As smartphones become more powerful, they become susceptible to even more sophisticated attacks from hackers. Researchers at Rutgers University in New Jersey recently used a special kind of malicious software, or "malware," called a rootkit to demonstrate just how vulnerable smartphones are.
Rootkits are not a new phenomenon. They have been used for two decades to infiltrate various kinds of computers.
"The point of this work is not to demonstrate a new kind of rootkit but to show the greater damage they can cause on smart phones," study team member Liviu Iftode, professor of computer science at Rutgers, told TechNewsDaily.
Today's smartphones are really just mobile computers. Many of them run the same class of operating systems as desktop and laptop computers, and as a result are just as vulnerable to malware attacks, the researchers say.
In fact, they add, vulnerabilities in smartphones are even more dangerous because people carry them around at all times, making it easier for attackers to eavesdrop, track locations or even collect personal information. Also, features such as Bluetooth receivers and text messaging make it easier to deliver rootkits to phones.
Iftode and his colleagues recently demonstrated different kinds of rootkit attacks. For instance, the microphone on a smartphone can be turned on remotely using rootkits, allowing someone to listen in on anything going on around the owner.
Another attack uses a common smartphone feature: GPS receivers. A simple text message allowed researchers to track the location and activity of the owner.
"I can listen to all of your corporate meetings where trade secrets are released. I know where you are all the time," said study team member Jeffrey Bickford, also at Rutgers. "In the future, when smartphones are ubiquitous and everyone has them, they can be particularly dangerous."
Finally, the team used another exploit to turn on all power-hungry applications and features in order to run down the battery quickly, leaving the phone inoperable.
Malware defenses needed
The researchers say their intent is not to just scare people, but to inspire action. "What we’re doing today is raising a warning flag," Iftode said. "We’re showing that people with general computer proficiency can create rootkit malware for smart phones. The next step is to work on defenses."
The team used an open-source smartphone called the Openmoko FreeRunner running Linux software, but they emphasized that with enough time and effort, any smartphone operating system can be attacked with malware.
The Rutgers team plans to use their results to inspire developers to create new ways to detect and prevent rootkit attacks on smartphones because none exist right now.
"It turns out that solutions that can be used to detect rootkits on a traditional desktop [computer] environment are either not directly applicable or require modifications to make them applicable to smart phones," said Vinod Ganapathy, assistant professor of computer science at Rutgers.
The team will present their findings at the International Workshop on Mobile Computing Systems and Applications (HotMobile 2010) this week in Annapolis, Maryland.