In Part 1 of this series, we introduced the network and application capabilities associated with mobile devices running Windows Mobile, Symbian, Palm, and BlackBerry.
Here in Part 2, we explore mobile security threats and built-in defenses.
Mobile security threats
Mobile devices, whether used for business or pleasure, require security measures to neutralize inherent threats. Many of these threats are also faced by internet-connected laptops, but aggravated by mobile device size, capabilities, default security posture, and user behavior.
For example, data losses due to laptop theft have been making big news recentlysee these AIG, Fidelity, and VA headlines. Many employers are obligated by law or industry regulation to deter data loss and/or notify customers impacted by data loss. Individuals who lose their laptops feel the sting of compromised logins and credit card numbers through identity theft.
Like laptops, mobile devices can carry gigabytes of data. But mobile devices are even easier to lose. A Pointsec study reported tens of thousands of mobile devices lost in taxis over a six month period, including 40 PDAs found by just one Chicago cabbie! According to Pepperdine, 1 in 4 users have experienced PDA loss or theft, while 4 out of 5 PDAs contain data that users deemed valuable.
Most laptops are (at least to some degree) protected against network-borne attacks, including port scans, viruses, trojans, and the ever-increasing tide of spyware. But very few mobile devices can detect or block these kinds of attacks.
Intruders like to prey upon populous-but-weak victims, and mobile devices are ripe for the picking. A stream of new mobile malware and wireless attacks have emerged over the past two years. For example, the Doomboot trojan corrupts Symbian devices, while the Commwarrior worm spreads this malware to others over Bluetooth or Multimedia Messaging Service (MMS).
Many smartphones can be Bluebuggedexploited by commands, received over Bluetooth, that place calls, send messages, or retrieve data. For more examples, see this list of mobile viruses and this database of wireless vulnerabilities and exploits.
Wireless connections themselves pose many threats, from eavesdropping on unencrypted data over Wi-Fi or Bluetooth and service theft caused by cracked credentials, to using wireless as a vector to penetrate upstream networks and systems. Many users do not even realize that Bluetooth and MMS are enabled on their smartphones. Some companies mandate Wi-Fi security on laptops, but entirely ignore PDA Wi-Fi. Most do not realize that a PDA with active wireless cradled to a PC can create a back door onto the company LAN. Mobile devices are not uniquely affected by wireless threats; they are just more likely to have multiple active interfaces and far less likely to be secured.
Whether these threats pose significant risk depends on how a mobile device is used. Older devices presented less risk because they held little data and had limited communication capabilities. Today's PDAs and smartphones pose more risk because they store and access more sensitive data and services. However, many companies cannot even assess their risk exposure because they do not know if or how employees use mobile devices for business. This "blind spot" is itself a business threat.