SecurityFocus 2002-10-29
Mobile phones packing Java virtual machines are gaining in popularity, and are headed for American shores. Will they be the next arena for malicious hacking?

Java phones are coming to the U.S., bringing with them a second chance for mobile applications, and, experts caution, a new platform for malicious code.
"It's going to be an issue," says Tony Davis, acting CEO of Tira Wireless, a Toronto startup that certifies and publishes J2ME (Java 2 MicroEdition) applications. Davis already uses a Trojan horse program when he makes sales calls. "When I meet with European carriers, I pull up a phone and show them a car racing game that's actually not just that, it's sending a huge amount of traffic back and forth," Davis says. "I tell them, your customer is going to get a bill for 500 pounds at the end of the month, and who are they going to come after? You."
Davis didn't get his racing game in the wild. He uses it to make his point that carriers should offer certified applications. At the same time, "it's very, very simple and easy to do."
Malicious code can be used to cause cell phones to freeze up, or to connect to Web sites. Data interception is also possible, and theoretically a virus or worm could attack a device, though replicating itself seems unlikely.
Java phones have been in European and Asian markets for some time, and are gaining popularity -- largely because of their ability to play interactive video games.
Davis notes that the world's biggest handset maker, Nokia, expects seven in ten of its phones to ship with J2ME by the end of the first quarter of 2003. The first Java phones are now shipping in the U.S., in phones used by Nextel, Sprint and others.
On a one-to-five scale, where five means no problem, "right now, the issue is a four," says Andy Seybold, president of Outlook4mobility. Seybold thinks it won't get much worse, because Sun Microsystems has told him it plans to step in and build certification services and other elements around J2ME, much like what Qualcomm has done with its BREW (Binary Run-Time Environment for Wireless). But he does note that if Sun moves too slowly, the security issues won't be just a game.
Seybold says the longer-term issue will come as Java transforms phones into data devices, even in the U.S.
"You're going to see lots of them, and you're going to have lots of Java applets."
The J2ME platform itself is fairly secure -- for instance, code runs in a virtual "sandbox" that prevents it from accessing other data stored on the phone. It also runs most applications locally, limiting data transfer. But if the technology sees Java applets take off in the way other wireless data applications have not, there are potential issues.
Multicasting applications require better security provisioning in general, and some parts of J2ME, such as the Mobile Information Device Profile, or MIDP, can't use certain security features of standard Java, largely because of limited memory. Companies also might build proprietary extensions to J2ME, which may offer potential for virus writers or other malicious hackers. Seybold expects that someone will write an effective virus for Java phones, over time. But for right now, the signal is clear.
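The sandbox described above keeps a MIDlet away from other data on the phone, but it does not stop a "racing game" from opening network connections, which is exactly what makes Davis's demonstration Trojan work and why he argues carriers should certify what they publish. The following is an added example, not code from the article or from Tira Wireless: a small carrier-side review of a J2ME application descriptor (.jad file) that flags suites asking for network access and refuses them unless the suite is signed. The attribute and permission names follow the MIDP 2.0 descriptor format; the two descriptors are constructed here, and the policy (network access requires a signature) is an assumed certification rule, not one the article states.

```python
"""Offline review of J2ME application descriptors for a certification pipeline.

Added example (not from the article). Attribute names (MIDlet-Permissions,
MIDlet-Jar-RSA-SHA1, MIDlet-Certificate-1-1) and the permission strings are
those of the MIDP 2.0 descriptor format; the sample descriptors below are
constructed for this example, and the 'network requires a signature' rule is
an assumed carrier policy.
"""

# MIDP 2.0 / WMA permission names that let a MIDlet move data off the handset.
NETWORK_PERMISSIONS = {
    "javax.microedition.io.Connector.http",
    "javax.microedition.io.Connector.https",
    "javax.microedition.io.Connector.socket",
    "javax.microedition.io.Connector.serversocket",
    "javax.microedition.io.Connector.datagram",
    "javax.microedition.io.Connector.datagramreceiver",
    "javax.microedition.io.Connector.ssl",
    "javax.wireless.messaging.sms.send",
}

REQUIRED_ATTRIBUTES = (
    "MIDlet-Name", "MIDlet-Vendor", "MIDlet-Version",
    "MIDlet-Jar-URL", "MIDlet-Jar-Size",
)

# Constructed descriptor: a "game" that quietly asks for HTTP and raw sockets
# and carries no signature at all (the Trojan scenario from the article).
RACING_GAME_JAD = """\
MIDlet-Name: TurboRacer
MIDlet-Version: 1.0.2
MIDlet-Vendor: Example Games (constructed)
MIDlet-Jar-URL: http://downloads.example.invalid/turboracer.jar
MIDlet-Jar-Size: 48213
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.0
MIDlet-1: TurboRacer, /icon.png, com.example.racer.Main
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.socket
"""

# Constructed descriptor: a purely local puzzle game requesting nothing.
PUZZLE_JAD = """\
MIDlet-Name: PuzzleBlocks
MIDlet-Version: 2.1
MIDlet-Vendor: Example Games (constructed)
MIDlet-Jar-URL: http://downloads.example.invalid/puzzle.jar
MIDlet-Jar-Size: 19877
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.0
MIDlet-1: PuzzleBlocks, /icon.png, com.example.puzzle.Main
"""


def parse_jad(text):
    """Parse the 'Key: value' lines of a descriptor into a dict.

    Keys are case-sensitive in MIDP, so they are kept as written; blank lines
    and lines without a colon are ignored.
    """
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def requested_permissions(attrs):
    """Union of required and optional permissions declared by the suite."""
    perms = set()
    for key in ("MIDlet-Permissions", "MIDlet-Permissions-Opt"):
        for item in attrs.get(key, "").split(","):
            if item.strip():
                perms.add(item.strip())
    return perms


def is_signed(attrs):
    """A signed suite carries the JAR signature plus at least one certificate."""
    return "MIDlet-Jar-RSA-SHA1" in attrs and "MIDlet-Certificate-1-1" in attrs


def review_descriptor(text):
    """Return a list of findings; an empty list means nothing to object to."""
    attrs = parse_jad(text)
    findings = [f"missing required attribute {k}"
                for k in REQUIRED_ATTRIBUTES if k not in attrs]
    network = sorted(p for p in requested_permissions(attrs)
                     if p in NETWORK_PERMISSIONS)
    if network:
        findings.append("requests network access: " + ", ".join(network))
        if not is_signed(attrs):
            # Assumed carrier policy: anything that can generate airtime or
            # data charges must be signed before it is published.
            findings.append("network access requested by an unsigned suite; "
                            "refuse or route to manual review")
    return findings


if __name__ == "__main__":
    for name, jad in (("TurboRacer", RACING_GAME_JAD), ("PuzzleBlocks", PUZZLE_JAD)):
        print(name, "->", review_descriptor(jad) or "no findings")
```

The check is deliberately descriptor-only, so it runs before the JAR is ever installed on a handset; a real certification step would also verify the signature chain and compare the declared permissions against what the bytecode actually calls.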