A growing number of PDAs and smartphones are being used for business, but most lack the basic security measures currently used to protect mobile worker laptops. ISPs may be able to capitalize on this opportunity to re-sell and deploy mobile security products to individual subscribers, SMBs, and enterprise customers.
In Part 1 of this series, we introduced the network and application capabilities associated with mobile devices running Windows Mobile, Symbian, Palm, and BlackBerry.
Here in Part 2, we explore mobile security threats and built-in defenses.
Mobile security threats
Mobile devices, whether used for business or pleasure, require security measures to neutralize inherent threats. Many of these threats are also faced by internet-connected laptops, but are aggravated by mobile device size, capabilities, default security posture, and user behavior.
For example, data losses due to laptop theft have been making big news recently—see these AIG, Fidelity, and VA headlines. Many employers are obligated by law or industry regulation to deter data loss and/or notify customers impacted by data loss. Individuals who lose their laptops feel the sting of compromised logins and credit card numbers through identity theft.
Like laptops, mobile devices can carry gigabytes of data. But mobile devices are even easier to lose. A Pointsec study reported tens of thousands of mobile devices lost in taxis over a six month period, including 40 PDAs found by just one Chicago cabbie! According to Pepperdine, 1 in 4 users have experienced PDA loss or theft, while 4 out of 5 PDAs contain data that users deemed valuable.
Most laptops are (at least to some degree) protected against network-borne attacks, including port scans, viruses, trojans, and the ever-increasing tide of spyware. But very few mobile devices can detect or block these kinds of attacks.
Intruders like to prey upon populous-but-weak victims, and mobile devices are ripe for the picking. A stream of new mobile malware and wireless attacks has emerged over the past two years. For example, the Doomboot trojan corrupts Symbian devices, while the Commwarrior worm spreads this malware to others over Bluetooth or Multimedia Messaging Service (MMS).
Many smartphones can be Bluebugged—exploited by commands, received over Bluetooth, that place calls, send messages, or retrieve data. For more examples, see this list of mobile viruses and this database of wireless vulnerabilities and exploits.
Wireless connections themselves pose many threats, from eavesdropping on unencrypted data over Wi-Fi or Bluetooth and service theft caused by cracked credentials, to using wireless as a vector to penetrate upstream networks and systems. Many users do not even realize that Bluetooth and MMS are enabled on their smartphones. Some companies mandate Wi-Fi security on laptops, but entirely ignore PDA Wi-Fi. Most do not realize that a PDA with active wireless cradled to a PC can create a back door onto the company LAN. Mobile devices are not uniquely affected by wireless threats; they are just more likely to have multiple active interfaces and far less likely to be secured.
Whether these threats pose significant risk depends on how a mobile device is used. Older devices presented less risk because they held little data and had limited communication capabilities. Today’s PDAs and smartphones pose more risk because they store and access more sensitive data and services. However, many companies cannot even assess their risk exposure because they do not know if or how employees use mobile devices for business. This “blind spot” is itself a business threat.
Early mobile devices were largely devoid of security measures. Most had optional PINs, but few users could be bothered to enable them. Beyond that, mobile security largely meant adding third-party solutions. Furthermore, due to their limited resources and lightweight operating systems, mobile devices were easily compromised. While attacks were relatively rare, those that existed (e.g., PalmOS/Phage) had little trouble crashing PDAs, overwriting system files, and programmatically invoking hard resets.
Fortunately, mobile operating systems have made significant security improvements in recent years. Security protocols and capabilities are being added to each new OS release, improving default posture and creating a more robust foundation for security add-ons.
Access Controls are the first line of defense against lost or stolen mobile device compromise. Many power-on locks have been augmented to deter PIN-guessing and encourage use. For example, BlackBerry protection levels can enforce minimum password lengths. Windows Mobile can render a stolen device useless without the user’s SmartCard. BlackBerries and Symbian phones can be remotely locked with special messages (i.e., “kill pills”). Palm 6 beefed up its authentication manager to support third-party fingerprint readers that speed unlocking by authorized users.
Stored Data Encryption can stop private data from being lifted from an unlocked mobile device—including those that are resold without being wiped clean. Today, all major mobile operating systems include crypto services for use by programs that need to encrypt data. RC4, DES, and 3DES cipher support are common; only Palm lacks built-in AES. Devices can use these crypto services to protect sensitive system files, but (except for BlackBerry) third-party programs are still needed to encrypt user data.
Backup/Restore capabilities are important to speed recovery after device loss or failure. Centralized backup for BlackBerries is provided through BES. Most other PDAs can be backed up to a desktop with supplied programs like Microsoft ActiveSync, Symbian Sync ML, or Palm HotSync. Enabling synchronization over wireless is making mobile data backup more convenient, but all sync interfaces (whether local or remote) must be secured to stop intruders from exploiting them.
Secure Protocols authenticate communication partners and deter eavesdropping. All major mobile OSs now support web browsing over SSL. Secure browsing through a carrier’s Wireless Application Protocol (WAP) Gateway is also relatively common. Symbian and Windows Mobile can encrypt e-mail exchanges with SSL/TLS, or scramble traffic to a corporate VPN using built-in IPsec. BlackBerries use proprietary encryption to scramble traffic to a corporate BES, with optional PGP or S/MIME protection for mail messages. Wireless security varies by interface, but Wi-Fi Protected Access (WPA) support is increasingly common, and most vendors are taking steps to resist Bluetooth attacks.
Authorization is improving, prompted in part by the recent rash of Bluetooth trojans. For example, the “Symbian Signed” program now helps users differentiate between legitimate digitally-signed code and unsigned software that could potentially be malware. Symbian OS 9.2 can limit the capabilities granted to unsigned programs and prevent programs from accessing each other’s data. Trust/privilege level enforcement has also been added to Windows Mobile 5 and Palm OS 6.
These built-in OS capabilities have created a more secure ecosystem for mobile business applications, but they do not satisfy all mobile security requirements. Like laptops, PDAs and smartphones can be augmented with after-market security programs that fill in functional gaps and/or provide centralized control and monitoring.
In Part 3 of this series, we will explore mobile security add-ons that
can be used to meet the needs of individuals, small businesses and large
This article was first published on ISPPlanet.com.