​

CELL PHONES AND PERSONAL DIGITAL ASSISTANTS (PDAs), like BlackBerries, now offer a range of features that make them essentially equivalent to handheld computers. “They’re about where laptops were about 10 years ago,” says Gartner vice president and research director John Girard.

Called smart phones by the industry, these devices offer great convenience and can enhance productivity. But as with other technology, security risks come with that promise. Companies need to be aware of the risks and proactive in countering them to protect proprietary data that may otherwise be compromised by such mobile devices.

Risks

Part of the problem is that people still view these handhelds simply as phones or scheduling tools. They do not think, for example, about the data stored on a mobile phone and how easily that information could fall into the wrong hands if the phone were lost, stolen, or hacked. Lawyers can lose their client information, sales executives their marketing strategies, and doctors their patients’ health data.

Portability exacerbates the problem, because it makes these devices easy to misplace. A study by Redwood City, California-based Check Point Software Technologies found that over a six-month period, more than 21,000 PDAs were left in taxis in Chicago alone.

In another example of how these devices put data at risk, Trust Digital bought nine phones randomly off eBay. Engineers at the McLean, Virginia-based firm found nearly 27,000 pages of data on the phones including personal tax information, corporate sales notes, and business client records.

Malware. Added to loss or theft is the emerging risk that phones will become malware-infected. According to McAfee Avert Labs in Santa Clara, California, the current worldwide mobile malware tally is about 450. That’s not many compared to the company’s PC malware count of about 400,000. Many of those 450 were also proof-of-concept, meaning they weren’t actual attacks.

To date, mobile devices in Europe and Asia are attacked by malware more often than in the United States. One reason is that they tend to present a more profitable target; mobile financial transactions are more common in those regions. But the risk is likely to rise in the United States as Americans increasingly use handhelds to surf online, conduct commerce, and bank.

Simply visiting Web pages and downloading attachments creates new malware venues. “We do believe the reality today is changing. You’re going to start seeing targeted attacks in the way you do with other endpoints,” says Jeff Aliber, senior director of product marketing at Woburn, Massachusetts-based Kaspersky Lab.

All malware is becoming more profit-driven. Some recently discovered mobile viruses, such as three variants of the Viver Trojan detected by Kaspersky Lab, fit this trend. Written for Symbian OS—an operating system common outside of the United States—the viruses, once on a device, send text messages to premium-rate Russian numbers. There is a charge for each text message.

Such scams used to require user interaction, but the new viruses automatically send messages as soon as they are downloaded. The Trojans that carried the viruses reached targets through a popular photo and video file-sharing program for mobile users. One variant was downloaded more than 200 times before removal by the site administrator, according to Kaspersky.

Another form of malware, found earlier this year by McAfee, aimed to hold handhelds for ransom. Discovered in China, the malware would remove all the text messages from targeted Symbian Series 60 phones. It then displayed a warning message, threatening to cripple the phone unless users sent about $7 to an account in QQ, a Chinese instant messaging and virtual currency system. McAfee said it hadn’t found any examples where the attackers’ threat was carried out.

Of much more concern to companies is “snoopware” that silently embeds itself in systems before siphoning information back to a server. These programs are not evident to the user. “Today, when attacks hit, you almost never know it,” says Paul Miller, director of mobile and wireless at Cupertino, California-based Symantec Corp.

One such software program is FlexiSPY. Sold openly as a legitimate product by a Thai company called Vervata, it acts like a key logger. Capabilities include remote phone monitoring; logging of incoming and outgoing SMS messages; and viewing of call history, address books, and other data. Uses could range from the relatively benign (a parent monitoring a child) to more malevolent (spying on a top executive). While FlexiSPY installation requires physical access to a device, variants of the technology can be hacked into a Trojan.

Many smart phone threats have involved Bluetooth technology. In so-called Bluejacking, malicious text or multimedia messages are sent to other Bluetooth users. In Bluesnarfing, hackers connect to a Bluetooth device to access and modify data. A number of viruses have spread via closely proximate Bluetooth devices. With pairing, two nearby devices with discovery mode on can negotiate a connection.

Viruses can “spread like a biological function, person to person, like a common cold,” says Miller. “Typically you see flare-ups in small regions, such as airports. Someone might walk around Heathrow and infect people, then Charles DeGaulle, and JFK.” Some of the attacks have involved spam-like messages, asking users to sign up for dubious services.

Solutions

As with other IT security issues, there are two sides to solving the problem: policies and technology.

