Hotel heiress Paris Hilton is used to having her private details broadcast across the Internet. But she was less than pleased in February 2005 when her privacy was breached by someone getting into her T-Mobile Sidekick II, a combined mobile phone and email device. Celebrity friends’ phone numbers, personal notes and photographs were all copied and posted on the web by an intruder who either stole (or guessed) her password or hacked into the server at T-Mobile where the data was held.
The incident is a high-profile reminder of the threat that mobile devices present to data security. Yet the Department of Trade and Industry’s 2004 security survey found that more than half of UK businesses have done nothing about wireless security.
This is partly because the threat is both limited and misunderstood. Several viruses for mobile devices have been produced as proofs of concept in security labs, though few have made it into the wild thus far. Those that have appeared have largely arrived via Bluetooth short-range wireless connectivity. One technique, known as ‘Bluesnarfing’, actually activates Bluetooth in devices, allowing address books and calendars to be read or modified.
Heeding the old axiom that the most secure device is one that is switched off, experts advise that any form of wireless connectivity not core to the device’s main use should be deactivated.
Bruce Schneier, founder and CTO of security services provider Counterpane, expects such threats to mount as mobile devices become as capable as laptops and as hackers start to exploit the developer kits that accompany mobile operating systems such as Palm OS and Windows CE. “We’ll probably get more of it as phones get used for finance,” says Schneier. “It might be deducting the price of a soft drink from everybody’s cellphone, using automation. If you can do that fast enough, get the money and close the account, that’s a good crime.”
While many experts suggest that the first wave of mobile device attacks will not come until next year, all the main antivirus and security management vendors already sell mobile versions of their products – possibly playing on paranoia, but also giving security managers a rare opportunity to gain a head start over malware authors.
Market watchers Burton Group calculated that the list prices for a complete set of security products for handheld devices – including antivirus, VPN, authentication and management – can cost more than the device itself. To reduce this expenditure as far as possible, Burton analyst Eric Maiwald recommends that managers extend their wired network security and management tools to devices and, as with all security, match requirements to risk and use.
Part of the problem with securing mobile devices is that, by their very nature, they are often out of the office, making it tricky to keep them up-to-date with antivirus signatures and changing security policies.
Vendors such as Check Point, Sygate and iPass provide management software that can quarantine devices that connect to a network without the necessary precautions and push patches to them in a manner appropriate to their connection speeds. Gartner calls this approach “on-demand security”. It allows dynamic access policies to be imposed, permitting devices access to certain parts of the network depending on their level of security.
The analyst group says basic mobile device due diligence includes: standardising hardware, tools and/or platforms; monitoring and tracking devices using asset management; and drawing up clear and strict guidelines for how much and what kind of business data can be stored on them. But until there are a lot more cases like Paris Hilton’s, many companies will simply give that due diligence a miss.
The biggest threat to WiFi or wireless local area network (LAN) security is misconfiguration. Some security vendors suggest that this problem is growing as employees install their own wireless access points at their desks. Either way, a study in March 2005 of nearly 2000 wireless LANs in London by security specialist Red-M found more than one-third were not secured – including hotspots in the Ministry of Defence and the Royal Courts of Justice.
Many more are likely to have been using wired equivalent privacy (WEP), the bare minimum encryption for wireless networks, which was cracked in 2001. Organisations still using WEP are urged to upgrade to WPA (WiFi Protected Access) and its successor WPA2, based on the 802.11i standard.
Another simple wireless LAN security measure is to change its service set identifier (SSID), the default broadcasting name and address. This also relates particularly to a new kind of wireless network threat, the ‘evil twin’ hotspot, identified by Cranfield University cyber-crime expert Dr Phil Nobles. “The majority of public hotspots are set up without any security – by default they are public so they can’t have security to prevent the general public from connecting to it,” he says. “A hacker can set up a laptop with the right software and a wireless card to give all the same information and log-in pages as the hotspot, and can clone common websites that users visit like banks and webmail – even down to security certificates and browser padlocks.”
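The three wireless LAN problems described above (networks still on WEP or left open, access points broadcasting their factory SSID, and an unknown device advertising the organisation’s own network name, as an evil twin would) can all be checked from a site survey against an asset inventory. The following audit script is an added example and is not code from the article, Red-M or any vendor named here; the scan records, the corporate inventory and the list of factory SSIDs are constructed for illustration.

```python
"""Audit a wireless site survey for weak encryption, default SSIDs and
access points impersonating a corporate network name.

Added illustrative code; the scan records and inventory below are constructed.
"""
from collections import defaultdict

# Weakest to strongest, matching the article's upgrade path:
# open -> WEP (cracked in 2001) -> WPA -> WPA2 (802.11i).
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

# Factory SSIDs that suggest an unconfigured access point (assumed list).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless", "wlan"}

# Asset inventory (constructed): corporate SSID -> BSSIDs allowed to advertise it.
INVENTORY = {
    "acme-corp": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed survey records, one per access point seen during a walk-round.
SCAN = [
    {"ssid": "acme-corp", "bssid": "00:11:22:33:44:01", "channel": 1,  "capabilities": ["WPA2"]},
    {"ssid": "acme-corp", "bssid": "00:11:22:33:44:02", "channel": 6,  "capabilities": ["WPA2"]},
    # Same corporate name, no encryption, hardware we do not own: evil-twin pattern.
    {"ssid": "acme-corp", "bssid": "de:ad:be:ef:00:99", "channel": 11, "capabilities": []},
    {"ssid": "linksys",   "bssid": "00:aa:bb:cc:dd:ee", "channel": 6,  "capabilities": ["WEP"]},
    {"ssid": "cafe-free", "bssid": "00:aa:bb:cc:dd:ff", "channel": 11, "capabilities": []},
    {"ssid": "finance",   "bssid": "00:11:22:33:44:10", "channel": 1,  "capabilities": ["WPA"]},
]


def protocol(ap):
    """Strongest protocol in the AP's advertised capabilities, or OPEN."""
    for proto in ("WPA2", "WPA", "WEP"):
        if proto in ap["capabilities"]:
            return proto
    return "OPEN"


def audit(scan, inventory=INVENTORY):
    """Return (bssid, severity, message) tuples, one per problem found."""
    findings = []
    for ap in scan:
        proto = protocol(ap)
        bssid, ssid = ap["bssid"], ap["ssid"]

        # 1. Encryption: open and WEP are broken; WPA should be moved to WPA2.
        if proto == "OPEN":
            findings.append((bssid, "high", "no encryption; enable WPA2"))
        elif proto == "WEP":
            findings.append((bssid, "high", "WEP (cracked in 2001); upgrade to WPA2"))
        elif proto == "WPA":
            findings.append((bssid, "low", "WPA; plan upgrade to WPA2 (802.11i)"))

        # 2. Default SSID: the AP was probably installed without any configuration.
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, "medium", "factory SSID; rename and check configuration"))

        # 3. A corporate SSID advertised by a BSSID missing from the inventory:
        #    either an employee's own access point or an evil twin.
        if ssid in inventory and bssid not in inventory[ssid]:
            findings.append((bssid, "high", f"unknown BSSID advertising corporate SSID '{ssid}'"))
    return findings


def summary(scan):
    """Count access points per protocol, e.g. the share that are open or WEP."""
    counts = defaultdict(int)
    for ap in scan:
        counts[protocol(ap)] += 1
    return {p: counts[p] for p in STRENGTH}


if __name__ == "__main__":
    for bssid, severity, message in audit(SCAN):
        print(f"{severity:6} {bssid}  {message}")
    print(summary(SCAN))
```

The inventory check is the part that matters most for the evil-twin case: duplicate SSIDs on their own are normal in any multi-access-point deployment, so what marks a rogue is a known network name coming from a BSSID the organisation does not own, especially when it is advertised with weaker security than the genuine network.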
Conversely, a laptop plugged into a company network with its wireless capability still enabled could act as a conduit for hackers to enter the organisation, bypassing firewalls and DMZs (neutral zones between a company’s private network and the outside public network) to steal data or even mount a denial-of-service attack.