Finding a cure for viral cells

Last month, one of the first known viruses to hit a cellular phone was found on Nokia Series 60 handsets. News of the event came from two sources: Kaspersky Labs in Moscow and Symantec in Santa Monica, Calif. The insidious bug, known as Epoc.cabir, displays a message — “caribe-Vz/29 !” — and installs eight files into a directory. The viral code runs each time the phone is restarted and attempts to send itself to the first Bluetooth-enabled device it finds — even a printer.

Although Epoc.cabir seems harmless so far, the message is clear. As cell phones become network-connected miniature computers, complete with standard operating systems and open APIs, they will be subject to the same attacks that plague other networked devices.

The biggest threat to data phones — also known as smartphones — comes from so-called piggyback viruses, according to Trevor Fiatal, chief security officer at cellular infrastructure vendor Seven.

Unlike worms that self-replicate, piggyback viruses latch on to data that is transferred to devices or downloaded from the Internet. Potentially, a piggyback virus could send a copy of your contact database, or any other file, to an undisclosed server.

The bigger threat — that of a virus working its way from the cell phone back to your corporate network — is unlikely at present. But when you set up a VPN session over the Internet from your handheld, says Sal Visca, CTO at Infowave, “You might have some issues.”

When I suggested to Visca that smartphones will one day become part of the enterprise infrastructure, he responded quickly. “[Security] will be an IT nightmare,” he said.

As with all computer viruses, the easiest way to contract a virus on your mobile handset is to download a personal application. It might be a free chess game you want to try or something for the kids, but if that application was infected with viral code, you’ll unwittingly bring it back to the office.

There is one measure that the carriers can take to prevent this kind of problem, but some may find it as onerous as the attacks it purports to defend cell phone users against.

Smartphones based on Microsoft Pocket PC Phone Edition or Palm OS come with an optional digital signature capability that can be invoked by the carriers. If used, the carrier can stop any application from being downloaded to your device unless the carrier has approved its code in advance.

Unfortunately, this will take us back to the bad old days of the walled-garden approach. Thousands of applications would have to first pass muster from the carrier and go through its approval process before you could install them. And I wouldn’t be surprised if there were a fee involved.

Seven’s Fiatal tells me that British wireless carrier Orange already tried this, but there was such a hue and cry that it backed down. Ultimately, the measures Orange took made the barrier to entry so low that they offered no real security anyway.

Whether or not the practice could work in the United States, the digital signature component is currently available for use only by the carriers, not the enterprise. Still, IT departments can implement a similar policy within their own organizations. For now, I suggest a policy that forbids unapproved applications on company handsets. In the long run, however, we will need better mobile management software that can cope with cellular viruses on an enterprise scale.