Security flaw may threaten cell phones

Microsoft and U.K. carrier Orange are investigating whether hackers are sending rogue software to cell phones using the Smartphone 2002 operating system.

Ben Charny Staff Writer, CNET News.com
Ben Charny
covers Net telephony and the cellular industry.
Ben Charny
2 min read
Microsoft and U.K. carrier Orange are investigating whether hackers are sending rogue software to cell phones using Microsoft's Smartphone 2002 operating system.

Instructions about avoiding the security catches inside the smart phone, which Orange sells and calls the SPV, were made public the last few days, Orange spokesman Stuart Jackson said Wednesday. The SPV is the only wireless device on sale that uses Microsoft's operating system for advanced phones.

A source familiar with the situation said most SPV owners won't know whether they have been affected. To launch the rogue programs, an SPV owner will have to know how to "unlock" a cell phone, a difficult process that sometimes involves taking the phone apart. "It's not something that my granny is about to do," said the source who requested anonymity.

Microsoft's Security Response Center, the team that looks into security vulnerabilities affecting the company's products, began "thoroughly investigating the issue" on Tuesday, according to a Microsoft representative. The investigation is ongoing.

"At this point, we feel speculating on the issue while the investigation is in progress will be irresponsible and counterproductive," the representative said.

Orange is joining the investigation, Jackson said. But so far, there have been no reports of damaged phones.

"Orange takes these reports very seriously," he said. "Orange and Microsoft are working together to investigate this issue. Until the outcome of that investigation is known, we are not in a position to comment any further."

The possibility of rogue software flooding through cell phone networks is among the worst fears that carriers have, said Alan Reiter, an analyst with consulting company Wireless Internet & Mobile Computing. Cell phone networks became vulnerable to such attacks when carriers began selling phones that can download software and games, ring tones and business tools became available for download, he said.

"Carriers will have to offer as many different applications from as many different vendors and make downloading as easy as possible," Reiter said. "But the easier it is to transmit and receive data, the more likely it is to get a virus or some rogue code."

To his knowledge, however, no one has accomplished on cell phones anything that even compares to the virus attacks that often cripple computer networks. "Obviously, the carriers can't stand this happening," Reiter said. But it's only a matter of time, he added.