, SecurityFocus 2000-06-14
Handheld and mobile phone malware is a remote threat today, but inevitable in the future, experts say. Is it too soon to inoculate your Palm?
If you want to try to put 50,000 fingerprints on a Palm device, you're not going to have any room for other applications.
In today's mobile computing and telecommunications environments, viruses and other malicious programming code don't attack handhelds or cell phones. There simply isn't the mass exchange of data such as email attachments or other programs as with wired computing environments, experts say.
These handy technological marvels are still largely localized and constrained by memory and bandwidth. When downloaded data is exchanged today over handheld devices, it is spread among relatively few users -- similar to computing in the early 1990s when malicious code was present but largely impotent because few shared it.
But as wireless platforms mature and proliferate to accommodate new programming environments and applications, some computer security experts are warning manufacturers and end users to keep their guards up. Meanwhile, experts are trying to figure out how best to shoehorn anti-virus software into devices already cramped for memory.
Researchers at the AntiVirus Research Center at Symantec Corp., Cupertino, California, last week raised the bar by demonstrating a scanner-based, fingerprint detection system for the Palm OS platform, calling it the first anti-virus technology for handhelds.
Carey Nachenberg, chief researcher at the Symantec center, says while the threat is largely nonexistent today, manufacturers and designers of operating systems will be wise to build anti-virus solutions into future product generations, particularly as devices gain more power and capability.
"The Palm pilots and Windows CE devices can absolutely harbor computer viruses. We just haven't seen it yet," says Nachenberg. "My suggestion in that space is that in the next generation of these products they should really engineer these devices to make them less available for computer viruses to run on."
Nachenberg explained that as mobile devices become more popular and programming environments more available, virus mischief-makers will look to attack them.
Already earlier this month some Spanish mobile phone users received a scare from a virus called Timonfonica, widely publicized as the first worm to infect these devices. While it turned out to be relatively harmless - merely sending annoying messages to mobile phones -- Nachenberg says it is an indicator of what's possible.
"It is something that can definitely happen as these devices start running arbitrary software," Nachenberg says.
Larry Cosgrove, marketing manager for Toronto-based Diversinet Corp., which builds security solutions for wireless devices like pagers, smart phones and personal digital assistants, agrees the threat will be real down the road.
"If you're just downloading a to-do list or something, then merely encrypting the stuff may be good enough," says Cosgrove. "But the moment I start to access very confidential and personal data, like trying to move money between bank accounts or placing stock order trades on margin, if that type of information is abused it is really going to cost somebody an awful lot of goodwill. It's like playing with fire."
Diversinet's solution is to build security into the individual device, rather than on a network or through software, Cosgrove says.
Nachenberg acknowledges that Symantec's scanner-based fingerprint system isn't a long-term solution. "If you want to try to put 50,000 fingerprints on a Palm device, you're not going to have any room for other applications. Right now our initial version is for the short-term," he says.
Dan Schrader, chief security risk analyst at Trend Micro Inc. of Cupertino, California, a Symantec competitor, says writing anti-virus software for handheld devices right now might be overkill. Things will change, he agrees, but it's not clear when.
"The overall risk level right now is relatively low, and we certainly wouldn't recommend that people put anti-virus software on their Palm Pilots and cell phones," Schrader says. "And it's hard for us to understand how one can buy a product like that and know it works when no one has written any of these nasty programs,"