PC Today Article - Is Your Cell Phone A Target?

Subscribe Today

Contact Us

Register Now

Home | Tech Support | Article Search | Subscribe & Shop

Is Your Cell Phone A Target?

Email This

Print This
View My Personal Library

Communications June 2006 • Vol.4 Issue 6 Page(s) 10-12 in print issue	Add To My Personal Library
Is Your Cell Phone A Target? Just Because You’re Paranoid . . .

In a relatively short time, cell phones have become ubiquitous. It’s no longer unusual to see someone chatting on a cell phone. In fact, individuals who don’t have a cell phone are often considered oddities, even if they plead concerns about security or privacy issues.

Their concerns may not be as unfounded as you think. With an outbreak of viruses and worms designed to infiltrate phones, the recent revelation that anyone can easily access your phone records, and the ever-present reality of phone spam, you may want to consider letting your cell phone disappear into the recesses of your couch where it can keep the remote company. If parting with your cell phone isn’t a possibility, then it’s time to learn about the threats and effective ways of dealing with them.

Security Issues

If you haven’t been paying attention lately, you may be surprised to learn that many cell phones, smartphones, and other personal communication devices are vulnerable to the same threats as desktop and laptop computers. Viruses, worms, and Trojan horses are just a few of the malware types that can take possession of your cell phone.

The first mobile malware in the wild, the Cabir worm, surfaced by June 2004 and targeted mobile devices using the Symbian operating system. Some of the most popular cell phone systems, including models from Nokia, Samsung, and Sony Ericsson, use the Symbian OS. Less than a month later, Windows Mobile for Pocket PC devices were under attack, too.

The Cabir worm took advantage of phones with Bluetooth wireless capabilities. A cell phone infected with the worm could copy itself to other Bluetooth-enabled phones within range (around 30 feet, at most). Fortunately, this first worm did nothing more malicious than copy itself from phone to phone. But it was a wakeup call to cell phone users who until then had felt safe.

After Cabir, malware developers got serious. The Drever virus had to be downloaded and installed, but once installed, it disabled Kaspersky Lab’s antivirus software for Symbian-based phones.

The most recent confirmed malware is RedBrowser, a Trojan that spreads disguised as an application. RedBrowser promises that you can browse WAP (Wireless Application Protocol)-enabled Web sites without using a WAP connection. The application supposedly does this by sending and receiving free SMS (Short Message Service) text messages. Instead, RedBrowser sends SMSes to premium rate numbers that charge $5 to $6 per message. RedBrowser is a Java application and can run on any phone that supports Java, although you must download and install the application in order for it to take effect.

As of March 2006, researchers at MARA (Mobile Antivirus Research Association; www.mobileav.org) say they have received an anonymous proof-of-concept virus called Crossover that reportedly can infect both PCs and mobile devices that run Windows Mobile. The virus reportedly copies itself to the desktop’s Windows Registry and then waits for a Windows Mobile device to use ActiveSync. During the sync process, the virus attempts to erase files on the mobile device.

What to do. There are several steps you can take to protect your phone from attack; many of them are similar to the steps you take to protect your PC.

Never download files from unknown or untrustworthy sources. Ringtones, games, themes, and utility programs are all popular vectors for malware to gain access to a mobile device.

Turn off services you are not currently using, such as Bluetooth or Beam services. Some malware uses Bluetooth to propagate itself to any Bluetooth-enabled device within range; malware could also use the Beam function in a similar fashion if your phone accepts IR from unknown sources.

Install an antivirus system. Many cell phone companies have started offering their phones preconfigured with antivirus software. You can also obtain antivirus software online from third-party software vendors.

Always maintain a recent backup of your phone’s data. If you use your PC as your backup solution, you must have antivirus software on both your PC and your phone before syncing. This ensures that you only back up your data, and not any malware that may be present on your computer.

Trend Micro (www.trendmicro.com) is one of the few third-party developers of antispam tools for text messaging that also offers the tools directly to the public.

Privacy

Privacy concerns span several areas, including your conversations, data, and location.

Conversations. The most obvious privacy issue is the expectation that your conversations are safe from eavesdropping. Today’s digital cell phones have made eavesdropping more difficult than it was in the past. When analog cell phones were common, listening in on a conversation was as simple as using a shortwave radio or a police scanner.

Digital cell phones use a number of techniques to prevent unwanted reception, including encryption and the use of spread spectrum (sending the signal over multiple frequencies), which together make it nearly impossible to casually intercept cell phone conversations.

