Hoaxes

BrianD3 · 11-11-2003 8:59pm #1

Was listening to the Last Word today. There was a guy on from "Ritz Technology Consultants" warning about the dangers of mobile phone viruses, malicious text messages etc. Now I don't know much tech stuff but I am aware that most (all?) of these alerts are BS hoaxes. Is this correct?

If this is the case then what the hell is some muppet doing on the national airways spreading myths, making people paranoid and calling himself a "techology consultant". Did anyone here catch the interview and what did you make of it?

BrianD3

Duritz · 11-11-2003 9:17pm

not entirely, it hasnt happened to me, but i can see how you could get these kind of things.

For example: On the nokia.com website u can get them to send u configuration settings via sms for WAP/GPRS/MMS...and it then alters the settings on your phone once recieved. I dont know what kind of software/hardware does this, but if it was to fall into the wrong hands (which could possibly happen) then there could be some bad things going round.

Fidelis · 11-11-2003 10:12pm

Transmission of malicious code to phones via text messages et al is a very real threat. No one's exploiting this yet.

The Corinthian · 11-11-2003 10:50pm

Originally posted by Fidelis
Transmission of malicious code to phones via text messages et al is a very real threat. No one's exploiting this yet.

Not really. The only things that may be sent via text message are ringtones, operator logos, OTA WAP settings and the like. All of these require that the user accept them and none of these can really be called malicious.

One possible exception might be WAP push which uses SMS to sent the intitial service indicator or loader. Some handsets have been reported to accept WAP Push messages without prompting the user and could indeed include malicious WML or WMLScript code, although how malicious depends on the device - for example the old Siemens S35/M35/C35 (not WAP push compatible) phones included a security hole that meant that one could force the phone to initiate a voice call without prompting, however, newer phones (that are WAP push compatible) don’t have this flaw.

Again sending a jar, jad or sis file to a phone using WAP push could prove interesting in so far as malicious code could be written, especially in the case of a C++ based application that could theoretically then propagate itself using the victims own SMS (or better still Bluetooth).

However, again installation of any application is accompanied with numerous user prompts and confirmations, WAP push as a means of passing such data is flaky at best and the penetration rate of the phones that would support WAP Push, any significant implementation of J2ME and C++ applications is still very low.

So for the most part, transmission of malicious code to phones via text messages et al is not a very real threat. The exception to this, though, is the transmission of malicious code in the form of a sis file to a Nokia Series 60 phone via Bluetooth. It’s amazing how people will accept strange messages over Bluetooth in a bar or nightclub, without question - chances are they’d accept a game too if offered...

BrianD3 · 11-11-2003 11:12pm

Good. Thanks TC for your detailed explanation. So, basically, the guy on the Last Word was a clueless imbecile. It's amazing that "consultants" like that can get away with spouting such crap over the airways. Problem is, most people don't know any better and will believe any BS they're told because they automatically assume that the "consultant" knows his stuff. People are also very gullible - just look at the countless hoaxes and urban legends doing the rounds by email.

BrianD3

Fidelis · 11-11-2003 11:59pm

I'm getting punished for not being specific :rolleyes:

However, I'm afraid I can't be any more specific. Although I would tend to consider someone remotely powering off a phone as malicious. All I will say is that there are security threats to particular mobile phones cropping up frequently.

It’s amazing how people will accept strange messages over Bluetooth in a bar or nightclub, without question

Naughty

The Corinthian · 12-11-2003 12:27am

Originally posted by BrianD3
So, basically, the guy on the Last Word was a clueless imbecile.

I don’t know, I can’t comment on the case you described.

I do know from experience that journalists will attempt to manoeuvre you into supporting stories such as the threat of mobile viruses and similar. I also know that there are a lot of charlatans in the mobile technology industry. FUD (Fear Uncertainty Doubt) sells at the end of the day.

Originally posted by Fidelis
However, I'm afraid I can't be any more specific. Although I would tend to consider someone remotely powering off a phone as malicious. All I will say is that there are security threats to particular mobile phones cropping up frequently.

Almost all the devices have security flaws if you look for them. However often to exploit them you would have to set up a pretty unlikely scenario in a controlled environment to facilitate the exploit. Then there’s the market penetration of the phones themselves - hardly worth anyone’s while to develop an exploit for a phone that has a whole 2% of the market, is it?

Can it be done? Undoubtedly.

Can it be done outside a controlled environment? Possibly.

Is it presently a very real threat to Joe Public? Not really.

Mobile virus will become more of an issue the closer we come to having a standard OS on phones that allows third party applications. We’re beginning to see that, but it’s not really there yet.

As a caveat, however, self-propagating sis files for Nokia Series 60 Phones. All you need is a small Symbian application that propagates itself by hijacking the users Bluetooth and sending copies of itself out. However, the only reason why this may be a real threat is because of Nokia’s market share.

Naughty

I know

Hoaxes

Comments