To many security experts, it's an epidemic waiting to happen.
While most I-managers today have their hands full securing wired networks, their companies have been spending billions of dollars on wireless. By the end of this year, businesses will have spent $37 billion on wireless communications services, and 47 percent of the U.S. work force will use some sort of wireless device, including cell phones, pagers and mobile computing devices, according to Cahners In-Stat Group.
That's good news for employee productivity, but bad news for companies ill-prepared to head off security breaches and debilitating viruses.
“The only reason the [wireless] viruses of today have not been more damaging is there's been a lack of functionality and a lack of mature infrastructure globally,” said Bob Hansmann, enterprise product manager of antivirus software vendor Trend Micro.
But that's about to change, he says. Hansmann uses a popular equation to help predict when and where problems will pop up: Popularity plus functionality equals vulnerability. Fill that equation in with analyst predictions for dramatic increases in wireless handheld use and the proliferation of new mobile capabilities – Cahners expects to see 1.5 billion handsets, PDAs and Internet appliances equipped with wireless capabilities by the end of 2004 – and you get a full scale epidemic in the works.
Simply put: “It's coming,” said Mike Vergara, product marketing director of RSA Security, a wired and wireless authentication provider.
The wireless world, with its often-incompatible alphabet soup of standards, may be new territory for many I-managers. Many enterprises have felt that protecting their wireless processes against viruses is one piece of the complicated puzzle they can afford to omit. They'll soon need to think again, experts say, or face threats that could wreak havoc.
The good news is security vendors – even giants like IBM – are busy developing products to fight the viruses and security breaches of the future. Among them are those that head off problems on a network level, within applications and on devices.
To date, most wireless attacks have happened outside the U.S., in markets where wireless devices are more widely used. However, one virus that did hit U.S. handhelds was known as the Liberty virus.
Some personal digital assistant users received what they thought was a program that would allow them to play a certain game for free. But when they double-clicked on the link, it launched a virus that erased all the data on the devices.
For people who regularly back up their PDA information on their PCs, the virus wasn't devastating. More serious problems, however, have occurred overseas in the form of viruses, malicious code that forced phones to dial particular numbers, intercepted transmissions and data theft.
One virus was distributed in Scandinavia as a short message. When a user received the message, the virus rendered the buttons useless. Users had to take their phones in to their service providers to get them fixed.
Because many wireless devices also have telephony capabilities, new types of malicious code have been written that force them to make phone calls. One incident in Japan caught the attention of wireless operators and software companies around the globe. Users of NTT DoCoMo's popular I-mode service received an e-mail with what looked like an embedded Web site link. When customers clicked on the link, their phones automatically dialed Japan's emergency response number.
“Luckily they could stop it before it got too bad, but that could shut down a 911 system, and that could have life-and-death consequences,” Vergara said.
Similar viruses could be unleashed that, for example, might flood a company's call center, or cause phones to dial a 900 number. A corporation could be seriously affected if a virus that spread to all its mobile workers racked up significant charges.
Perhaps more alarming to businesses is the threat of data theft. All wireless transmission standards have security built in to prevent the interception of information as it's being transmitted, but they're known to be fallible. The developers of standards such as Wireless Application Protocol (WAP) and the wireless LAN 802.11b standard have included encryption technology designed to head off the threat of “sniffing.”
Sniffing is an inherent problem in wireless because the network is essentially everywhere. In the wired world, sniffers must have access to physical parts of the network in order to break in. “The problem is, with wireless, they don't even have to be in the network. They can be in a van outside with a transmitter,” said Steve Gottwals, product marketing manager of F-Secure, a company that specializes in securing enterprise wireless users.
The widely used wireless LAN standard, 802.11, came under fire recently when researchers at the University of California at Berkeley figured out how to crack its built-in encryption. Still, Gottwals is hopeful, because developers addressed security from the start and are working to beef it up before wireless LANs become more pervasive.
