I was attacked at an airport in Europe. It happened a few years ago while I was minding my own business near a departure gate.
The attack was targeted at my smart phone, so I wasn't physically harmed. And, fortunately, my phone wasn't harmed either. The attack was an attempted Bluejacking, a technique in which nearby users try to push through malicious data via Bluetooth. A similar type of attack is called Bluesnarfing, which aims at copying the contents of your device.
In my case, I escaped harm because I rejected the persistent connection attempts. But these types of attacks on mobile phones, as well as many other threats, are becoming increasingly common in Europe and Asia and are coming to North America, experts warn. So beware.
Experts describe the threats
Bill Hughes, a principal analyst at US-based In-Stat, which recently published a report about wireless security issues, noted that wireless attacks against mobile devices are inevitable.
"The wireless environment is no more or less secure than the wire-line environment," said Hughes. He noted that there is a high level of misunderstanding about mobile security risks, including where the threats are coming from. For example, he said that 60 percent of mobile phone users still believe voice calls are insecure even though current digital networks are inherently safer than old analog networks.
Many users, however, are correctly concerned about how attacks on mobile devices can hurt them. The In-Stat report pointed out that 69 percent of wireless users are concerned about identity theft and that 60 percent of users fear that their contact information could be stolen.
Antti Vihavainen, F-Secure's vice president for mobile security, said that most mobile malware is distributed via Bluetooth or in MMS (Multimedia Messaging Service) messages. So far, his lab has identified 360 samples of harmful mobile software or content, most of them Trojan horses or worm programs. He estimated that they have infected up to 100,000 devices in Europe and about as many units in Asia, but a considerably lower number of devices has been compromised in North America.
Security experts from F-Secure, Symantec and Trend Micro agreed that the worst-case scenario for individual users is to install a piece of malware that keeps sending premium-priced text messages, often without intervention. This can generate a small monthly charge that is easily hidden on your phone bill.
For enterprises, the worst situation is to lose a device that's configured for intranet access and that may hold business-sensitive data. Perhaps one reason that this hasn't happened widely is that, so far, many devices used by corporations are running on a different software platform than their PCs use.
Specifically, Todd Thiemann, director of device security marketing at Trend Micro, said that there are approximately 127 malware programs in the wild targeted at Symbian OS smart phones, while only 12 have been identified for Windows Mobile devices, which are commonly used in North America.
Caution is advised
The attempted Bluejacking I described above isn't the only attack I suffered. Earlier this year, I received a text message from someone I didn't know, and she was kind enough to send me a free ringtone. To get it, I just had to click a link included in the message.
Fortunately, I was suspicious and decided to explore where the link led before opening the Web page in my phone's browser. The originating phone number was hidden, but the domain name in the link was registered in Germany. Yet, I don't have a German phone number, and the message wasn't written in German.
When I researched this matter further, security vendor F-Secure's blog confirmed that the free ringtone message was a scam. Had I clicked the link and downloaded the free ringtone, I would have unknowingly subscribed to a dubious service and would have added a small fee to my phone service.
Fortunately, there are ways to avoid these threats. One boon - so far - for both business and individual users in the US is that mobile carriers are trying to help, according to Mats Aronsson, a senior business development manager at Symantec. He said many carriers look for and filter malware, "even if they are not legally responsible for it. The user experience of a problem-free device is their livelihood."
F-Secure's Vihavainen agrees that carriers have a high stake in mobile security and that they should act accordingly.
"The US operators seem to be driven by the possibility that malware could block subscribers from critical services such as the emergency service numbers," Vihavainen said.
Symantec's Aronsson offers this advice: "Disable all unnecessary services such as Bluetooth and Wi-Fi when you are not using them. Don't install unknown programs from unknown sources. Don't let the device communicate without your permission. Use mobile antivirus software, and update it continuously."
A more basic precaution, In-Stat's Hughes said, is to hang on to your mobile device. The best protection is not to lose the device and to use a password or personal identification number that automatically locks the device.
Also, be sure which applications you install and where they come from. If you get a text or multimedia message or a download link that you didn't request, be careful. If you are unsure, don't click the link, and above all, don't install anything that you don't intend to.
The good news is that the developers of mobile operating systems have learned some lessons from PC security problems. For instance, Windows Mobile will refuse to install applications received as e-mail attachments. The Symbian OS tries to prevent malware with numerous, persistent confirmation prompts when installing a new application on a smart phone.
Users of BlackBerry and Linux devices should keep in mind that even though their devices haven't been the primary targets for viruses and worms, Web links included in text messages or attacks via Bluetooth or Wi-Fi pose a risk for them as well.
Still, while wireless communications may be slowly but surely becoming more prone to security vulnerabilities, it remains safe to receive text messages, browse the Web and install new applications on your phone. Just make sure you know what you are doing.
A consulting and marketing career of more than 20 years has taken Ari Hakkarainen across the world in high-tech business. In addition to having authored a book about smart phones, he is the mobile expert at Avec Mobile.