Mobile Phones

The expanded functionality of all mobile devices has also seemed to make them susceptible to all forms of attacks. Smart phones, which are cell phones that have some of the functionality of PDAs, can also be vulnerable to viruses. In June of 2000, Timofonica, a variant of the LoveLetter virus, spammed thousands of mobile phone owners in Spain. The virus routed mails through an Internet-to-cellular gateway. Virus hunters found themselves confronted with what might have been the first attempt to infect mobile phones. Somebody calling himself Timofonica—timo is Spanish for prank—sent a Short Messaging Service (SMS) message to a small number of subscribers to Spanish giant Telefonica's mobile phone network telling them that the company was ripping them off. Timofonica was relatively benign: Mobile phones can't run executable programs yet, so the virus couldn't replicate itself. However, many took this as a sign that mobile phones too, can be become targets of attack. Up to this point, mobile phones had been virus free.

Timofonica was a Visual Basic (.vbs) worm that used the Windows scripting host to infect the PC. For each address that Timofonica found in Microsoft Outlook, the worm then generated a random e-mail address for cellular phone users of MoviStar.net, a Spanish wireless e-mail provider. If the user clicked on the attached .vbs file, it became infected, and the worm then destroyed the user's CMOS settings the next time the machine rebooted. The majority of text in the e-mail message was in Spanish; however, the second part of the text was various links to Web sites that listed Spain's telecommunication policies. Although administrators are not sure where the worm originated, it is assumed that it was created in protest against the phone monopoly in Spain.

In Japan, an attack on NTT DoCoMo's I-mode phone system came in the form of a relationship quiz that was coded for this specific phone system. Users would receive this e-mail quiz on their phone. The questions were worded and designed so that most people would be dialing “110” on their phones when they responded to the quiz. “110” is equivalent to 911 here in the United States. Japanese police report that there were hundreds of these calls. Although no data or financial loss resulted, Japanese emergency services could have slowed down or been obstructed.

Today's cell phones might be reasonably safe, but tomorrow's smarter phones will be more vulnerable. As is the case with most new technologies, additional features and functionalities usually imply additional security vulnerabilities, not to mention bugs. In the not-too-distant future, your smart mobile phone might be used for everything from being an electronic wallet to functioning as a digital ID. In all likelihood, the more powerful and versatile a phone becomes, the less secure it will be. And the sheer number of people who will be using mobile devices means that the potential to create havoc, for thrills or financial gain, will be enormous.

The other area of concern is ensuring that transactions made over mobile phones cannot be intercepted. Much like we discussed regarding clear text transmission of data in computer cables, the ability to sniff this kind of traffic is also of concern. This issue must be addressed if the general public is going to accept wire mobile commerce. Although some phones require PIN codes and built-in protocols for activation, full-fledged wireless commerce requires a higher level of certainty. Use of strong encryption to guarantee confidentiality and digital signatures to ensure authenticity will be required. This form of encryption relies on a public key and a private key for a transaction to be completed. The private key identifies the consumer wanting to buy an item from an Internet retailer, whereas the public key holds the identity of a business like Amazon.com. The private key can also be used to create and verify a digital signature. Some analysts say it will be several years before transactions can be made in a trusted and relatively secure manner. Until then, most people aren't too concerned about Timofonica-type viruses that don't directly affect the mobile phone.

Disposable Phones

Disposable cell phones are becoming their own small industry. These types of phones are developed outside the U.S. and are slowing making their way into the U.S. market. From a privacy perspective, these types of phones can increase anonymity somewhat when making calls, but for this very reason, U.S. authorities are struggling to determine how law enforcement would be affected.

U.S. Attorney General John Ashcroft and FBI Director Robert Mueller cite disposable phones as potential roadblocks in the war on terrorism. Disposable cell phones come preloaded with a finite number of calling minutes, like a calling card. These slimmed down versions of phones are relatively inexpensive, such as $10–$30. They allow anyone to quickly and perhaps anonymously make phones calls, and the FBI relates this ability to terrorists using the technology for evil purposes.

Law enforcement's ability to eavesdrop on any phone conversation even without a wiretap warrant signed by a judge is being debated in the wake of the terrorist attacks on the U.S. The anonymity of the phones is still in question, and how they will affect or protect privacy is yet to be determined.