The scene is set in a dark and gothic basement, somewhere in Russia apparently. Amid the clicking of a keyboard the following chilling statement of intent can be heard; “Let’s see what an application that simultaneously opens up 1000 windows does to a smartphone today, da? Mwahahaha, er, ha!” (Cue bolt of lightning).
Well, for starters it would cause the system to crash. If such an application system could spread with speed you can bet executives at an effected network provider would sit up. Take into account the ability to target huge corporate subscription lists (and the projected loss of revenue from such a DoS attack) and it's easy to imagine network execs performing acts that would make acrobats at the Cirque du Soleil blush.
The Skulls virus denied service by slowly strangling out all the functionality of a smartphone and leaving a map of mocking skull and crossbones where user icons once blinked. However Skulls had no propagation model or system for replication and as a result posed no real dangers at all. June 2004 saw the arrival of it's follow up, Cabir, which had a model to spread itself via Bluetooth capabilities. But this propagation model was weak for three major reasons. Firstly, it could only replicate when a phone was rebooted - most people recharge with their phone on. Secondly it relied on other phone users to have their phone's Bluetooth functionality switched on, be in range and have the device set in discoverable mode. Thirdly, Cabir required user authorization before it could be installed. Simply put, Cabir is relatively ineffective because its means for spreading is far too slow. Skulls and Cabir may have generated a bit of interest and press coverage, but they weren't enough to make network operators quake. How far away is the arrival of a worm virus which can perform the same DoS attack on a mass scale?
The days of devastating smartphone viruses are just around the corner according to big security vendors like F-Secure. While phones become more technologically advanced, to the extent where they will one day be the equivalent of a hand held PC, it makes sense that the viruses which target them will also evolve. The amount of information a device stores is proportionate to its value - more data equals a higher value. As that value increases, so does the focus of hackers looking for financial gain. The arrival of new operating systems, protocols and technologies also welcomes new opportunities to mount an attack because their integration at an early stage is always going to create overlaps and chinks, waiting to be exploited by hackers. A merging between mobile and internet protocols has created a more accessible trough of knowledge, freely available to be shared among hackers. But it seems that the hackers who share this knowledge are still only taking a side glance at the possibilities of phone hacking. As the father of IT devices the PC is constantly changing and evolving. It logically follows that hackers have a background almost completely in PC technology because other devices like PDA's and smartphones have yet to advance to a stage where they offer the same opportunity for major gain. Smartphone information capabilities have a long way to go before they are as entrenched in the corporate conscience as is the case with the PC.
It's true that a lot of the underlying principles behind these different technologies are the same. OS Symbian platforms (the frontrunner platform used by the likes of Nokia, Motorola and Siemens) support the use of native C, the preferred language for hackers and because of its lack of 'policing' as compared to MIDP2.0 supporting devices it can be used to craft exploits to attack vulnerabilities on the device. But a hacker whose expertise is confined to the realm of PC's will never be as aware of the opportunities to launch an attack as someone who has worked with mobile technology. What happens when a hacker who has a background in the mobile industry decides to stir the pot? In the case of Cabir it seems that the worm virus was created by someone who has not worked in the phone business. If they had, the virus would have spread at a much quicker rate and created a greater scale of devastation.
So when can we expect to see a smartphone attack that is smart? It comes down to the question of whether mobile technology is in an advanced enough stage to merit a smart attack. Last year saw various network operators investing millions in the rollout of 3G services. These are services which allow users to connect to the net, download information, check e-mail and message other people via videophones. A lot of people would debate whether that is an advanced enough stage for fears of major smart phone attacks to break out. Regardless, it looks like it will be left up to a hacker with a taste for fine 'wodka' (apparently) to decide.
* Simon Edmed is an analyst with Information Risk Management, based in London.
