Rupert Goodwins: Mobile phone viruses are coming

There's no question of whether a mobile phone virus will appear - the question is when

For any hacker intending to write the first mobile phone virus, there are many obstacles to overcome. The modern GSM cellphone is a smart terminal on a complicated network with lots of security features, but at heart it is a computer that can download and run software -- get viral code in there, and you've cracked it.

The key to GSM viruses is the SMS or Short Message Service. This is the mechanism most users know as text messaging -- a way of passing notes of up to 160 bytes or so to be displayed on a friend's phone -- but is also used by network operators to send applications, security updates and other information to the SIM or Subscriber Identity Module. The SIM holds the phone's number and ancillary information, but it also contains a processor and memory. A standard, called the SIM Toolkit, defines how applications can be written for transferral to the phone and such applications have full access to dialling functions and phone book entries: all you need to write a self-replicating virus.

However, it's not just a matter of writing a virus to the toolkit specifications and sending it to a random phone via SMS. There are various layers of security to prevent this -- your phone will only be able to generate ordinary text SMSs, the network will be set up not to forward other kinds originating from phones, and there are encryption, digital signature and other checks built into the GSM standard that defines how a phone should verify and react to an SMS that comes bearing application data. If all this works perfectly, it will be practically impossible to create and distribute a mobile phone virus.

But the real world is rarely perfect. Many of the security and protection mechanisms depend on the inviolability of the SIM card, and SIM cards can and have been tampered with. The network is also accessible via Internet to SMS gateways: although these are ostensibly set up with the same limitations as phone-originated SMS messages, they are a point of vulnerability. It's not known how secure these systems actually are: although the design as specified in the GSM system specifications looks safe, implementation errors aren't unknown. There is no current approval process for phone security, unlike the various classifications available for servers and other computing devices.

This situation will get worse. As phones get more intelligent and programmable, the potential to write viruses that bypass the SIM security altogether becomes greater. Imagine a phone that happens to run a full-featured Exchange client with scripting facility: that would be just as vulnerable to the Love Bug as were PCs. Phones are acquiring Java, EPOC, Linux and other very flexible and capable operating systems, and complex applications that run alongside. Without any official security testing to ensure the quality of phone software design and implementation, there's no question of whether a mobile phone virus will appear. The question is when.

For full coverage, see the Mobile Phone Virus Roundup