Mobile insecurity

For the UK’s ravenous national media, the story ticked all the right boxes: secret agents, sex, lost data, the incompetence of Gordon Brown’s office. Some senior officials called it a ‘honeytrap’ sting operation, others a harmless theft, but one thing was sure: the look on the face of Gordon Brown’s aide when he came clean must have been priceless.

Earlier this year, when accompanying the Prime Minister on a two-day trip to China, the hapless civil servant was compelled to report to the PM’s Special Branch protection team that his BlackBerry had disappeared, following an overnight encounter with a Chinese woman he had met at a Shanghai disco.

The device in question was protected by a password, in line with government policy, but not necessarily encrypted. Even if the contents were benign, security experts told the national media that the device could be used to hack into Downing Street servers and monitor the government’s email traffic.

The high-tech furore when the story broke in July, however, was gradually drowned out by hype surrounding the release of the Apple iPhone 3G. Despite the juxtaposition of events, few experts raised questions over whether the iPhone – or indeed other advanced devices that are the corporate umbilical cords of many executives – posed a new security threat to the enterprise.

For Howard Schmidt, president of the Information Security Forum and one of the world’s foremost experts on computer security, the answer is a resounding ‘yes’.

As a former cyber-security adviser to the White House, ex-chief of security at both Microsoft and eBay, and a pioneer in computer forensics at the FBI, it’s a safe bet that if Schmidt is worried about something, other people probably should be too.

“These are nothing more than PCs in a much smaller format – and they have to be managed and secured and controlled to the level you control PCs,” he says. “They are not just something you issue and forget about.”

But forgetting they are. A recent survey of IT security decision makers by the information management software company Sybase found that 71% of companies rely solely on their employees to secure their mobile devices, even though 87% of them reported usability frustrations with security features.

Dave Hansen, former CIO of CA, and now head of the systems management software company’s security division, has firsthand experience of trying to forcibly implement mobile security on an obstinate audience.

“When I arrived in the CIO’s job we were not even forcing passwords on our BlackBerry users – hardly anyone was,” he says. “Now we have put it in our policy – we force a password on the device with a set expiration period. [But] we took a lot of heat from the end users for doing that.”

Hansen says IT can come under intense pressure to compromise on security, especially when senior executives “show up with an iPhone”.

“It’s not that hard to support the iPhone,” he says, “but it is hard to secure it – and that’s something people don’t understand.”

Compromised security

Mobile computing might be unshackling employees from their desks, but many organisations are erroneously treating laptops and mobile phones as very different animals.

“[Companies] are happily handing out smart phones, yet forbidding staff to use laptops outside the building for fear of theft and consequent negative publicity,” observes Scott Nursten, managing director of systems integration firm s2s. He suggests that poor management of such devices and complacency towards their capabilities constitutes “one of the biggest threats to corporate data security”.

Gartner analyst Ken Dulaney is of a similar opinion. “The cornerstone of security is consistency, whatever the device,” he says.

“If you lower the security footprint for [any particular] client device then you lower the security of the entire environment.”

And the iPhone and the current generation of smartphones have brought that issue to the fore. “It’s interesting to see how many companies are willing to compromise security for the sake of the iPhone,” says Dulaney.

The pressure on IT staff is real. Dulaney himself came under attack from Apple devotees for initially recommending that any enterprise valuing its information security should avoid the device completely. Following the release of Apple’s latest firmware patch he has mellowed his counsel to ‘with care and caution’, reminding the analyst firm’s clients that the iPhone is “first and foremost a consumer device”.

Despite the growing concern about the security of mobile devices – much of it vendor driven – with the exception of the occasional Mata Hari victim, very few incidents involving the compromising of such devices have made it to the public domain. This is surprising, considering how the loss of laptops, CD-ROMs and USB drives grabs the attention of the media and the Information Commissioner’s Office.

“People should be more worried about the data than the device,” says David Porter, head of security and risk at Detica, the UK-based technology consultancy that works extensively on MoD, financial services and other high-security projects.

“The question is, if I’m a fraudster, am I interested?” he ponders. “[Mobile data theft] is a new area, and I’m still busy plundering the laptop. But fraud is like a balloon – squeeze it at one end and another part inflates. I’m sure cyber criminals are mobilising forces [against mobile devices] as we speak.”

“It’s funny that there haven’t been any big stories already,” agrees Hansen. “You’d think that people who are having data stolen this way would have to disclose it, but people aren’t talking about it yet. It’s inevitable – it just is,” says Porter.

Currently criminals seem preoccupied with the devices rather than the data, says Nursten, despite the data stored on them usually being of far greater value to the business than the device itself. “In most cases where a phone is stolen, the first thing people do is delete everything before putting it up on eBay.”

Schmidt acknowledges that establishing a link between a stolen device and data theft is very difficult, but suggests many incidents go unreported.

“Anecdotally there are people who have lost a BlackBerry or mobile with data on it, but no one has directly said ‘yes I lost it and a week later my bank account was emptied,’” he says.

But for a corporate executive in the throes of M&A negotiations or reviewing unreleased financial results or about to make a restructuring announcement to Wall Street, “the keys to the kingdom are in there”.

“Emails, Word documents, PowerPoint presentations – access to them is one of the biggest things you need to worry about.”

According to Schmidt, the risks to mobile devices come in three flavours: the loss or theft of a device containing sensitive data; connecting to insecure or potentially fraudulent networks; and vulnerabilities created through poor application development and support.

Data loss

Lost laptops frequently make the headlines – especially when they contain data that might be useful to identity thieves or when they involve the loss of sensitive government information.

But it’s not just the government that’s losing data; a survey of 2,000 taxi drivers across 11 countries found Londoners among the most forgetful, leaving just over 3,000 laptops in the back of taxis over a six-month period.

That figure is clearly concerning, until you consider that the number of phones left behind in the same period was a staggering 55,000, and these were significantly less likely to be claimed by their owners. As phones begin to include much of the functionality of their larger, better-protected laptop cousins in terms of storage, browsing capability and connectivity to the workplace, clearly a massive problem is brewing.

“I don’t like being the doomsday guy, but the amount of storage you can get on some of these devices is a key factor,” says Hansen, holding up a new BlackBerry he is evaluating for CA. He points to the card slot on the side of the device that can give it well over 4GB of capacity.

Any security built into the operating system of such a device is simply bypassed by removing the card and plugging it into a reader, explains Nursten.

Furthermore, encryption is less attractive for smaller devices. Forcing a meaningful level of encryption can cripple the battery life and lessen usability, warns Dulaney. “Research in Motion [with BlackBerry], Microsoft (Windows Mobile) and Apple (iPhone) all offer encryption, but good security in this way is a product of background processing,” he says.

“The more intense the encryption the higher number of CPU cycles, and the less battery life you get,” agrees Nursten.

Users concur, according to Sybase’s survey: 21% of respondents with managed security on their devices said that speed of decryption was an issue and 27% complained of the length of time taken to access their device on powering up.

Wipe out

Many enterprise-level mobile devices can be configured to remotely wipe the data stored on them the moment they connect to a network – assuming the SIM isn’t removed before the device is turned on.

“One phone call can remotely kill the device so you can’t even load firmware on it,” explains Hansen, “although that doesn’t account for data on the SD card.”

A further problem is the issue of data ownership where an employee either buys a device or a company allows it for personal use. “We can’t just selectively nuke their email and leave their MP3 collection,” Hansen explains.

As for authentication, “by accessing the phone through a physical port, standard passwords and PINs can be bypassed and all data on the phone accessed,” warns Nursten.

“It doesn’t take an evil hacker type – any 15-year-old knows how to do it,” he says, offering the example of a popular iPhone hacking and unlocking tool called ‘Pwnage’. “You download it, plug in the phone, hold down the power and the home button and Pwnage takes over the phone allowing you to overwrite data, access the application system or even unlock the SIM [from any network]. There’s a lot of [similar] one-click tools you can download.”

Schmidt also raises the issue of device disposal – “Like many people who follow technology I may keep a mobile device for less than a year before I recycle it or give it to someone. There’s only one or two types of devices that can totally wipe the data stored on them,” he says.

Network access

Mobile devices’ increasing capability to access WiFi networks for high-speed data connections and IP telephony is a major concern for many security executives – Schmidt included.

Despite a general perception that doing so is safe, he argues that such devices currently have far fewer security features than the average laptop – something people should be aware of when using one to connect to the corporate VPN.

“While we call PCs personal computers they aren’t really personal, because they can be accessed [through a VPN] from all over world,” he says. “With a mobile there is a perspective that this is ‘my mobile in my pocket or briefcase’, but in reality it is just as exposed as anything else connected to an IP-based network. I don’t think people are fully cognizant about that when they are using them.”

With devices commonly used in locations like hotels and airports, Schmidt observes there is nothing preventing someone from spoofing a wireless point and monitoring traffic.

“In many cases when I turn on my mobile there are different wireless networks around. I might recognise one like ‘BT Openzone’ that I trust, but there’s nothing precluding someone from setting up an access point called, for example, ‘BT Freezone’. It sounds similar and it’s trusted – but now I’m connecting to their network, through a VPN into my corporate network, booking tickets online and doing online banking.”
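The ‘BT Freezone’ scenario Schmidt describes is a lookalike network name rather than a technical exploit, so the defensive control is equally simple: only auto-join names on an approved list, and flag names that are close to, but not identical with, an approved one. The following Python is an added illustration written for this article, not code from the article or from any vendor mentioned in it; the trusted-name list, the sample scan results and the 0.35 similarity threshold are all constructed assumptions. It cannot distinguish an access point that copies a trusted name exactly, which is why the VPN and TLS layers on top of the connection still matter.

```python
"""Lookalike SSID check (added example; trusted and observed names are constructed).

Classifies each network name seen in a scan as 'trusted' (exact match after
normalisation), 'lookalike' (within a small edit distance of a trusted name,
e.g. 'BT Freezone' versus 'BT Openzone') or 'unknown'. A managed device
profile would allow auto-join only for the 'trusted' bucket.
"""
import re
from typing import Optional


def normalise(ssid: str) -> str:
    # Collapse case, whitespace and common separators so that 'BT-Openzone'
    # and 'bt openzone' compare as the same name.
    return re.sub(r"[\s_\-]+", " ", ssid.strip()).casefold()


def levenshtein(a: str, b: str) -> int:
    # Classic edit distance: minimum insertions, deletions and substitutions.
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_ssid(observed: str, trusted: list, max_ratio: float = 0.35) -> tuple:
    """Return ('trusted', name), ('lookalike', name) or ('unknown', None).

    A lookalike is a name whose edit distance to a trusted name, divided by
    the longer length, is at most max_ratio. The threshold is an assumption;
    tune it against your own SSID list.
    """
    obs = normalise(observed)
    best_name: Optional[str] = None
    best_ratio = 1.0
    for name in trusted:
        t = normalise(name)
        if obs == t:
            return "trusted", name
        ratio = levenshtein(obs, t) / max(len(obs), len(t))
        if ratio < best_ratio:
            best_name, best_ratio = name, ratio
    if best_name is not None and best_ratio <= max_ratio:
        return "lookalike", best_name
    return "unknown", None


def triage_scan(observed: list, trusted: list) -> dict:
    # Group a scan result into the three buckets for review or for building
    # an auto-join allowlist.
    out = {"trusted": [], "lookalike": [], "unknown": []}
    for ssid in observed:
        verdict, _ = classify_ssid(ssid, trusted)
        out[verdict].append(ssid)
    return out


# Constructed sample data: an approved list and one scan's worth of names.
TRUSTED = ["BT Openzone", "CorpGuest"]
SAMPLE_SCAN = ["BT Openzone", "BT Freezone", "bt-openzone",
               "CorpGuest5", "Airport Free WiFi"]

if __name__ == "__main__":
    for ssid in SAMPLE_SCAN:
        print(f"{ssid!r:22} -> {classify_ssid(ssid, TRUSTED)}")
```

Running the block classifies ‘BT Freezone’ and ‘CorpGuest5’ as lookalikes of the two approved names, ‘bt-openzone’ as trusted after normalisation, and ‘Airport Free WiFi’ as unknown; in practice the ‘lookalike’ bucket is the one worth surfacing to users or to a wireless-survey report.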

Applications

The popularity of the iPhone has in part been attributable to the army of third-party application developers who have expanded its capabilities exponentially since Apple opened up its software architecture earlier this year.

And the promise of being able to escape the platform limitations of more closed devices, such as BlackBerrys, with the aim of developing bespoke, company-specific applications might be one reason why some companies are considering alternatives.

In August, Brenton Hush, chief information officer for HSBC in Australia and New Zealand, said that the bank was considering a switch from BlackBerrys to iPhones – a move that might be extended to its worldwide workforce of 300,000.

Hansen predicts that the capability to develop enterprise-scale apps on open mobile platforms could be “a very good play for the return of internal application development”.

However, Schmidt is cautious. “When you look at the attacks people are doing [on the PC], they are attacking applications,” he says. “Microsoft might provide patches for their products, but what about the small independent software vendors (ISVs) or in-house development where people are not doing the diligence they need to do? The distinction between application security and protocol security is one of those things we continue to struggle with.”

Actual mobile device malware is rare beyond the odd proof-of-concept program, says Dulaney. “There are very few consumer-facing malicious applications. Traffic [for devices such as BlackBerrys] goes through giant data centres, and operators have a vested interest in security – they have a great investment in security products. If a platform becomes dominant it will attract virus writers as well as developers.”

As operators relinquish control of mobile platforms and open them up to development in the wake of the iPhone’s success, Schmidt predicts that “the same basic protections we developed with PCs, such as code signing, we need to make available for mobile devices. I don’t see a lot of movement in that direction.”

Mobile management

Managing the proliferation of mobile devices is becoming a considerable challenge for IT managers, and yet another infrastructure headache.

“I have one customer with 50 different types of phone in the hands of their workforce,” Nursten says, “and as a result they have 50 different security applications. When you support laptops at least you just have Windows, Linux and MacOS – even if you drill down into variations of each, you are still going to have a methodology to follow.”

One touted solution is mobile device management (MDM) software, a young but booming sector which enables remote device configuration and largely considers security as a side-effect of good infrastructure management. Analyst firm Ovum predicts by the end of 2009 MDM products like OMA DM and FOTA will be an established part of the handset technology landscape, with penetration in over half the installed base of handsets and in 84% and 69% respectively of new mobile phone shipments.

But for those currently responsible for herding mobile devices through an enterprise, the challenge will continue to require as much diplomacy as software.

“Sometimes you have to take a hard line,” says Hansen. “When you ask someone ‘why do you want an iPhone?’ and they answer ‘so I can watch video on it sideways,’ then that’s not a compelling argument.”

Standardisation is key, he explains. “Say: ‘if you want a phone with data access to the company, then this is the device you will use.’ If you take that policy to the audit committee or the board they’ll say ‘hell yeah’.”

At this stage, as mobile communication devices have made the leap from single-function devices to small form-factor computers, the industry is working its way through a period of near anarchy during which corporate security is being threatened. Over the coming months and years, organisations need to address the new security challenges that these devices throw up – before the onset of large-scale device hacking, virus proliferation and data loss.
