Wireless PDAs and Smartphones: A Hacker's Heaven
May 7, 2004 5:30 AM PT
A real security threat is looming with wireless PDAs, WiFi devices and smartphones. These are the electronic marvels that are pushing the goal of wireless telecommunications to new limits. Industry watchers report that people are dropping their older PDAs like hot potatoes and snapping up the latest generation of wireless devices like crazy.
The new PDAs and smartphones can receive e-mail and text messages just like desktop and laptop computers. That makes their users just as vulnerable as their computer-using cohorts to social engineering aimed at obtaining passwords and accessing stored data.
These devices are susceptible to viruses and other rogue code when they are synched to computers and office networks. Security experts told TechNewsWorld that these wireless devices lack antivirus protection and message-filtering software or encryption programs to lock in security.
"We are starting to see spam showing up on these devices," said James Kott, director of product management at MessageGate. "It's low level now, but it is starting." MessageGate provides a software solution for corporate e-mail security.
According to reports from the Protect Data Group, about half of all data on corporate handhelds have no security protection. A survey Protect Data conducted recently revealed that some 25 percent of enterprise users polled said their PDAs had been lost or stolen.
The Survey Says...
Pointsec Mobile Technologies, a security company providing secure data, conducted a survey of 230 business executives in early March. That study revealed that half of those polled said they did not have security measures protecting their PDAs. PDAs offer users an option to enter a password when turned on. Other than that option, no other security was available.
Of those surveyed, 81 percent said they considered the stored information on their PDAs somewhat or extremely valuable. But many of them said they weren't worried much about security issues on their PDAs, even though 31 percent of them stored sensitive corporate data. Nearly three-fourths of the executives expressed more than a moderate degree of interest in security systems for their pocket devices, however.
Cost does not appear to be a factor in security for PDAs and smartphones. Almost 70 percent of the surveyed executives said they would purchase a more expensive PDA if it had security features.
Those are significant findings. Enterprise PDAs and smartphones are quickly becoming the primary telecommunications tool of choice. In many instances, they are replacing portable computers. About 38 percent of executives polled said they used their PDAs to connect to a corporate network or multiple networks.
Data storage on these devices offers another window on the potential for disaster that this lack of security could cause. The survey indicated that some 30 percent of the respondents use removable storage with their PDAs. It also showed that a wide range of data was being entrusted to PDAs and smartphones.
Ninety-nine percent said they stored names and addresses. Eighty-three percent said they used the calendar function to track meetings and project details. Thirty-six percent said they received and viewed e-mails on their pocket devices. The smallest percentage of respondents, 15 percent, said they used their PDAs to create documents or spreadsheets.
Security Needs Differ
Security issues pose different concerns, depending on whether the device is used for enterprise or consumer purposes, said Kap Shin, founder and CTO of AirPrism. AirPrism MMS provides authentication functionality to enterprise systems, access control systems and corporate firewalls.
"On the enterprise level, PDAs and smartphones are used for mission-critical applications and data storage. We can address those security concerns with software-encryption solutions. But on the consumer level, there are no products yet available," Shin told TechNewsWorld.
He cited an example of hacking incidents already taking place in Japan. Somebody sent out a link to all smartphone users. Each time somebody clicked on that link, rogue code in the link activated automatic calling to a targeted business number. The excessive traffic those calls created crippled the telecommunications system.
"We will soon start to see those kinds of things happen in this country," said Shin.
Depending on the types of phone directory entries and personal data stored by consumers on their pocket wireless devices, a lost or stolen PDA or smartphone can cause consumers just as much trouble. Just consider a recent sale reported to have occurred on eBay.
Somebody placed an advertisement on eBay for a BlackBerry RIM "sold as is." A Seattle computer consultant sent in a bid of US$15.50. His bid was accepted, making him the new owner of the pager-size wireless pocket communicator with 4 MB of memory.
He soon discovered that he was the not-so-proud owner of a stolen BlackBerry. It contained a hoard of corporate data.
A Security Nightmare
Jeffrey Guilfoyle doesn't always speak in a complimentary way about Windows CE PDAs and smartphones.
"They reflect a lot of technological advancement. They are fairly new but are not heavily tested," said the vice president for systems and security at managed security services firm Solutionary. "I expect some pretty significant flaws to be found."
His concern about security headaches stemming from these new devices is based, in part, on past incidents involving pagers. "People were able to spam pagers. That caused outages. The existing infrastructure is built to handle a limited amount of traffic," he said.
Guilfoyle's concern is also based on the worsening virus and worm infections. He worries about the loss of critical information, call logs and identity theft.
"These are all real-world scenarios. Sending e-mails from phones and PDAs can become infected. This is the same code used on computer infections," he told TechNewsWorld.
The Solutionary security executive wants to see the telecommunications industry profit from past mistakes with security on computers. The computer industry created protocols as the technology developed, but security was left to the individual vendors. He doesn't want to see that happen with always-on smartphones and Internet-capable PDAs.
"Security needs to be a core component of the infrastructure. It has to be bolted into the new devices," said Guilfoyle.
Rumors are circulating about a few cell-phone attacks. So far, he said, they are only urban legends. But the industry is definitely aware of the need for security.
"We probably will see smaller attacks that vendors will react to. Our hope is that these attacks will be something that consumers will ask vendors to protect them against," Guilfoyle said. "There is so much competition with all of these handheld devices, but we are not seeing much movement for security."
Historically, he said, consumers have not been concerned about security issues.
"Everyone has underestimated the risk until it was too late," he said.