Also, companies will have to secure wireless transactions. “There will be attacks on the devices themselves, but they quickly will be focused on transactions,” said Brian O'Higgins, chief technical officer of Entrust, an Internet security company.
These threats are expected to grow more serious and frequent as devices develop more capabilities.
“Typically, we look to the past to predict the future,” Gottwals said. “Every time there is a technology advancement, along with it comes new possible threats.”
In the PC environment, each time software companies release popular technologies, people use them to write malicious code. The same is expected with regard to wireless. For example, a Windows program can currently run on a Windows CE device, but CE doesn't yet support macros. “So, because the device doesn't support macros, the ability for viruses to spread is nil,” said Vincent Gullotto, senior director of research at McAfee AVERT (Antivirus Emergency Response Team).
But wireless devices are rapidly developing other capabilities.
“In the beginning the PDA was just something used to store contacts. But today they are little computing devices,” Gullotto said. “As you create more functionality, there's more of a chance of things being used improperly.”
So far, most viruses have been regional. But as regions of the world begin to standardize wireless technologies, the threat of viruses spreading around the globe grows. NTT DoCoMo, for example, plans to open its network globally by 2003, Hansmann said. “Then, NTT DoCoMo threats can spread worldwide.”
Also, the more capabilities supported by devices, the greater the potential for viruses to spread between PCs and mobile devices, which could enable viruses to spread very quickly. In the future, Hansmann expects that Windows CE will support Java script so that the same applications can run on PCs and handheld devices. Then viruses can spread easily via e-mail or programs that synchronize PCs and handheld devices. Some wireless phones, including versions Nextel Communications sells primarily to businesses, already support a version of Java.
More security measures and products are becoming available. Still, uncertainty about how to address potential threats is preventing some enterprises from deploying wireless, said Omar Javaid, chairman and co-founder of Mobilocity, which advises enterprises on setting up wireless solutions.
Many companies are still contending with wired security issues. And the fact that both the wired and wireless worlds change quickly makes it difficult for I-managers to stay on top of new developments. “It's a tremendous challenge for them to understand the space and the issues and what are the solutions to address it,” Javaid said.
Because wireless viruses haven't been widespread, many enterprises aren't yet concerned about protecting against them. Technicians at Allegiance Telecom, a competitive local exchange carrier, use interactive pagers that operate over the Cingular Wireless network to receive trouble tickets. “We haven't heard about viruses, and the people at Allegiance who use the devices say it's not an issue,” said Jim Synhorst, procurement director of Allegiance.
Although the data from those devices passes through the corporate firewall, additional security isn't necessary, because the information wouldn't be valuable to anyone else, Synhorst said.
At Final Mile Communications, a professional services company, field service workers use Nextel phones to receive trouble tickets and report status back to the dispatch center.
They haven't seen any viruses yet, but “when and if [a virus] does present itself, it will be a serious issue to be dealt with,” said Kim Dixon-Burrows, dispatch director.
Other companies are more concerned about the possibility of data being stolen. The first decision an enterprise must address when implementing a secure wireless system is to define its security model by determining what's acceptable and what isn't, Mobilocity's Javaid said.
“Part of the problem is, it's ponderous,” he said. For example, in the wired world, encryption based on public key infrastructure hasn't taken off because it is difficult to use, Javaid said. An enterprise that wants to give a field service worker access to important data is aiming to make that worker more efficient. “But if security introduces more error and takes longer to use, you've negated the advantage of going after it. You have to take a holistic approach,” he said.
Products purporting to provide end-to-end security that starts with the device and includes transmission and the software that runs applications are coming to market, giving companies more options that fit their specific needs.
One of the simplest problems, though, has not been widely addressed: Few mobile devices have mechanisms for protecting information stored on them should the device be lost or stolen. There are some early products that companies can add to user devices to encrypt stored data so that only the owner can access it, Javaid said.
