The Best of Business Week Online: Computer Security
Is That a Virus in Your Hand?
The Liberty Crack bug that hit Palm Pilots gives a hint of how vulnerable the wireless Net is to vandals
Sometime during the last week of August, a software program called Liberty Crack hit the Internet Relay Chat, a corner of the Internet chat system that serves as a watering hole for some of the savviest Web users. The program was designed to look like one of the thousands of so-called crack programs that provide free and illegal access to myriad software packages. Liberty Crack seemed to promise to let users crack the nifty Liberty console, which lets users play Nintendo Game Boy programs on personal digital assistants and the smallest notebook computers.
Instead, downloaders of Liberty Crack got a nasty surprise. Rather than save the $16.95 price of the legitimate program, they caught a bug that erased data and applications on their Palm OS personal digital assistants (PDAs). The outbreak rocked the close-knit Palm operating world, which had suffered no serious attacks by viruses or other software pathogens creeping through the Net. The episode has turned into a troubling glimpse at the future of viruses on handheld devices. And it serves stark notice of the problems waiting in a wired future where handhelds will vastly outnumber desktop PCs and play an essential--sometimes life-or-death--role in the lives of billions.
The Liberty attack differs in some respects from the recent Love Bug epidemic, which targeted everyone who uses a PC. Liberty was designed just to retaliate against "crackers" looking to steal software. In fact, the virus was created by Swedish software designer Aaron Ardiri, who helped write the original Liberty console package for Palm. He says he scripted the virus as part of his anti-cracking research, but computer experts say it can set a risky precedent. Assaults on mobile devices are appearing elsewhere. Take the Aug. 8 attack on NTT DoCoMo's wildly popular i-mode cell-phone system in Japan, which delivers Internet access. The attack came in the guise of a game quiz coded for i-mode phones. But when the quiz takers answered in the affirmative to one of the questions, their phones automatically called 110, Japan's equivalent of 911. Although no one was injured by the prank, Japanese police reported that hundreds of calls flooded their switchboards. If more people had taken the quiz, the bug might have swamped Japan's emergency-response services. Earlier this year, a virus called Timofonica affected cell-phone subscribers of Spanish phone company Telefonica, bombarding them with bogus messages from users of Microsoft Outlook Express e-mail.
The spread of virus-like attacks into the wireless realm is the dark side of the inexorable growth of networks. As the Web expands its wireless reach, "each node on the network not only increases value and utility but also exponentially increases vulnerability," says Srivats Sampath, president and CEO of online antivirus company MacAfee.com. These days, the number of nodes is skyrocketing. By 2005, according to the Telecommunications Industry Assn., there'll be 1.26 billion wireless-phone users around the world, a fair share of them connected to the Internet. This compares favorably with estimates that fewer than 500 million desktop PCs will be logging on to the Internet at that time.NASTY GAG. Meanwhile, the PDA market continues to mushroom. Palm expects sales of its handhelds to double this year. By the end of June, Palm sales had matched the 1999 full-year total of 1.3 million devices, according to a survey by market researchers NPD Intelect. Increasingly, PDAs and wireless phones can connect to the Internet. In Japan, 12.7 million of 60.2 million cell-phone subscribers had logged on to the Net at least once this year as of July, according to the Telecommunications Carriers Assn.
And the growing computing power of these phones and PDAs is fertile breeding ground for nastier viruses. Compaq Computer Corp.'s red-hot iPaq handheld device boasts 32 megabytes of RAM, as much as some lower-tier desktop computers. As the operating systems for wireless handhelds expand their capabilities, "I believe that we will see an increase in threats against these platforms," says Ron Moritz, chief technology officer at Symantec Corp., maker of the popular Norton AntiVirus program. Unlike the Love Bug, the simple Liberty Crack and other wireless viruses that have appeared so far can't self-replicate or transmit themselves from one wireless device to another. But that could change, as computing power in the devices expands and as sophisticated communications capabilities are added.
One factor discouraging mobile viruses right now is the variety of operating systems--such as Windows CE, various flavors of Linux, and Palm OS--that make up the landscape. Viruses thrive in monocultures such as Microsoft Corp.'s world. In handheld devices, the number of viruses found so far remains in single digits, while tens of thousands of PC viruses have appeared.
But the spread of universal languages such as XML and HTML, designed to work across all software platforms and devices, means that viruses, too, could be scripted in the future to affect multiple types of handhelds. While antivirus companies have rolled out protective software for PDAs, consumer awareness of the threat remains scant. And many of the new wireless services have subpar security measures, according to Symantec's Moritz. "We have a group of people rushing forward to deliver new services on new platforms without stopping to think about the security implications," he says.
Such concerns could grow as wireless devices gain a larger role in providing emergency services. After all, people don't perish just because their PCs freeze up or crash. But an infected cell phone or a switchboard jammed with fake 911 calls raises an ugly specter. The new threats should be uppermost in the thinking of companies furiously pushing the wireless Web as the ultimate network.By Alex Salkever