UK CONTACT -- Claire Bowles, New Scientist Press Office, London
claire.bowles@rbi.co.uk
44-20-7331-2751
US CONTACT -- New Scientist Washington office
newscidc@idt.net
202-452-1178
Mobiles are fertile ground for e-bugs of the future
In the wake of the Love Bug virus attack, computer scientists are warning that future viruses aimed at intelligent mobile phones and personal digital assistants (PDAs) may be even worse. They could record your conversations and forward them to others, delete money from "electronic wallets", or perhaps rack up huge telephone bills. "These viruses could spread rapidly in future," predicts David Chess, an antivirus researcher at IBM's T. J. Watson Research Center in Yorktown Heights, New York.
Computer viruses attack devices that are programmable, and spread when there is some link between one device and another. Early viruses spread mainly via infected discs handed from user to user. Today the main avenue of infection is by e-mail.
"The thing that makes viruses a threat is that we're so well connected," says Charles Palmer, a specialist in network security and cryptography research at IBM. This suggests there is a huge potential for viruses to spread via future programmable mobiles.
In current and next-generation phones, and in PDAs, designers have several ways to prevent virus damage. First, they can limit the devices' programmability, leaving them without the capacity to run viruses. Current phones already fall into this category-but future generations will be much more capable.
Another option is to store important programs in read-only memory so that a virus cannot overwrite them. "The drawback then is that the phone cannot be upgraded," says Edward Felton, a computer scientist at the Secure Internet Programming Laboratory at Princeton University in New Jersey. And this strategy cannot protect data that the user adds, as it must be stored in a writable memory. "A virus that changes your mom's number to a premium-rate number in Nigeria could rack up huge bills," says Palmer.
Finally, it is possible to ensure that a phone's built-in programs are separate, so that one program cannot start another. If the virus cannot dial out, it cannot spread.
But researchers say there is huge pressure on cellphone designers to add functions, and that this will increase the chances of infection. "If somebody sends you a telephone number by e-mail, you want to be able to click on that number to dial it," says Avi Ruben, a specialist in Internet security at the AT&T Laboratories in Florham Park, New Jersey. "I know that there are prototypes in development that allow this kind of threat," adds Felton.
When e-mail attachments can trigger other applications, they could dial out, start recording software for personal surveillance, or wipe out the contents of files such as electronic wallets.
However, Charles Davies, chief technology officer for the British PDA maker Psion, argues that this scenario is unlikely, at least for devices that run the widely used EPOC operating system, which he helped to design. "I don't want to seem smug or complacent but I just don't see it as a big threat," he says.
Palmer sees the way forward in mathematical proofs that show whether a system is secure, and calls for more research into the area. "It's the only choice we have in the long run," he says.
Author: Justin Mullins
New Scientist issue: 20th May 2000
Please mention New Scientist as the source of this story and, if publishing online, please carry a hyperlink to: http://www.newscientist.com