Policy. The earlier IT gets involved and considers a security strategy, the better, says Eric Maiwald, a vice president at Midvale, Utah-based Burton Group. Sometimes the matter arises when a department requests phones, he says. “We’ve also seen IT say we have a problem and need to control these things.” By planning early, companies can avoid the difficult situation of telling employees certain devices can’t be used, he says.

One of the first steps is identifying existing devices. “You don’t want people using devices you’re not aware of,” says Mark Blowers, a senior research analyst at the U.K.-based Butler Group.

Employees may hook up their iPhone to certain devices or synch their PDA to Microsoft Outlook throughout the day. “You could just walk around the enterprise and see what’s connected,” he says. A more efficient way could involve scanning for Media Access Control (MAC) addresses connected to the network, he says. Other tools could periodically scan desktops, looking for synched-up gadgets. IT managers should ask employees whether the devices are used mainly for work or for personal reasons.

Many firms opt to provide employees with company phones, disallowing personal devices. If companies want to let some users access the network and download data with their own handhelds, such devices should be required to run company software, says Gartner’s Girard. This kind of centralized policy can simplify security administration and save money, he says.

IT departments should aim to lock down data at all times and to administer policies centrally, according to some analysts. Carrying out this policy involves the use of technology.

Technology. The BlackBerry Enterprise Server (BES) lets IT administrators remotely control more than 400 device configurations. For non-BlackBerry users, the Microsoft Exchange Server also permits significant mobile control.

Rod Ochs, IT director at the Atlanta law firm Needle & Rosenberg, says a primary reason he chose the Windows Mobile system for his firms’ Palm handhelds was its compatibility with the MS Exchange. While the MS server isn’t required for Windows Mobile, it helps create simple and granular remote device control. Through the server’s ActiveSync function, for instance, Ochs can synchronize policies on e-mail and other information between desktop and mobile devices. Device users must then accept changes to connect to the server.

Even with the MS Exchange, however, many enterprise users buy more holistic security solutions from third-party providers. These cover Bluetooth issues, passwords and authentication, encryption, remote data wiping, system configurations, and antimalware solutions.

Bluetooth. Securing Bluetooth is mainly about making it less visible, says Girard. Users should only turn discovery mode on when seeking a connection, he says. He also recommends that companies have a policy on closing unneeded ports.

When contacted by another device’s Bluetooth, BlackBerries and other phones now automatically produce a dialogue box. “Users are told that another device wants to make a connection, and [they are] asked whether they want to approve it,” says Scott Tozke, a security director at BlackBerry parent company Research in Motion.

Certain phones have additional safety features, including a limited period in which a phone can be in discovery mode. Some software also lets administrators remotely block Bluetooth functionality.

Passwords/authentication. Handhelds can be set so that a password or PIN has to be entered before any applications are enabled or data revealed. Phones can also be set to go to sleep after a certain period of time, subsequently requiring PIN re-entry.

Whenever Ochs provides an employee with a Palm, he ensures that they set up a PIN. He says he considers it one of the handheld’s most important security features. Ochs also advises staff to timeout the phone after 5 to 15 minutes of inactivity.

Some experts advise a longer timeout range. “If you set it for every five minutes, the device becomes unusable,” says Dr. Chris O’Connor, director of Medical Informatics at Toronto-based Trillium Health Centre. O’Connor led the effort to buy BlackBerries for all 40 members of his intensive care unit team in 2005.

“A reasonable period is maybe an hour,” he says. “Then you basically enter the password once or twice a day.”

Ochs tells staff that the PINs are to protect the firm as well as attorney-client privilege. Staff generally understands, he says, noting: “We rarely get any push back.”

BlackBerries, Microsoft Windows Mobile 6, and other systems also offer bruteforce protection. After a certain number of failed password attempts, usually 10, devices can be configured to lock or wipe their memory.

Another authentication option includes fingerprint readers from vendors such as Addison, Texas-based CREDANT Technologies and Germany’s Utimaco Safeware. Other organizations are using two-factor authentication.

Some corporations and government agencies, including the Departments of Defense and Homeland Security, are using a system where users enable their handheld by inserting a smart card into a lightweight, wearable reader. The system, which is based on an encrypted version of Bluetooth, locks phones when the handheld is more than 10 or 12 feet from the reader. Since the user wears the reader, this helps in situations where the handheld is lost or stolen.