Early GSM (Global System For Mobile Communications)-based cell phones were vulnerable to man-in-the middle attacks. This form of attack was theoretically possible, although there is no evidence it was ever used. In a man-in-the-middle attack, a phony cell base station is placed close to the target. A cell phone would connect to the closest, strongest signal: the phony base station. The fake base station would then tell the phone that it had connected to a base station in a foreign country, one where encryption is not allowed. The handset would dutifully switch off encryption and continue broadcasting the transmission in the clear. Current GSM-based phones use a new standard that makes a fake base station attack unlikely to be successful.

Data. Your data, in the form of your billing records, is nowhere near as secure as your conversation. In fact, this data seems to be up-for-sale to anyone with the cash to purchase it. This sad reality was catapulted into the news in early January, when the Chicago Sun Times reported that the Chicago police department was warning its officers that their cell phone records were available, for a price, online. The call records could help criminals track down informants who routinely place calls to officers, as well as reveal the identity of officers’ family or friends.

In March 2006 researchers at MARA (Mobile Antivirus Research Association; www.mobileav.org) received ananonymous proof-of-concept virus called Crossover that is designed to infect both PCs and mobile devices that run Windows Mobile.

A few days later, the story was picked up nationally, when the phone records of General Wesley Clark were made available to a national news source after purchase from a Web site that sells cell phone records. Even more outrageous was the FBI’s conclusion that it didn’t appear that any federal law had been violated. This type of sale of cell phone records has been known in the industry and Congress since at least 1998, when hearings were held concerning the issue of acquiring call records fraudulently. The recent news coverage, however, seemed to move Congress to serious action. By early March, the House and Senate passed legislation imposing penalties of up to $500,000 for fraudulent obtainment of calling records.

The passage of legislation does not remove the possibility of others obtaining your calling records. It only makes the brazen sale of them on freely accessible Web pages unlikely to continue.

What to do. Beyond the basics, there isn’t much you can do to protect your calling records. Don’t give out personal information freely, especially not your cell phone number.

Location. Until recently, location information was very general and not easily available in real time. It was possible to look through your calling records and see which cell tower your cell phone used at any specific time. But because these records were not available until the phone company ran a billing cycle, no real-time data was available.

Most new phones contain a GPS (Global Positioning System) chip, which can determine your coordinates fairly precisely. The GPS chips are being added in order to comply with the FCC’s E911 initiative, which requires a cell phone company to be able to pinpoint a customer’s location within 100 meters so that emergency response teams can reach a customer quickly in the event of an emergency 911 call.

This is a great use of the technology, but it also has the potential to disclose your location whenever your cell phone is turned on. This tracking capability has already been sought by justice department officials (so far, unsuccessfully), who have asked for warrants to be served to various phone operators, compelling them to provide real-time tracking information.

With the advent of E-911, other companies, such as uLocate (www.ulocate.com), soon started providing additional location services. These services range from using your phone’s GPS information to show your current location on a map to letting you know where your children are 24 hours a day. Some services even use text messaging to let you know when a specific event occurs, such as when your child reaches or leaves school.

Tracking services aren’t just for parents and friends. Companies that provide cell phones to their employees can receive tracking information about an employee’s current location. This type of tracking can be handy for a delivery but may also have ominous overtones, such as leading to a poor review for spending too much time in the lunchroom.

Currently, the privacy policies of most companies involved in location tracking restrict the use to the owner of the cell phone or the parent of a minor who owns or uses the cell phone. If you have a company-provided cell phone, be aware that you are not the owner. Your company can choose to use a location tracking service without your overt consent.

If you use your desktop PC for backing up your phone’s data, you must have antivirus software installed on both the PC and the phone before syncing any data. (Shown here is the Nokia N70 with Nokia Lifeblog 2.0; www.nokia.com.)

What to do. Most phones with tracking capabilities include settings for when the tracking system is enabled. In most cases, the options are Only During 911 or Always. Be aware that tracking capabilities can be active whenever a phone is turned on, not just when it is in active use. Every few seconds, a cell phone that is turned on queries cell phone towers to determine that it is in range and has service; this produces the information necessary for location tracking.

Spam

Your cell phone is as vulnerable to spam as your computer. Cell phone spam is insidious. Not only does it clog up your phone text messaging, but in most cases, as the receiver, you pay a few pennies for each incoming message. The majority of spammers launch their text message spam from overseas, making prosecution difficult.

What to do. Some cell phone operators have spam-filtering systems active within their networks. Most also have tools available that you can use to prevent text message spam.

If you receive a great deal of text message spam, document the calls and notify your carrier. The company should be able to help prevent the calls, as well as issue a credit for the message costs.

Keep It Or Toss It?

At this point, you may be having second thoughts about having a cell phone. But a few simple precautions can help keep your phone from being an attractive and accessible target.

by Tom Nelson and Mary O’Connor

Home Copyright & Legal Notice Privacy Policy Site Map Contact Us