files from the handheld and then reboot.
Something called “Timofonica” showed up on cell phones in Spain and was first thought to be a mobile-phone virus. Instead, it turned out to be a simple e-mail chain-letter virus, much like Melissa and LoveLetter, that sent annoying e-mail messages to Web-enabled phones. As it turned out, no mobile devices were affected, because Timofonica had infected the cellular company’s controlling computers, not the phones themselves.
Finally, the Phage trojan attacked the PalmOS last September, blacking out users’ screens and crashing programs, but little damage was reported. In fact, after the virus was discovered, there was a fix released within hours.
Impending Doom?
“The fact that PDA operating systems are new makes them more vulnerable to viruses and exploitative code,” says Randy Meyers, director of network security services for Ajilon Services, Inc., a Baltimore-based IT staffing and consulting firm. “But for the same reason, hackers aren’t writing many viruses to attack them.”
He points out that the attacks that bombard Windows-based computers pass over seemingly immune Macintosh systems almost daily. “It’s not that Macs are more secure than PCs; they just don’t command the market share that will gain the attention hackers want,” Meyers says. “It’s the same with PDAs.”
He is not alone in his assessment. “Viruses primarily appear on the Windows OS because that’s where people do most of their computing,” says Joel Scambray, co-author of Hacking Exposed, and principal at Foundstone, Inc., a computer-security consulting firm with locations in Irvine, Calif., and New York City.
However, Scambray believes the trend is shifting. “Most people aren’t using PDAs and cell phones to access the Internet yet,” he says, “but that will increase with ‘always on’ connectivity, and there will be a concurrent security risk.” (For insight into the problems this has caused in the non-wireless world, see this month’s feature, “Sitting Ducks.”)
Race For A Cure
Scambray is worried that despite their best efforts, the anti-virus companies may not be able to keep things under control. “I personally think the anti-virus vendors will get caught with their pants down on this,” he says. “They are doing a great job and people are happy with their progress in the PC and networked environments, but it’s difficult to write a broadscale antibiotic for the handheld market. There are too many different mobile systems and platforms.”
This raises the question: How can the anti-virus companies create a program to protect against something that doesn’t even exist? Robert Bromley, a professor of accounting systems at Central Michigan University, conducts research in the fields of computer fraud and viruses. “There are commonalities in all viruses,” Bromley says. “The anti-virus software searches for codes that are similar. It can look for commands that don’t make sense.”
“Just keep in mind that the anti-virus industry is reactive,” Scambray warns. “It sees what’s happening in the wild and then reacts, but things are incessantly changing. There is an active community that constantly thinks of new ways to access the information stored on these devices.”
Preventive Medicine
Investing in anti-virus software is one precaution to take. (At the moment, some can even be had for free.) McAfee.com’s Wireless Security Center offers McAfee VirusScan Wireless to protect consumers from Internet viruses and malicious code transferred via PDA devices. It works with the PalmOS, PocketPC, WindowsCE, and Symbian EPOC devices. The software resides on the desktop and scans files during synchronization between PC and PDA.
At press time, McAfee also offered a beta version of McAfee Anti-Virus Resident Scanner (MARS) that resides on the handheld to protect against the currently known PalmOS trojans. The user scans for viruses after receiving data via infrared beaming, infected PCs, or wireless modems. An additional application for Palm, Guard Dog, watches for malicious code that could steal passwords or erase files. F-Secure offers EPOC platform-specific anti-virus software that resides on mobile communicators, smart phones, and PDAs from vendors such as Nokia, Ericsson, and Psion. Symantec offers a similar beta version specific to the PalmOS.
Steps To Take Now
But no one, not even the anti-virus companies, would recommend relying solely on their tools to protect information. Bromley tells businesses to be aware and take precautionary measures to secure files. But he also adds that there is no need to panic.
According to Bromley, the most important security measure to take right now is something that users should be doing anyway: backing up the information stored on the handheld devices. “It’s not exotic, but it works,” he says. “If there are dated backups stored on the PC, it is easy to revert back to a time before any files were corrupted.”
Meyers additionally suggests checking the Web sites of PDA vendors and looking for current threats and download patches. Scambray encourages not only using available anti-virus software, but also diligently updating virus signature databases. These simple precautionary steps should keep professionals on top of — if not ahead of — the game.
A Serious Threat?
Currently, the risk to cell phones seems even more remote than that to PDAs, and the reason is simple. “At the moment, cell phones are ‘stupid,’ so they just aren’t a good target for viruses,” says Meyers.
But Meyers, Bromley, and Scambray agree that as cell phones and PDAs are increasingly used in tandem, phones will become a more frequent target. Users must take the threat seriously. “People know they need anti-virus software installed on their computers and networks, but the battle now is for awareness about PDAs,” Scambray says. “I think we are in a quiet period before hackers create a barrage of code from annoying to destructive. Now everyone just needs to take seriously the kind of damage hackers can do.”