Mobile viruses, meet the MAAWG

As recently as this spring, the idea of a virus that infects mobile phones was a scary bedtime story for the wireless industry, viewed in a similar vein as the threat of global warming: important but not imminent. All that changed in June when the world got a glimpse of the first mobile phone virus, Cabir. Since then, the industry has been scrambling to prepare itself for Cabir's offspring, hoping to divine the best defense strategies before the scary bedtime story becomes reality.

Cabir uses Symbian Series 60 phones to replicate itself, sending a clone to the first Bluetooth-enabled device it can find in the area (even a printer) when a user OKs two installation prompts. It was launched as a “proof of concept” by a member of 29A Labs, a group of Eastern European hackers who develop innocuous viruses with the benevolent aim of exposing security weaknesses. Their incentive to create Cabir was likely the notoriety of boasting the world's first mobile phone virus. (Security nerds call Cabir a worm, not a virus, because it does not attach itself to a host program. Even bigger security nerds point out Cabir is not a worm because it cannot propagate itself; it relies on the user to do so by actively installing it. Symbian refers to it as malware.)

Cabir had no real payload — no harmful effect other than the word “Caribe” displayed on infected devices — and it was sent directly to security experts rather than the general population, but it proved its concept as planned and sparked a wave of fear that a less scrupulous group of hackers would build on Cabir's design to unleash something far more sinister. It was a mid-summer wake-up call to the mobile phone industry, said Richard Wong, general manager of messaging and anti-abuse at software vendor Openwave Systems.

“[Before Cabir] the mentality of most operators was, ‘Yeah, [viruses] will be a problem someday, and we've got to stay on top of it, but it's not my biggest problem today,’” Wong said in July. “But in the last 60 days, mobile operators have become very aggressive, saying, ‘We absolutely need to find a proactive solution now.’ It's become a major issue.”

Carriers have good cause to be concerned about the next virus, said John Summers, global director of managed security services for Unisys. “I wouldn't be surprised if we saw some denial-of-service (DOS) attacks on phones in the near term,” he said. “It will be short-term painful. But most phones can be reprogrammed over the air.”

Summers believes handset manufacturers will guard against DOS attacks by moving the phone's critical functions into a separate, protected memory slot in the phone. But Wong isn't as optimistic about handset-based defenses, and he is even less optimistic about the potential effects of a true mobile virus outbreak, a scenario Summers describes as a looming “trial-and-error period.” It's not unheard of for a viral outbreak in the personal computer world to affect 30% to 40% of computers and to disable 30% to 40% of the PCs it affects, Wong said. A mobile phone virus with comparable penetration could conceivably disable 20 million of the nation's 100 million mobile phones. If each phone costs $100 to fix (factoring in call-center time), Wong said, “That's a $2 billion problem right there.”

Symbian, for its part, is developing an initiative to digitally certify safe software applications from known developers to discourage those apps of unknown origin that could be carrying the next Cabir.

Wong's plans are more ambitious. In January, he helped launch the Messaging Anti-Abuse Working Group, also known as the MAAWG, a consortium of wireless and wireline carriers and Internet service providers united to adopt common, consistent methods of defending against viruses, spam and similar threats. (Wong refers to it as “the MAAWG,” not just “MAAWG,” which somehow makes it sound more formidable.) Especially mindful of the vulnerable points at the intersection of networks — where wireline and wireless networks converge, as well as the handoff points between mobile carrier networks — the group hopes to help the industry manage those handoffs securely.

First, the MAAWG discourages operators from designing security defenses specific to particular media or applications (messaging or e-mail, Bluetooth or DSL). Instead, carriers should guard all those media without favoritism from inside a perimeter at the edge of the network. So-called “choke-point” gateways at the edge of the network are the best place to fight abuse, Wong said.

“We use the metaphor of a soccer game,” said Wong, the MAAWG's chairman. “If you wait for the goalie to reject all the shots, you've lost the game for sure. If you let the defense be the phone, you've lost for sure. You have to have network-based controls.”

Wong's argument feeds a long-running debate about exactly what role carriers and service providers should have in the fight against viruses and spam. There are steps users can take to defend themselves, of course (Cabir, for example, is harmless without the help of end users to activate it), and carriers can do their best to educate users about how to protect themselves from abuse. But users can't be relied upon to present a consistent, united front against viruses.

Still, network-based defenses could raise thorny legal issues for mobile operators, according to Summers. Once carriers take responsibility for the content of the data passing through their networks, he said, they may be held liable for other types of harmful content, such as pornography, which opens a whole new can of worms, so to speak, for carriers.

“Carriers don't like legal liability,” Summers said. “They've been sued by firms trying to get them for kiddy porn distribution. So the carriers say, ‘We're not responsible for the data on our network.’”

That's why carriers are more likely to rely on third parties to offer security, a notion not necessarily in contradiction with the MAAWG's philosophies.

One of MAAWG's biggest challenges may be consensus. Wireline and wireless carriers and ISPs — not to mention competitors within each group — all have to agree to the same methods for combating viruses.

“If you have really good security at La Guardia [airport] but bad security at JFK, it doesn't solve the security problem for the airline industry,” Wong said.

To that end, among the MAAWG's first initiatives is a code of conduct meant to serve as a consistent set of rules for service providers to follow, to prevent not only attacks but also disputes among carriers who may find themselves receiving hazardous content from their peers. For example, if Cingular Wireless notices a surge in spam or otherwise suspect traffic from, say, Sprint PCS (rising above a level specified by the code), Cingular could block incoming messages from Sprint PCS until the latter has remedied the problem through a series of actions enumerated by the code, such as the publishing of SPF (“sender permitted from”) records, which identify friendly traffic. The code will be unveiled in full at a MAAWG meeting in Atlanta on Aug. 31.

Concurrently the MAAWG is developing a set of “best-practices” recommendations, urging carriers toward a mix of proactive and reactive defenses, including scanning gateways and virtual databases that share information about spammers and virus-senders among service providers the way Interpol shares information about criminals. But as it relies on a plurality of members, the MAAWG must be careful to stay vendor-neutral in its recommendations, Wong said.

“There's been a big debate in industry about squawk box protocols” such as SPF, Wong said, to illustrate an example. “We've been very careful not to pick one, per se, because even the protocols have some vendor bias to them.”

Though the MAAWG's 20-long list of members includes some big names, such as Cox Communications, Bell Canada and Adelphia, BellSouth is the only Baby Bell member so far, and Verizon Wireless is the only major American mobile operator. “Stay tuned on that in the coming few months,” Wong said, noting that representatives from several mobile operators have participated in MAAWG conference discussions.

The MAAWG is not the only group trying to get carriers and vendors working together to fend off spam and worms. (The U.S. Internet Service Provider Association, the Institute for Spam and Internet Public Policy and the Coalition Against Unsolicited Commercial E-mail are fighting for the same cause.) And even if they are successful, Wong admits, some viruses will still get through.

“The good news is that it's very early days in mobile abuse,” Wong said. “You just have to wake up to the threat. If wireline had woken up to this problem just five or six years ago, we could have stopped it. Now it's sort of inside the matrix.”

© 2009 Penton Media Inc.
