
Protecting phones, handhelds from attack

By Jim Rendon, News Writer
16 Mar 2004 | SearchMobileComputing.com

Wireless security is a hot topic, but all the recent buzz has revolved around Wi-Fi problems and fixes. What about mobile devices? Are they vulnerable to attack? Are cell networks any safer than Wi-Fi networks?

We caught up with Avi Greengart, lead wireless analyst with New York-based Jupiter Research, to find out more about the latest potential dangers that threaten the security of mobile phones.

What are the biggest security concerns when it comes to mobile phones?
Avi Greengart: Enterprises need to be aware of multiple security issues. There is the security of the network, the security of the device being used and, most importantly, there's the person using the device. There are now regulations like HIPAA [the Health Insurance Portability and Accountability Act of 1996] that require encryption on mobile devices. Security is mandated in the networks themselves, and cell networks don't necessarily include encryption, though digital networks are tougher to hack than analog.

Whether it is GPRS, EDGE, 1xRTT or EvDO, security is not built into these protocols, so encryption must happen in the device. For example, one vendor that is building a credit card-swiping attachment for a Nextel phone built encryption into the hardware on the device, so the data is encrypted before it is ever sent.

What about the handsets themselves? How safe are they?
Greengart: Device security is equally important. If you have a mobile device with sensitive information on it, the user could easily lose it, or break it. Those are important security issues. One way to address that is to never have any data reside on the device. Some companies have developed programs that lock down the device, or encrypt the data on the device. One of the problems with these approaches is that the user has to log on to the device over and over again. A better approach would be biometrics -- if you had a handheld that could read a thumbprint to authenticate the user, it would be easier.

Have there been concerted attacks on mobile devices?
Greengart: Everyone writes for Microsoft [because] it is more exciting for a virus writer to take advantage of many users. Microsoft's share of the mobile market is fairly low. The overall percentage of people who are using PDAs is low. But there is a possibility that smart phones will take off in Europe and that people might start to exploit security holes there. But, given the current market, they will target Symbian devices much more quickly than [Microsoft-based devices].

What about a step below smart phones, the cellular data phone?
Greengart: That market is fragmented by so many different operating systems that it is almost impossible for software vendors to target it, let alone hackers. BREW has the lion's share of the market in the U.S. But every single phone is different at the hardware level. It would be difficult for someone to write a virus to exploit vulnerabilities in phones. The issue with data-enabled phones is not the operating system, but Bluetooth.

What sort of vulnerabilities does Bluetooth open up?
Greengart: There is bluejacking, bluesnarfing and bluestumbling. Bluesnarfing is the latest way to use Bluetooth to annoy people and steal contact information. Using Bluetooth, you can look in at someone else's address book. Bluestumbling is a way of monitoring and logging visible Bluetooth devices, and bluejacking is when you send random messages to a bunch of people with Bluetooth-enabled devices. But these are all implementation problems, not problems with the Bluetooth technology itself.

Recently a low-risk vulnerability was reported with the Motorola T720 cell phone. The phone essentially shuts down as a result of a denial of service attack. Is that a security concern?
Greengart: My reaction is a resounding 'so what?' As far as I can tell, this means that, if an evil, malicious hacker knows your phone's IP address and attacks you while you're using the WAP browser (not exactly a common activity anyway), he can annoy you and overload your phone. Your phone will shut down, and you will then have to follow the arduous procedure of pushing the 'on' button to make phone calls again.

How should businesses plan for deploying wireless devices so that they are sure they are secure?
Greengart: There are a multitude of approaches. One is to just open the checkbook and provide employees with devices and the software wrappers around them to ensure that they are secure. Some of that is happening at the trial stage in a minority of companies.

A lot of problems arise with people that buy their own devices to access e-mail and calendar information. Sensitive information ends up roaming around freely. Some companies ban mobile devices outright, but I question how effective such a policy can be. If an employee just spent $400 on a device, and the IT department tells him that he can't use it, he will probably just ignore the policy. Some companies are reimbursing a portion of the purchase of a new device, and that approach can work, but it also has limitations.

