Don't Touch that Dial

by Nikola Strahija on October 30th, 2002

Mobile phones packing Java virtual machines are gaining in popularity, and are headed for American shores. Will they be the next arena for malicious hacking?


Java phones are coming to the U.S., bringing with them a second chance for
mobile applications, and, experts caution, a new platform for malicious
code.

"It's going to be an issue," says Tony Davis, acting CEO of Tira Wireless, a
Toronto startup that certifies and publishes J2ME (Java 2 MicroEdition)
applications. Davis already uses a Trojan horse program when he makes sales
calls. "When I meet with European carriers, I pull up a phone and show them
a car racing game that's actually not just that, it's sending a huge amount
of traffic back and forth," Davis says. "I tell them, your customer is going
to get a bill for 500 pounds at the end of the month, and who are they going
to come after? You."

Davis didn't get his racing game in the wild. He uses it to make his point
that carriers should offer certified applications. At the same time, "it's
very, very simple and easy to do."

Malicious code can be used to cause cell phones to freeze up, or to connect
to Web sites. Data interception is also possible, and theoretically a virus
or worm could attack a device, though replicating itself seems unlikely.

Java phones have been in European and Asian markets for some time, and are
gaining popularity -- largely because of their ability to play interactive
video games downloaded from the Internet.

Davis notes that the world's biggest handset maker, Nokia, expects seven in
ten of its phones to ship with J2ME by the end of the first quarter of 2003.
The first Java phones are now shipping in the U.S., in handsets used by
Nextel, Sprint and others.

On a one-to-five scale, where five means no problem, "right now, the issue
is a four," says Andy Seybold, president of Outlook4mobility. Seybold thinks
it won't get much worse, because Sun Microsystems has told him it plans to
step in and build certification services and other elements around J2ME,
much like what Qualcomm has done with its BREW (Binary Run-Time Environment
for Wireless). But he does note that if Sun moves too slowly, the security
issues won't be just a game.

Seybold says the longer term issue will come as Java transforms phones into
data devices, even in the U.S.

"You're going to see lots of them, and you're going to have lots of Java
applets."

The J2ME platform itself is fairly secure -- for instance, code runs in a
virtual "sandbox" that prevents it from accessing other data stored on the
phone. It also runs most applications locally, limiting data transfer. But
if the technology sees Java applets take off in the way other wireless data
applications have not, there are potential issues.

Multicasting applications require better security provisioning in general,
and some parts of J2ME, such as the Mobile Information Device Profile, or
MIDP, can't use certain security features of standard Java, largely because
of limited memory. Companies also might build proprietary extensions to
J2ME, which may offer potential for virus writers or other malicious
hackers. Seybold expects that someone will write an effective virus for Java
phones, over time. But for right now, the signal is clear.

By Michael Fitzgerald

- article available at http://online.securityfocus.com/ -

