Dial V For Virus

Last week, reports emerged that virus writers had added the Cabir worm, which first appeared earlier this year, to Skulls. Cabir targets Symbian users—estimated earlier this year at 7 million by research firm the Yankee Group—and spreads through the radio network standard Bluetooth. Cabir by itself continually seeks other Bluetooth devices and eventually runs down a device's battery, but there's no indication it does lasting damage. By adding it to Skulls, the worm found a new way to spread through unwitting downloaders. That's what's most alarming about Cabir: It's capable of infecting other Bluetooth phones within a range of about 30 feet, meaning the worm could literally pass between two cell-phone users simply standing near each other. It's generally believed Cabir was written as a proof-of-concept worm designed to demonstrate that wireless transmission is possible. "This was a scary one," says Mikko Hypponen, global director of antivirus research for F-Secure.

Neither Cabir nor Skulls appears to have spread widely, but the growing sophistication of hackers and the rising use of smart phones could present a very different landscape in the near future. "Sometime around 2006, a worm like a Slammer or a Blaster is likely to hit cell phones," predicts John Pescatore, a security analyst with research firm Gartner, referring to worms that have caused widespread damage on business computing networks. "And 2005 is the year to architect what you're going to do about the problem."

More than 2 million smart phones were shipped in the first half of this year, Gartner says, and it predicts smart-phone shipments will outnumber conventional PDAs by year's end. Analysts expect companies increasingly to integrate smart-phone access into their databases and customer-relationship-management, supply-chain, and custom applications. At Advo, most employees use cell phones only to make calls and maybe do E-mail, but the company is evaluating ways to tie smart phones or other handhelds into networked business applications. "This is where you have to be really cautious," McMurray says.

While no cell-phone virus attacks have come close to the epidemics all too familiar on the Internet, security companies report anecdotal evidence of hackers increasingly turning their mischief to mobile devices. "We've seen attacks in Asia where malformed URLs were sent and crashed the mobile-phone devices. We've seen attacks in Japan that caused cell phones to dial out to emergency numbers like America's 911," says Vincent Weafer, senior director of Symantec's security response team. The Cabir worm has shown up in Canada, China, Finland, and Singapore, traveling along with cell-phone-carrying airline passengers, he adds.

Security pros have seen enough to take such emerging threats seriously. "When an executive has a PDA or a smart phone with contact information and business documents, my main concern is keeping the information stored on the device secure," says Adam Hansen, manager of information security for law firm Sonnenschein Nath & Rosenthal LLP. Still, while virus attacks on cell phones are a concern, Hansen worries more about the 700-plus portable devices containing sensitive information used throughout the firm, including Pocket PC Phone Editions, BlackBerrys, and iPaqs. "All of the sexy and glitzy stuff is still less common than traditional thievery," he says.

That's why Sonnenschein set up a centralized, 24-hour hot line so any employee who loses a mobile device can have it instantly deactivated. And Hansen is working with security companies to acquire additional protection. "We're looking at ways to encrypt all of the storage on the device," he says. "We're keeping a close eye on mobile security. There are even more phones coming out that can handle Word and Excel documents. It's all converging quickly."

Expect mobile security to move up the priority list at many companies in the months ahead. Until mature security tools become widely deployed on these devices, many businesses will rely on existing business-technology security infrastructures to make sure nothing wicked—whether Skulls, Cabir, or something new—slips onto their network. "We're making sure all of our defenses are beefed up—your standard antivirus and intrusion-management portfolio—so that they're as good as they can be in case these devices let something in," McMurray says.

Experience shows that as soon as people get a taste of what the latest smart phones can do, security concerns won't be enough of a reason to slow their spread. Says McMurray, "Once you roll technology like smart phones out into your environment, you can't pull it back."