Warning: Your smartphone may be even smarter than you think.
The device may be revealing where you are, where you're headed – and recording every word spoken at your meetings.
A team of researchers at Rutgers University this week revealed that smartphones such as the Blackberry or iPhone are potentially vulnerable to hijacking by software viruses that can turn them into eavesdropping or tracking devices – or allow remote activation of battery-draining applications.
For the study, the team infected a phone with a type of malware called a "rootkit," which attacks a computer's operating system. The program allowed them to send standard text-message commands to the phone, activating functions such as calling another phone to listen in on meetings.
Currently, rootkits can be detected only by a specialized tool known as a virtual machine monitor, which requires more processing and battery power than the phones can support.
Rootkits themselves are nothing new – they've been around infiltrating various kinds of computers for at least 20 years. But today's smartphones are really just mobile computers, some of which run on the same kinds of operating systems as desktops and laptops – and so they are vulnerable to attack.
"The point of this work is not to demonstrate a new kind of rootkit but to show the greater damage they can cause on smart phones," said Liviu Iftode, a Rutgers computer science professor who worked on the study.
Just how vulnerable the phones are is hotly debated – especially because the study authors found no security flaws in any current phone operating systems; they only showed what sort of damage malicious code could do if it wormed its way onto your phone. Some analysts say features such as Bluetooth receivers and text messages make it easy to deliver rootkits to phones. A 2006 University of Toronto study found that wireless worms were easy to spread once a vulnerability was found. "An attacker can bring an infected device into a typical urban mall and discover many potential victims," the researchers wrote.
Others say that the lack of a dominant mobile platform – especially in the U.S. – means the risk of attack isn't immediate. And Graham Cluley, a senior technology consultant at security firm Sophos, blogged that malware is tough to sneak onto a phone – digital thieves would need either physical access, a security vulnerability, or a way to trick you into installing it.
Despite last year's iPhone worm designed to steal information from users of online banking services – and a 2009 security firm study revealing that fewer than a quarter of smart phone users bother with security software – Cluley said he's not losing sleep over the threat of mobile malware.
"If I was [sic] responsible for securing my company's mobile phones I would be much more worried about the real security threat of staff losing their phones in taxis or on the train, rather than the theoretical risk of surveillance rootkits," he wrote.
Said Iftode in a statement: "What we're doing today is raising a warning flag. The next step is to work on defenses."