http://www.osnews.com/story/10099/Cell_Phone_Viruses_Real_Risk_or_Heavy_on_Hype_ Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Tue, 10 Nov 2009 07:46:51 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com http://osnews.com/thread? http://osnews.com/thread? Does there have to be open-source Unix involved for a platform to become secure?

It seems like only Linux, BSD and the Mac (all of them Unix-toolset and libraries) achieve that, while Windows and mobile phone operating systems don't.

So maybe Linux on smartphones is the only hope we have for an infection-free phone? Fri, 25 Mar 2005 02:25:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? no OSS doesn't automatically make a system virus free.

One can still hack a Linux box.

What gets disabled. Worms, automatic installed trojans, and about 90% of the existing virus attacks fail automatically.

Phishing attempts though will greatly increase.

Just remember if 90% of your security is known only to you then you can't verify with 100% accuracy that there are no holes. Security through obscurity is no solution.

The only thing that should not be known ny anyone else is your password. Just for all those biometeric fans take a good look, most fingerprint scanners can easily be fooled. Fri, 25 Mar 2005 02:46:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? For example, brew devices (such as Verizon phones with Get it Now), only allow you to download apps from distribution servers controlled by the carrier, and apps go through much testing before being placed on the servers.. However, if something did manage to get passed the testing, the carrier could easily pull offending app from distribution.. there still may be ways around this, but it is definitely safer than nokia bluetooth phones that apparently allow you to download apps over bluetooth..

of course, with brew, you can only get apps from the carrier, and testing frees are expensive, so there arent likely to be any hobbyist/open source apps. And, you cant easily develop your own apps (without spending a decent amount of money, etc).. Fri, 25 Mar 2005 02:54:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? I think those would be rather safe in general, just like most binaries for Windows or the Mac are pretty safe.

One big problem are worms that propagate over your bluetooth. Turn it on and poof, there's your worm. Just like Blaster on Windows a year ago. Fri, 25 Mar 2005 03:05:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? I have a symbian series 60 smartphone and based on the reports I have read on the net it this virus/worms need your "cooperation" to work: Every application before installation requires the user to accept it, twice... and for an application to get access to your MMS/Bluetooth it also ask for your permition first to grant access to the application.

Again this is a case of user knowledge on when to trust sources of applications... where to download and what to trust.

At this rythim it does not seem very likely to get "infected"... Fri, 25 Mar 2005 04:13:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? What does it take for people to become aware that security holes are problems? How many times do famous people have to have their phones hacked and their private lives ruined online before they get the fucking point?

Next thing you know they'll just install 'doze on all of them and let the viruses and worms come alive. Fri, 25 Mar 2005 08:00:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Maybe I should write a self replicating linux virus just to show it can be done. Tired of all these people thinking Unix is somehow immune to viruses. It just not a target, YET. If Linux catches on for desktop computing, you can bet on your life there will start to be problems with viruses. Fri, 25 Mar 2005 08:09:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? > Every application before installation requires the user to accept it
Thats right as long there is no security hole found.
But with a little social engineering it is very easy to get the user to accept the installation of the virus. And if the source of the MMS is from someone you know, it is very likly that you open it.
Symbian has no security, expect that the user has to accept to install the program. Once the virus is installed it has access to all phone functions, e.g. addressbook, open gprs connections, send sms/mms, bluetooth... Fri, 25 Mar 2005 09:05:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? It's a real threat on symbian phones and other units that run Java, because it could potentially compromise your address book, text messages and possibly even stored passwords from what I understand. However, as always, the BIGGEST risk in security, no matter what, is people.. not technology. Fri, 25 Mar 2005 11:26:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? The real problem right now isn't viruses. They are only a minor problem. The real problem is the radiation that is given off. The big companies have worked to push a 28 million dollar study linking cell phones to DNA scrambling under the table. There have been a few confirming it, and they fear they may cause cancer. That's the bigger story with cell phones.

