Bugwatch: Mobiles catch the security bug

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Sal Viveros, wireless security evangelist at McAfee, argues the case for antivirus protection for mobile devices in the wake of the first wireless worm.

Last month's Cabir worm, the first aimed specifically at mobile phones, was a significant milestone in the evolution of the computer virus.

Although it was essentially harmless, Cabir was a warning to handset manufacturers and service providers that mobile devices and networks could be at risk from a new generation of mobile viruses.

It is clear that mobile devices are the next obvious target for virus writers and hackers. And the increasing sophistication of these devices makes them even more vulnerable to attack.

The latest smartphones, which combine PDA and mobile phone functionality, are effectively mobile PCs in disguise, which makes it all the more alarming that they exist without any antivirus protection whatsoever.

There can now be little doubt among the mobile and security industries that mobile viruses are a very real threat, and it cannot be long until we see a mobile virus with malicious intent out in the wild.

Historically, virus writers have been quick to adopt and adapt proof of concept viruses similar to Cabir and put them to much more destructive use.

There is every reason to believe a similar pattern will emerge in the mobile world.

The consequences for mobile phone users might include contacts stolen from address books, spam or offensive text messages, huge phone bills or simply a handset that no longer works.

So where do the mobile operators, service providers and handset manufacturers stand on the threat of mobile viruses?

After all, these are the companies that will have to deal with the fallout when users' phones are infected.

Research conducted by McAfee predicted that malicious code attacks on wireless networks, including mobile phones, could cost European mobile operators as much as $2.2bn per attack by 2005 and affect up to 30 per cent of the mobile population.

It is the responsibility of the mobile industry to acknowledge that a real threat exists and to bundle antivirus solutions with the mobile devices they sell.

At the same time antivirus vendors need to work with the mobile industry to provide the kind of protection users will require, and develop similar relationships to those established in the wired world.

But even with all these elements in place, mobile phone users must still be educated about the threat that exists.

Without demand for protection from consumers, most of the mobile industry will not bother to take a proactive approach to security.

This probably means that until a mobile virus causes significant damage the mobile industry and consumers alike will be content to live in ignorant bliss.