Security on mobile devices keeps hitting the headlines for all the wrong reasons. A recent report in The Times suggested that two of the most popular Bluetooth-enabled mobiles – Sony Ericsson’s T610 and Nokia’s 6310 – could be vulnerable to criminals, who use the Bluetooth wireless technology to copy information stored in the phones.
Chances are, such information would have limited commercial value, although it may include contact details and corporate emails as well as pictures, ringtones and text messages. But copying the content of a laptop or personal digital assistant (PDA) could be far more damaging. As devices such as smartphones become more powerful, storing documents in Word or Excel format as well as simple address and contact books, companies could become more vulnerable to information theft.
Nor is the problem restricted to Bluetooth devices, or even those with more powerful, wireless Internet (WiFi) cards.
Much has been made of the potential security risks posed by wireless networking, but although there are dangers, hacking into a wireless connection requires a degree of technical know-how as well as close physical proximity. WiFi connections only work over a few hundred metres, and Bluetooth links are shorter still.
For a criminal to target a wireless connection for information theft – rather than just to gain free surfing on a wireless access point – they have to find the person they want to target and know when they will be sending sensitive information.
Luckily, relatively straightforward technology such as virtual private networks can prevent most snooping. But protecting networks does little to protect data against a casual thief who steals the device itself.
“There has been an awful lot of attention paid to wireless networks broadcasting information. We know how poor the security is on WiFi, but focusing on the wireless side has taken the attention away from the real issue, which is having end-to-end security,” says Nigel Deighton, a Gartner analyst.
Deighton likens the focus on wireless network security to “locking the doors but leaving the windows open”. He points out that many corporate users of smartphones and PDAs fail to set up even the basic PIN code security for their machines. And handheld computers and smartphones pose security risks at several levels.
More powerful PDAs, equipped with large built-in memories and removable storage cards, could also become Trojan horses and help hackers and other criminals gather sensitive information. And it is not just PDAs that pose a risk: Deighton warns that with devices such as Apple’s iPod, capable of holding tens of gigabytes of information, whole databases could be copied and stolen.
But perhaps the greatest threat comes from the data that employees legitimately store on their handhelds or smartphones. As mobile devices handle larger amounts of sensitive data, loss or theft becomes more serious. Although most CIOs are now aware of the need to provide at least basic security for laptop computers, handhelds and smartphones seem to receive less attention.
Even the physical design of some handhelds and smartphones increases the risk. “A data card could even fall out of a Pocket PC’s slot,” says Deighton. “They are not encrypted, and security has not, so far, been a priority for the manufacturers.”
There are, though, third-party encryption programs, strong authentication utilities and firewalls available for handhelds, especially for equipment running the Pocket PC operating system. And the industry itself is taking the issue more seriously.
But improving security means striking a balance between a safer way of working and ease of use.
Graeme Proudler is a senior researcher at HP Labs in Bristol, and chair of the technical committee of the Trusted Computing Group, an industry body. He says that people using handheld computers have tended to run fewer open applications than, say, laptop users. This made handhelds a less attractive target to hackers or criminals. “Once the handheld becomes a fully-fledged computer, you are vulnerable to all these problems,” he says.
Proudler adds that security for a closed environment – as mobile phones were until recently – is relatively trivial. “The complexity arises from a rich environment where users can run multiple applications.”
The IT industry is working to build far higher levels of security into the hardware and operating system for handheld computers and smartphones, but experts such as Proudler caution that there is still some way to go.
In the meantime, he suggests that awareness of the security issues among IT directors is rising. Until the makers of handheld devices produce the next generation of more secure hardware and operating systems, third-party encryption and authentication software will be essential for anyone who carries sensitive information on a PDA or smartphone. And a robust policy on the type of information that should be on the device would also come in handy.