So, be careful and use an earpiece to be safer! Fri, 25 Mar 2005 14:07:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? QUOTE:
One big problem are worms that propagate over your bluetooth. Turn it on and poof, there's your worm. Just like Blaster on Windows a year ago.
/QUOTE


What??? DO you even own a Bluetooth phone? You dont just "get" it when you turn on bluetooth! You need to be in the vicinity of an infected device, have bluetooth on, AND accept the file transfer and RUN the application in order to get infected Fri, 25 Mar 2005 14:10:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? When will people and companies get it through their heads. You SHOULD NOT have to buy virusprotection software for your phones or firewalls for your phones. Let's put pressure on the manufactures of these devices early to take SECURITY seriously.

Manufactures need to FULLY test and implement security aspects of bluetooth, beef up wireless network (GSM/CDMA) security, and do more code review on their smartphone OS implementation. They need to have more stable releases and take security and testing serious, not just worry about being the first to market. Unfortunetly this isn't going to happen unless users and companies start pushing back on the manufactures because of security concerns. And this isn't gonig to happen when the first reaction to a sidekick being exposed is for everyone to run to the store to buy one of these because they found out about the cool features from what info Paris had on her phone.

Ugh, it's never going to end. Just start saving to buy your virusscanners and firewall add ons for your smartphones in the near future, what was I thinking.... Businesses and the public are cattle... someone please prove me wrong... Fri, 25 Mar 2005 15:52:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? > Symbian has no security, expect that the user has to accept to install the program.

What a load. Tell me, how is this different from any other type of OS? People need to know the difference between root exploits and user-level exploit. If you're asked to install an application, it's essentially user-level. You're basically just granting administrative privileges to the users, rather than letting it be controlled by the Cell phone carriers and manufacturers.

It seems to me that people argue on both sides of the fence on this issue. There was recently some debate about how people hate that the carriers are interfering with Motorola wanting to allow users to download iTunes songs to the Cell. So... users having full control is good, right? Suddenly, when it comes to Bluetooth/Symbian worms, people are arguing that giving users the power to install programs makes them susceptible to attacks.

So what do you want? Control? or no control? The only way to assure unhappiness is to let the businesses make the decision for you. Fri, 25 Mar 2005 16:03:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Why should I care? I will download and run any application I want, not install protection software and don't care about viruses at all.

If this makes my phone crash, I will return it to the store because it's broken.

If the phone displays ads where no ads should be, I will return it to the store because it's broken.

If my personal data is leaked to someone I didn't allow it to be leaked to, the phone manufacturer and/or the network company has possible broken the contract and certainly broken law. It is their task to fix the problem.

Should there be any resistance from the phone manufacturer or the network company to fix the mistakes they have done, it is most likely time to get into court - together with a million other disappointed users. Maybe the trial will be a success. Certainly, those users will switch their phone/network provider.

Remember: As a customer, you have the power to spend your money elsewhere. Fri, 25 Mar 2005 16:10:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Actually the new release of SymbianOS, version 9 which IIRC is what Series 60 v3 and UIQ v3 is based of has security features implemented to prevent exactly these kinds of "applications". So while it seems to be an issue with older versions executing malicious code it should be substantially harder on version 9 based devices. Knock on wood. But you have to remember that this is a completely new field and traditional security models such as passwords, users and capabilities are probably not the ideal solutions for your smart phone. They have to be kept simple. Fri, 25 Mar 2005 16:37:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? QUOTE:
You're basically just granting administrative privileges to the users, rather than letting it be controlled by the Cell phone carriers and manufacturers.
/QUOTE


ehhhhh, no. I want neither the manufacturer NOR the carrier to have admin rights to my phone. That is just plain wrong. Fri, 25 Mar 2005 17:38:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? QUOTE -----
Why should I care? I will download and run any application I want, not install protection software and don't care about viruses at all.

If this makes my phone crash, I will return it to the store because it's broken.

If the phone displays ads where no ads should be, I will return it to the store because it's broken.

If my personal data is leaked to someone I didn't allow it to be leaked to, the phone manufacturer and/or the network company has possible broken the contract and certainly broken law. It is their task to fix the problem.

Should there be any resistance from the phone manufacturer or the network company to fix the mistakes they have done, it is most likely time to get into court - together with a million other disappointed users. Maybe the trial will be a success. Certainly, those users will switch their phone/network provider.

