Grip on Security Weakens

 
 
By Dennis Fisher  |  Posted 2001-02-19
 
 
 

As handheld devices such as PalmPilots and cell phones have become ever more popular, virus writers and other hackers have begun to focus some of their attention on this large and comparatively easy unsecured target.

In the past six months, two Palm OS viruses—one more of an annoyance than anything else—have hit the handheld community. Experts say viruses and hacks written for Palm OS, which is open by design to encourage third-party application development, are just the beginning of security issues facing handheld users.

Once a virus resides on a handheld, the real problems begin. When users sync handhelds with desktops, they can easily transfer a virus or worm into a corporate network, where it can do significant damage.

"Were a long way from seeing the kind of problems on handhelds that we see on desktops, but its coming at some point," said Graham Cluley, senior researcher at anti-virus vendor Sophos plc., in Abingdon, England. "The problem arises when people bring things into the network. Right now, youll have to rely on your desktop anti-virus software to work as a firewall to weed that stuff out."

The problem with this strategy is that existing desktop anti-virus products arent designed to look for or block Palm OS-based viruses or worms. This leaves IT managers with few options when it comes to protecting networks.

But thats beginning to change.

Symantec Corp., the Cupertino, Calif., anti-virus vendor, will introduce next month a new version of its Palm OS-based anti-virus software. Symantecs AntiVirus for Palm OS software will scan all incoming files and applications for viruses and will download updated virus signatures to the handheld each time it is synced with the users desktop. Although there hasnt been a big, defining security event in the wireless world as yet, Symantec officials said they believe that its only a matter of time.

"These devices are built with convenience in mind over security," said Steve Trilling, director of research at the Symantec Antivirus Research Center, in Santa Monica, Calif. "Its not far-fetched to believe that given the low bandwidth available on wireless networks, someone could take down a companys entire wireless infrastructure without much trouble. Viruses are just the beginning."

As with conventional desktop anti-virus software, Palm OS-based applications will suffer from being only as good as their last update. Anti-virus software is reactive, and most of it has no mechanism for recognizing new viruses or worms.

This is a large concern in the Palm community, where much of the software that people download to handhelds is freeware or shareware. There is ample opportunity for hackers to embed a Trojan horse or virus in an application masquerading as a new version of a datebook program or game.

"I can see where this is going to be a looming problem," said Palm user Steve Durst, research engineer at Skaion Corp., in North Chelmsford, Mass. "Whats to prevent someone from beaming you some malicious code or sending an e-mail to your Palm that has some embedded code in it that executes once you sync it up with your PC?"

Security consultants at @stake Inc. said they are getting more and more requests every day for wireless security services.

"Wireless security is going to be critical in the next few years," said Christopher Darby, CEO of @stake, in Cambridge, Mass. "Were not impressed with the state of wireless security in general. These are open systems, and the more open you are, the more risks there are."

Rocket Fuel