WAPjacking And The End Of Innocence

Here’s a new kind of cellphone scam (via Mike Masnick of Techdirt, writing in TheFeature): WAPjacking (well that’s what he calls it, and I like it):

Taking a page from the still popular redialer scam on PCs – where a secretive trojan tries to disconnect your modem (assuming you’re using dialup) and reconnect you secretly to a premium rate phone number in some distant country – the WAPjacking scam basically does the same thing. It involves an SMS message that overwrites the WAP settings on your phone, replaces the standard WAP home page with something else – and then switches the call to a premium rate number.

The original article on NewMediaAge in the UK says “the issue is considered so severe that operators have raised the prospect of banning all third party binary, or data, SMS messages, which would kill the content industry”. The article points to these dialers making calls to 0700 numbers, which in the UK are about 40p ($1 or thereabouts) a minute. But I imagine the real threat would only occur if the numbers being dialled were offshore, otherwise these kinds of locally-based scams could be shut down quite quickly.

In his article Mike compares the scam to Bluejacking and Bluesnarfing, which, he says “both seemed to be hyped well beyond any real threat”. While I’d agree there’s been some overkill in the British press, I don’t agree that neither represents “any real threat”. The point is always about stealing data and compromising communications, something the two processes do quite well. It’s not up to us to decide whether this represents a threat: If someone stands to lose valuable, sensitive or private data this way, it’s a threat for them.

Similarly, I wouldn’t put WAPjacking in the same category, at least for now. Diverting someone’s phone so the user loses money is not the same thing as losing the combination to your office safe, or a competitor grabbing all your contacts. But I think what all these cases have in common is that we’re just beginning to understand the vulnerability of holding in our hand an object that contains so much information, an object that can be hijacked to connect with anyone or anything without our knowledge. As Mike puts it: “It’s safe to assume that the wireless data industry has lost its innocence.”


All opinions are my own, and not necessarily those of Thomson Reuters.