Remember: As a customer, you have the power to spend your money elsewhere.
----- QUOTE


again... NO
YOU install an application on your phone from a non-carrier source - the phone breaks, the carrier has no obligation.

If your phone gets spam from places other than your carrier - its your problem not the carrier's

If your personal data is leaked AND you don't own a Sidekick then you have no right to sue the operator, it again is your problem (sidekicks are different because it is all stored on the server)

If there is any resistance from the carrier to fix it, go somewhere else, but the other carriers willtell you the same thing - and the court is NOT on your side on this.


Carriers are out there to provide services, they make NO money on handset sales. Manufacturers cannot be sued either, because there is something called a warranty. You do something to void it, you get no help.


People like you baffle me sometimes Fri, 25 Mar 2005 17:43:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? > again... NO

Any carrier or manufacturer that arguments this way, and convinces me that a trial is of no hope, will just make me exercise my power to spend my money elsewhere.

> People like you baffle me sometimes

I expected that. If you think that virus-infected cell phones are a fair reward for the money you spent, go on by all means. The same goes for virus-infected computers, BTW. Fri, 25 Mar 2005 17:52:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? >Any carrier or manufacturer that arguments this way, and convinces me that >a trial is of no hope, will just make me exercise my power to spend my >money elsewhere.

I can only see you declaring to make your own cell phone company
NO mobile carrier will deal with what you described



>I expected that. If you think that virus-infected cell phones are a fair reward >for the money you spent, go on by all means. The same goes for virus->infected computers, BTW.

If you buy a device that is already infected, you are perfectly within your rights to return it. IF it became infected because of the consumer's negligence, then its your problem. Virues are made by malicious people who are out there to skroo you just for fun (or money). OEMs and ISPs of any sort don't owe you anything except what is in their TOS - period Fri, 25 Mar 2005 18:36:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? It depends on what exactly I spend my money for. If I spend money for a phone that can be extended by downloading software, and the packaging and manuals don't mention virii, then it should not be infectable. If it is infectable anyway, they simply didn't give me what I paid for, just as if I had opened the box and there was no phone at all inside. I would simply go to the shop and return it for that reason (which is perfectly legal in most countries AFAIK).

On the other hand, if it is declared as infectable, I would not buy it at all. Fri, 25 Mar 2005 19:16:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Of course the ISP has nothing to do with downloaded viruses. I mentioned the network provider for cell phones because I don't know how much the installation of software on cell phones is divided between the network and the phone itself.

This is clearer for desktop computers. They are not declared infectable by the vendors or manufacturers, but they clearly are. It has become some kind of common sense though, that "computers can catch viruses and never work anyway". Obviously, users are unconcious that they can vote with their money, otherwise the whole situation wouldn't exist. Fri, 25 Mar 2005 19:23:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? >Of course the ISP has nothing to do with downloaded viruses. I mentioned >the network provider for cell phones because I don't know how much the >installation of software on cell phones is divided between the network and >the phone itself.


Bluetooth has absolutely nothing to do with your provider's network. It's just a mechanism to create your own PAN (personal area network) and connect one device to another, or send a file from one device to another. It doesn't use CDMA, GSM, iDEN or any other cellular standard.

IF and only if an ISP pushes an update out to you without your knowledge -then and only then you would be able to take the phone back. Look at what happened with Danger, TMobile and their Sidekick, users were offline for two weeks! That is a legitimate "I'm goine elsewhere" stance, but if you don't protect your bluetooth, and you go download apps that might contain virues from the net, then as I said you are on your own :-) Fri, 25 Mar 2005 20:08:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? To be honest, I'd probably not buy such a phone even if it's not declared infectable, since it would lead to the same result as buying the phone and then returning it (and with a lot less hassle) Fri, 25 Mar 2005 20:20:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? There is an article in All About Symbian by Steve Litchfield that is woth reading about this issue.

http://www.allaboutsymbian.com/features/viewarticle.php?id=146 Sat, 26 Mar 2005 05:18:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? isnt the plural of virus "virii"? Sun, 27 Mar 2005 17:29:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? "isnt the plural of virus "virii"?"

no its viruses Mon, 28 Mar 2005 01:24:00 GMT donotreply@osnews.com (Anonymous) Comments