A growing number of PDAs and smartphones are being used for business, but most lack the basic security measures currently used to protect mobile worker laptops. ISPs may be able to capitalize on this opportunity to re-sell and deploy mobile security products to individual subscribers, SMBs, and enterprise customers.
In Part 1 of this series, we introduced the network and application capabilities associated with mobile devices running Windows Mobile, Symbian, Palm, and BlackBerry.
Here in Part 2, we explore mobile security threats and built-in defenses.
Mobile security threats
Mobile devices, whether used for business or pleasure, require security measures to neutralize inherent threats. Many of these threats are also faced by internet-connected laptops, but are aggravated by mobile device size, capabilities, default security posture, and user behavior.
For example, data losses due to laptop theft have been making big news recently (see these AIG, Fidelity, and VA headlines). Many employers are obligated by law or industry regulation to deter data loss and/or notify customers impacted by data loss. Individuals who lose their laptops feel the sting of compromised logins and credit card numbers through identity theft.
Like laptops, mobile devices can carry gigabytes of data. But mobile devices are even easier to lose. A Pointsec study reported tens of thousands of mobile devices lost in taxis over a six-month period, including 40 PDAs found by just one Chicago cabbie! According to Pepperdine, 1 in 4 users have experienced PDA loss or theft, while 4 out of 5 PDAs contain data that users deemed valuable.
Most laptops are (at least to some degree) protected against network-borne attacks, including port scans, viruses, trojans, and the ever-increasing tide of spyware. But very few mobile devices can detect or block these kinds of attacks.
Intruders like to prey upon populous-but-weak victims, and mobile devices are ripe for the picking. A stream of new mobile malware and wireless attacks has emerged over the past two years. For example, the Doomboot trojan corrupts Symbian devices, while the Commwarrior worm spreads this malware to others over Bluetooth or Multimedia Messaging Service (MMS).
Many smartphones can be Bluebugged, that is, exploited by commands received over Bluetooth that place calls, send messages, or retrieve data. For more examples, see this list of mobile viruses and this database of wireless vulnerabilities and exploits.
Wireless connections themselves pose many threats, from eavesdropping on unencrypted data over Wi-Fi or Bluetooth and service theft caused by cracked credentials, to using wireless as a vector to penetrate upstream networks and systems. Many users do not even realize that Bluetooth and MMS are enabled on their smartphones. Some companies mandate Wi-Fi security on laptops, but entirely ignore PDA Wi-Fi. Most do not realize that a PDA with active wireless cradled to a PC can create a back door onto the company LAN. Mobile devices are not uniquely affected by wireless threats; they are just more likely to have multiple active interfaces and far less likely to be secured.
Whether these threats pose significant risk depends on how a mobile device is used. Older devices presented less risk because they held little data and had limited communication capabilities. Today's PDAs and smartphones pose more risk because they store and access more sensitive data and services. However, many companies cannot even assess their risk exposure because they do not know if or how employees use mobile devices for business. This "blind spot" is itself a business threat.
Early mobile devices were largely devoid of security measures. Most had optional PINs, but few users could be bothered to enable them. Beyond that, mobile security largely meant adding third-party solutions. Furthermore, due to their limited resources and lightweight operating systems, mobile devices were easily compromised. While attacks were relatively rare, those that existed (e.g., PalmOS/Phage) had little trouble crashing PDAs, overwriting system files, and programmatically invoking hard resets.
Fortunately, mobile operating systems have made significant security improvements in recent years. Security protocols and capabilities are being added to each new OS release, improving default posture and creating a more robust foundation for security add-ons.
Access Controls are the first line of defense against compromise of a lost or stolen mobile device. Many power-on locks have been augmented to deter PIN-guessing and encourage use. For example, BlackBerry protection levels can enforce minimum password lengths. Windows Mobile can render a stolen device useless without the user's SmartCard. BlackBerries and Symbian phones can be remotely locked with special messages (i.e., "kill pills"). Palm 6 beefed up its authentication manager to support third-party fingerprint readers that speed unlocking by authorized users.
Stored Data Encryption can stop private data from being lifted from an unlocked mobile device, including those that are resold without being wiped clean. Today, all major mobile operating systems include crypto services for use by programs that need to encrypt data. Support for the RC4, DES, and 3DES ciphers is common; only Palm lacks built-in AES. Devices can use these crypto services to protect sensitive system files, but (except for BlackBerry) third-party programs are still needed to encrypt user data.
Backup/Restore capabilities are important to speed recovery after device loss or failure. Centralized backup for BlackBerries is provided through BES. Most other PDAs can be backed up to a desktop with supplied programs like Microsoft ActiveSync, Symbian Sync ML, or Palm HotSync. Enabling synchronization over wireless is making mobile data backup more convenient, but all sync interfaces (whether local or remote) must be secured to stop intruders from exploiting them.
Secure Protocols authenticate communication partners and deter eavesdropping. All major mobile OSs now support web browsing over SSL. Secure browsing through a carrier's Wireless Application Protocol (WAP) Gateway is also relatively common. Symbian and Windows Mobile can encrypt e-mail exchanges with SSL/TLS, or scramble traffic to a corporate VPN using built-in IPsec. BlackBerries use proprietary encryption to scramble traffic to a corporate BES, with optional PGP or S/MIME protection for mail messages. Wireless security varies by interface, but Wi-Fi Protected Access (WPA) support is increasingly common, and most vendors are taking steps to resist Bluetooth attacks.
Authorization is improving, prompted in part by the recent rash of Bluetooth trojans. For example, the "Symbian Signed" program now helps users differentiate between legitimate digitally-signed code and unsigned software that could potentially be malware. Symbian OS 9.2 can limit the capabilities granted to unsigned programs and prevent programs from accessing each other's data. Trust/privilege level enforcement has also been added to Windows Mobile 5 and Palm OS 6.
These built-in OS capabilities have created a more secure ecosystem for mobile business applications, but they do not satisfy all mobile security requirements. Like laptops, PDAs and smartphones can be augmented with after-market security programs that fill in functional gaps and/or provide centralized control and monitoring.
In Part 3 of this series, we will explore mobile security add-ons that can be used to meet the needs of individuals, small businesses and large enterprises.