Hackers Targeting Cell Phones

For malicious computer hackers and virus writers, the next frontier in mischief is the mobile phone.

A phone virus or “Trojan horse” program might instruct your phone to do extraordinary things, computer security experts say.

It might call the White House or the police with a bizarre hoax.

It might forward your personal address book to a sleazy telemarketing firm.

Or it could simply eat into the phone’s operating software, shutting it down and erasing your personal information.

Similar nasty tricks have already dogged cell phone owners in Japan and Europe.

“If a malicious piece of code gets control of your phone, it can do everything you can do,” said Ari Hypponen, chief technical officer of Helsinki-based F-Secure Corp., a computer security firm. “It can call toll numbers. It can get your messages and send them elsewhere. It can record your passwords.”

As cellular phones morph into computer-like “smart phones” able to surf the Web, send e-mail and download software, they’re prone to the same tribulations that have waylaid computers over the last decade.

“We should think of cell phones as just another set of computers on the Internet,” said Stephen Trilling, director of research at anti-virus software maker Symantec Corp. “If they’re connected to the Internet they can be used to transmit threats and attack targets, just as any computer can. It’s technically possible right now.”

In Japan, deviant e-mail messages sent to cell phones contained an Internet link that, when clicked, caused phones to repeatedly dial the national emergency number--equivalent to 911. The wireless carrier halted all emergency calls until the bug was removed.

In Europe, handsets’ short message service, or SMS, has been used to randomly send pieces of binary code that crashes phones, forcing the user to detach the battery and re-boot. A new, more sinister version keeps crashing the phone until the SMS message is deleted from the carrier’s server.

In the United States, relatively primitive cell phone technology keeps users immune from such tricks, for now.

Phone hacking is nothing new. In the 1970s, so-called “phone phreakers” made free phone calls--and even gained control of major phone trunk lines--by whistling certain tones into the receiver.

“It was easy,” said John Draper, 58, of Stockton.

Draper, now a designer of computer security software, is still known as Captain Crunch for pioneering the hacking of phone networks with the help of a plastic whistle that came in a box of the eponymous breakfast cereal.

“You could control the entire network, do anything an operator could do,” Draper said.

Now, at least three software companies have released personal security software for emerging smart phones, girding for a new wave of phone viruses and Captain Crunch-style tricks.

Hypponen’s F-Secure is one such firm, selling anti-virus and encryption software for smart phone operating systems made by Palm, Microsoft and the Symbian platform common in Europe.

Thus far, there have been no publicized reports of phone hacking or viruses, although viruses have attacked hand-helds running the Palm operating system. Microsoft predicts deviant code will soon emerge for hand-helds running its Pocket PC software. Both operating systems are expected to be used increasingly in smart phones.

A virus is a piece of malevolent code that self-replicates, while a Trojan horse does not but can be just as destructive. The pranks in Europe and Japan created virus-like havoc, but did not propagate like a full-fledged virus.

For virus writers who crave notoriety by wreaking maximum havoc, there are still too few smart phones, and no widespread software platform to attack, Hypponen said.

That is starting to change.

Until recently, cell phone operating systems were “closed,” unable to download software. But new smart phones--like the Nokia Communicator, Handspring’s Treo, Motorola’s Java Phone and Mitsubishi’s Trium-Mondo--are open to such third-party downloads.

At the same time, software developers’ tools available for designers of such programs as games and currency converters can also be used to create malicious applications, Hypponen said.

“It’s possible for anyone to make custom software for this platform,” he said. “Teens can download development tools and write their own software.”

It’s these third-party programs that worry experts. If one is disguised as a Trojan horse, an infected phone could make some calls on its own.

Soon, mobile phone owners will be obliged to install security software like “personal firewalls” that used to be reserved for Internet servers, said Prakash Panjwani, a senior vice president at Certicom Corp., a computer security firm in Hayward, Calif.

Cell phone users can avoid this, of course, by sticking with their old “dumb” phones, said Alan Reiter, a wireless consultant in Chevy Chase, Md.

“There are trade-offs,” said Reiter. “Do you want a phone with a tiny monochrome screen where you can only make phone calls? That’s much more secure.”