Virus raises concerns about wireless security- Large scale catastrophe unlikely

Reports circulating out of Spain that a computer worm was able to spam wireless phones via e-mail within its country's borders has raised questions over the existing protection of wireless devices from malicious code attacks.

Security experts agree that future harmful assaults could be directed at and spread by nondesktop computers, but the technological barriers surrounding those devices are probably too difficult for virus or worm creators to overcome in order to infect users en masse, such as the infamous ILoveYou worm.

"It's definitely possible. It makes me a bit uncomfortable," said Shawn Hernan, Computer Emergency Response Team (CERT) Coordination Centre team leader for vulnerability handling.

"I think it's an issue worthy of consideration, but I don't think the palm tops have become critical devices for many people."

Hernan said there are two trends emerging in the wireless field that should ultimately determine its e-mail virus vulnerability fate; namely, how much more powerful and consolidated will portable general-purpose computers become and how important a role will very specialised computers with limited functionality encompass?

At least two antivirus security vendors in Europe said they received calls last week from consumers who claimed their wireless phones were spammed with "propaganda" language denouncing Spanish telecomms giant Telefonica.

The day after news of the Visual Basic Script (VBS)-based e-mail worm, dubbed Timifonica, surfaced, Telefonica released a statement denying those claims. According to reports, Timifonica did not carry a destructive payload or delete any files.

Security companies in Europe said the worm spread via e-mail through addresses in Microsoft Outlook and attacked wireless phones by sending SMS (Short Message Service) to random GSM (general standard mobile) phones through a gateway operated by Movistar.net. Movistar is a brand of Telefonica.

The spread of any virus or worm is governed by the tools of the population it is designed to attack, according to analyst James Kobielus at The Burton Group. Because of the non-existence of a vendor monopoly in the wireless market, and the thin-client nature of most of those products, Kobielus said any large-scale catastrophes are unlikely.

"There won't be that much of a mono culture in terms of wireless mail client implementation," Kobielus said.

"There will be vulnerabilities, but a virus targeted at one vendor's implementation of one vendor's client that's Web-enabled might not be able to disable or affect someone else's WAP [Wireless Application Protocol]. People who create viruses are looking for impact."

When considering wireless devices' limited memory and limited storage locally, incorporating stronger security features such as antivirus protection into circuitry would not be cost-effective (or virus pattern upgradeable) and might take away from their "quick and easy" compatible appeal, Kobielus added. He said true wireless protection must lie at the server level.

Tivoli Systems is attempting to address the low-profile security of wireless products by targeting WAP through enhancements to Tivoli SecureWay Policy Director and Tivoli Secureway Privacy Manager.

New capabilities in Tivoli Secureway Policy Director allow it to define and manage access to applications and data from pervasive devices using WAP.

Symantec has also developed antivirus technology for the Palm OS platform. The company will incorporate its antivirus engine to protect handheld computers and other portable devices and applications, Symantec officials said.

How the spam spread

* European wireless phones users were spammed with "propaganda" language denouncing Spanish telecomms giant Telefonica.

* Timifonica is a Visual Basic Script (VBS)-based e-mail worm * Reports said Timifonica carried no destructive payload or deleted any files.

* The worm spread via e-mail through addresses in Microsoft Outlook and attacked wireless phones through a gateway operated by Movistar.net.

Team eyes wireless security

By Natasha David

RSA Security is set to launch SSL (secure sockets layer) for wireless products such as PDAs and mobile phones, Computerworld has learnt.

RSA hopes to address some of the more pressing wireless security issues that affected European wireless users with technology specifically designed for wireless use by a Brisbane-based team of developers. Acknowledging the need to keep it small for performance reasons, RSA's senior vice president for worldwide sales, Tom Schuster, said: "The SSL for wireless use has a small footprint and bandwidth."

Additionally, RSA has developed secure ID on Wireless Application Protocol (WAP) phones, the RC5 algorithm standard, currently used in the Ericsson R380 mobile telephones.

And Schuster hinted when wireless usage becomes ubiquitous, the industry will see developments in wireless certificates and, in time, full PKI systems. However, he added, "The wireless market is still in its infancy worldwide."

Schuster explained this is because the world lacks a single wireless standard. And although the world is moving to a global standard, G3, this could be a slow and tortuous route, Schuster said. "Currently we have three wireless ‘standards' operating in the world - iMode in Japan, CDMA in US and GSM used everywhere else". And security for the wireless device market also faces several hurdles, Schuster said. "Data is held in the memory of these devices," he said, adding this makes wireless devices sitting targets for virus and "Add to this fact that their operating systems are basic, and the result is that in-built security is extremely low." There is also a pressing need for encryption of data transmitted via wireless devices, Schuster said.

"Information transmitted via WAP devices currently has to pass through two gateways - the WTML gateway which translates data to HTML," he said.

"This gives potential hackers two opportunities at the weak security points."

Join the newsletter!

Error: Please check your email address.

More about Burton GroupCERT AustraliaComputer Emergency Response TeamEricsson AustraliaGatewayJames KobielusMicrosoftRSA, The Security Division of EMCSchusterSymantecTelefonicaTivoli

Show Comments