F-Secure has encryption and antivirus software for Pocket PCs, and Palm and Symbian devices. F-Secure also offers antivirus engines for WAP gateways at the operator level.
Trend Micro has antivirus software for devices and guards against all entry points, including beaming, synching, e-mail and Internet downloading. Earlier in the summer, a wireless ASP in the U.K. said it would use Trend Micro's antivirus technology to protect its wireless applications.
Gottwals said that programs similar to those available on laptops could be developed to allow a user whose device is lost or stolen to remotely destroy information or make it useless to anyone else. Such capabilities can be crucial to protecting important information stored on devices.
Activity has begun to create virus protection software that lives on devices, although serious threats aren't expected for some time. “We think the CE environment will probably be the first to see viruses written on a constant basis,” Gullotto said. “But I don't think it'll happen on a regular basis for perhaps 9 [months] to 16 months.”
Creating antivirus software for devices isn't easy. “On phones, the real estate is owned by the operating company and there's a turf battle over what software can do,” Entrust's O'Higgins said. That patchwork on the phones makes it difficult for a virus scanner to cover all parts of the device; virus protection could be required for each piece of software.
F-Secure's PDA solution includes antivirus software for PCs that is constantly updated via the Internet and uploaded to PDAs when users synch with their PCs.
Software on devices becomes an important component of an antivirus campaign because short-range communications techniques, such as Bluetooth or infrared connections, bypass networks. Users can beam information – and viruses – directly to one another without sending the data through a server.
Phones sold by NTT DoCoMo since December incorporate software to defeat viruses like the one that commanded the handset to automatically dial the emergency phone number.
I-managers can also protect the devices of mobile workers by buying handsets that have authentication technology built in. RSA Security is one company working with handset vendors to make phones capable of accepting digital signatures. I-managers that send out updates or regular messages to mobile workers could program workers' devices not to accept messages unless they have the I-manager's digital signature.
Such authentication technology is being built into handsets, and phone makers are interested in adding such capabilities, because they represent the potential for additional revenue. A device manufacturer could charge an enterprise per user for the complete authentication platform.
In addition to virus protection on user devices, another line of defense is at the servers accessed by mobile workers.
Currently, most platforms that support mobile e-mail carry antivirus and antispam software. Trend Micro helps enterprises and wireless operators detect threats as they pass through firewalls using the same technology that's been used to detect viruses in the PC environment. As new threats arise, Trend Micro will give its customers updated tools that can block viruses, usually within an hour, Hansmann said. Trend Micro believes that stopping viruses in the infrastructure is the best way to block their spread. “The device is the last line of defense,” Hansmann said.
But in the future environment of always-on communications that will come with next-generation packet wireless networks, that type of protection gets more difficult. “Unlike a mail client, applications like IM [instant messaging] and location- or presence-based applications are chatty. So the number of messages and the frequency go up by a factor of 10,” said Michael Serbinis, chief technical officer of Critical Path, a company that offers Internet messaging platforms. The sheer number of applications and messages being sent will make antivirus efforts more complicated.
For the seriously paranoid, some space-age solutions are already available. Siemens has introduced an add-on capability for phones that can encrypt conversations, Javaid said. Such technologies are used primarily by government workers, but he said he believes that certain industry segments might be interested in such rigorous precautions. Oil companies, for example, spend billions on exploration and want that information kept confidential. “Some of their security is more stringent than [that of] governments,” he said.
There have also been some products designed for Palm devices with fingerprint-identification technology, he said.
Even more far-out ideas could be morphed from their original intent to fit the wireless security needs of some corporations. Some law enforcement agencies have been working on a technology that could render a handgun, such as one carried by a police officer, useless if someone else tries to use it. Such technology could be ported to a handheld device, Javaid said.
Still, after all of these impressive security solutions are created and deployed, no one actually believes that they'll stop the troublemakers. “I'm not saying that with a sense of resignation,” Javaid said. “It's a battle of attrition. It requires constant vigilance and understanding.”