“If you leave your phone in a cab, it will lock automatically,” says Tozke. Some of BlackBerry’s corporate smart card customers already have token policies for computers and other access points. “They see the smart phone as just another terminal.”

Encryption. As PINs can occasionally be bypassed with specialized tools, encryption provides added protection.

BlackBerries and Palms offer inherent AES 256-bit encryption that can be configured on the devices. BlackBerry’s Enterprise Solution also stores data using AES 256, but provides the slightly less strong Triple Data Encryption Standard (Triple DES) when its software is combined with IBM’s Lotus Domino and Novell servers. Private encryption keys are securely generated and assigned to each BlackBerry holder. Data is encrypted at the server with a user’s key and then decrypted with a second key stored on the phone.

The latest Windows Mobile version also now offers data encryption. External removable storage cards can be safeguarded with AES 128-bit encryption; a key is stored on the device’s internal flash memory. One criticism of this new feature is that if users do a hard reset, the key is also permanently erased. Some third-party solutions have emerged, giving users the ability to encrypt data directly on devices and to backup the key on external storage.

Many enterprise users obtain device encryption through a broader security offering. Vendors include Baltimore, Maryland-based Bluefire Security Technologies, CREDANT, and St. Louis-based Mobile Armor.

Bluefire Mobile Security encrypts device data and storage cards with the AES 256-bit framework. It also includes a “logout and encrypt” feature—automatically encrypting data at power-off. The product also includes authentication technology, a firewall, logging capability, and the ability for administrators to remotely block features including Bluetooth, the speaker/ microphone, USB drives, storage cards, cameras, and ActiveSync.

What about when data is being transmitted? Most operating systems and many phone carriers also provide secure tunneling of various strengths.

Palms and Windows Mobile support several encryption protocols, including Secure Sockets Layer (SSL), Transport Layer Security (TLS), and IPsec (Internet Protocol Security). E-mail can be secured with either SSL or TLS. The latter, like SSL, requires a root certificate but also provides users with public and private keys at varying encryption levels.

Firms using more Web-based applications or that want to further harden communications at areas such as public Wi-Fi hot spots, can use a virtual private network (VPN). A handful of companies offer add-on VPN clients that can be remotely administered and integrated with SSL or IPsec. IPsec clients include Mobile VPN from Bluefire; Secure Entry CE from Germany’s NCP Engineering, and Antha-VPN from Ireland-based Anthasoft. Bluefire licenses are about $80 each, with an additional $12 for annual support; prices decline with orders of 100 or more.

Only one SSL client is currently available for Windows Mobile and Palms: Aventail from Sunnyvale, California-based SonicWALL. In addition to SSL session security, it includes user authentication and digital certificates as device watermarks. A basic Aventail Application with 25 included users is about $5,500. The first year of service costs an additional $900. BlackBerries include IPSec-based software and can add VPN clients from vendors including San Jose, California-based Cisco Systems and Check Point Software Technologies.

Some administrators rely partly on their e-mail client’s existing security. Ochs says that one reason he chose the Windows Mobile platform for the law firm was so that he could continue using Outlook Access on mobile devices. The handheld user interface is similar to that on notebooks and desktops, he says. He says he also appreciates Access’ strong 256-bit AES SSL encryption.

Remote data wiping. Using servers or other third-party solutions, IT administrators can also remotely wipe devices’ memories. “If you lose the phone, you telephone IT, and they wipe it,” says O’Connor. “If I drop it in a ditch somewhere I know someone won’t be able to get into the device.”

When handing out a Palm, Ochs says he tells employees that the firm’s policy is any missing device should be immediately reported to IT. The wipe is then done through the MS Exchange Server. While the firm has lost a few phones, says Ochs, the combined PIN and wiping policies mean “all we’ve lost are some pieces of hardware.”

Antimalware solutions. In the past few years, a handful of antivirus (AV) heavyweights have rolled out mobile antimalware solutions. Vendors such as Symantec, McAfee, and Kaspersky have all launched suites with antivirus, firewall, and antispam. Some solutions can scan for riskware, such as FlexiSPY.

Most devices allow over-the-air installation, configuration, and updating. An example is Symantec AntiVirus for Handhelds; running on Palms and other PDAs, individual licenses are about $40 annually. Features include real-time malicious-code protection, virus scans at regular intervals, desktop synchronization, and alert logging.

Mobility is a part of twenty-first century business, and handhelds are here to stay. It’s up to security professionals to ensure that wherever the information goes, it remains protected.

John Wagley is an associate editor at Security Management.