General

Mobile Security:
Where risk meets opportunity, Part 2:
Threats and Defenses

As your most valuable customers adopt the latest mobile devices, you will need to know how to protect them. This article describes the solutions available to protect a road warrior's most vulnerable devices.

by Lisa Phifer VP Core Competence, Inc. [July 21, 2006]

A growing number of PDAs and smartphones are being used for business, but most lack the basic security measures currently used to protect mobile worker laptops. ISPs may be able to capitalize on this opportunity to re-sell and deploy mobile security products to individual subscribers, SMBs, and enterprise customers.

In Part 1 of this series, we introduced the network and application capabilities associated with mobile devices running Windows Mobile, Symbian, Palm, and BlackBerry.

Here in Part 2, we explore mobile security threats and built-in defenses.

Mobile security threats
Mobile devices, whether used for business or pleasure, require security measures to neutralize inherent threats. Many of these threats are also faced by internet-connected laptops, but aggravated by mobile device size, capabilities, default security posture, and user behavior.

For example, data losses due to laptop theft have been making big news recently—see these AIG, Fidelity, and VA headlines. Many employers are obligated by law or industry regulation to deter data loss and/or notify customers impacted by data loss. Individuals who lose their laptops feel the sting of compromised logins and credit card numbers through identity theft.

Like laptops, mobile devices can carry gigabytes of data. But mobile devices are even easier to lose. A Pointsec study reported tens of thousands of mobile devices lost in taxis over a six month period, including 40 PDAs found by just one Chicago cabbie! According to Pepperdine, 1 in 4 users have experienced PDA loss or theft, while 4 out of 5 PDAs contain data that users deemed valuable.

Most laptops are (at least to some degree) protected against network-borne attacks, including port scans, viruses, trojans, and the ever-increasing tide of spyware. But very few mobile devices can detect or block these kinds of attacks.

Intruders like to prey upon populous-but-weak victims, and mobile devices are ripe for the picking. A stream of new mobile malware and wireless attacks have emerged over the past two years. For example, the Doomboot trojan corrupts Symbian devices, while the Commwarrior worm spreads this malware to others over Bluetooth or Multimedia Messaging Service (MMS).

Many smartphones can be Bluebugged—exploited by commands, received over Bluetooth, that place calls, send messages, or retrieve data. For more examples, see this list of mobile viruses and this database of wireless vulnerabilities and exploits.

Wireless connections themselves pose many threats, from eavesdropping on unencrypted data over Wi-Fi or Bluetooth and service theft caused by cracked credentials, to using wireless as a vector to penetrate upstream networks and systems. Many users do not even realize that Bluetooth and MMS are enabled on their smartphones. Some companies mandate Wi-Fi security on laptops, but entirely ignore PDA Wi-Fi. Most do not realize that a PDA with active wireless cradled to a PC can create a back door onto the company LAN. Mobile devices are not uniquely affected by wireless threats; they are just more likely to have multiple active interfaces and far less likely to be secured.

Whether these threats pose significant risk depends on how a mobile device is used. Older devices presented less risk because they held little data and had limited communication capabilities. Today's PDAs and smartphones pose more risk because they store and access more sensitive data and services. However, many companies cannot even assess their risk exposure because they do not know if or how employees use mobile devices for business. This "blind spot" is itself a business threat.

Go to page two: Built-in Defenses >