March 14, 2010— -- Malicious software for cell phones could pose a greater risk for consumer's personal and financial well-being than computer viruses, say scientists from Rutgers University.
The scientists have made a particularly resilient malware, known as a rootkit, that can turn a cell phone's microphone, GPS and battery against the phone's owner. The researchers say their work highlights the need for greater protection of cell phone software and greater awareness of cell phone vulnerabilities from owners.
"Rootkits have been around for desktop (computers) since the mid-1990s, but now smart phones are becoming just as complex and sophisticated," said Vinod Ganapathy, a computer scientist at Rutgers University. "We are seeing the same trends in terms of malware being extended to smart phones."
Ganapathy, along with Liviu Iftode, also a computer scientist at Rutgers, co-advised the rootkits' developers: Jeffrey Bickford, Ryan O'Hare and Arati Baliga.
A rootkit is different -- and more difficult to detect -- than other malicious software-like viruses. A computer virus is basically a tiny program that runs on a computer's operating system. A rootkit actually replaces part of the operating system.
The Rutgers' scientists developed a rootkit that affects three distinct parts of a smart phone: the microphone, the GPS and the battery. The rootkit wasn't meant to actually infect commercial phones; it was merely meant to show what was possible and encourage research to combat these threats.
Using the rootkit, the Rutgers scientists could turn on the phone's microphone anytime they wanted, eavesdropping on nearby conversations. The rootkit also sent the phone's location, using the GPS system, back to the scientists, allowing them to track the phone and the person using it anywhere. The researchers also used the rootkit to drain the phone's battery by activating power-hungry hardware like the GPS receiver and the Bluetooth.
Unless the phone's owner is paying special attention to their device, the user is unlikely to realize anything was amiss.
As More Use Mobile Phones, Interest in Attacking Devices Will Increase, Researcher Said
Manipulating these three systems alone can cause considerable damage, but this is just the tip of the iceberg, according to Ganapathy and Iftode.
Rootkits could affect other parts of the phone as well, including the camera, the touchscreen and even programs as seemingly sacrosanct as the number pad. When a person goes to dial, say, Bank of America to check their account balance, a hacker could redirect the phone call to another device, said Iftode. By the end of the conversation, the hacker could walk away with a person's bank account number.
It's easy to get carried away with the potential crimes that could happen, which only underscores the need to develop tools to fight off what could be a growing wave of cell phone attacks.
"We believe that as the population of mobile devices increases, there will be an increasing interest in attacking these devices," said Ganapathy.
Not that the rootkit developed by the Rutgers scientists can infect commercial cell phones; it can't. Their rootkit is based on open source software, and the scientists deliberately loaded it onto the test hardware. Additional software would be necessary before the rootkit could be loaded onto an unwitting consumer's phone. Even then, the target phone would have to use open source software, which most cell phones do not have.
That's not to say that consumers shouldn't be worried about rootkits and other forms of malicious cell phone software, said Patrick McDaniel, a computer scientist at Pennsylvania State University. Cell phones will soon be an even bigger target for hackers than computers, with even bigger vulnerabilities to exploit and with even bigger risks for consumers.
A desktop computer stays in one place. Even smaller and lighter laptops aren't carried everywhere. Most smart phones travel with their owners, from the bedroom to the board room, and are rarely more than a few feet away. Cell phones also have features many desktops lack like microphones, cameras, GPS and Bluetooth.
Bluetooth in particular is a feature smart phone owners should be wary of. Walking around with an open Bluetooth connection is "essentially walking around with your wallet open," said McDaniel, who related a story about a friend who had all of this cell phone information stolen through an open Bluetooth connection while waiting for a train in New York City. Thankfully, however, such incidents of cell phone information theft are still relatively rare, even if the problem is growing, said McDaniels.
"This really is a brand new area of research that the computer security community has recently become sensitive to," said McDaniel. "Luckily we have 50 years of computer security experience to draw on."