As the desktop once said to the cell phone, “Don’t do anything that I wouldn’t do.”
According to a group of panelists gathered Wednesday for the Ziff Davis Wireless Solutions Virtual Tradeshow 2005, as mobile devices become more widely used and take on increasingly sophisticated applications, they will likely be faced with the same raft of security threats that have plagued their PC brethren.
From corporate workers who unknowingly expose their companies to attacks by accessing unprotected wireless networks, to consumers that broadcast their location and device information via Bluetooth-capable phones, the industry experts agreed that the battle against mobile threats is only beginning.
Todd Thiemann, director of device security marketing for software maker Trend Micro Inc., said that the growing list of content services and business applications moving onto mobile devices will encourage hackers currently writing malicious code for PCs to cook up wireless attacks.
“To date, when you go out with a mobile device over a mobile operator network, you’re generally using slow data speeds and consequently you don’t see a lot of file downloads,” Thiemann said. “But things are going to take off and get into higher data speeds, and there will be a lot more people downloading. What that means is that it will be a lot easier for people to install malware, viruses and trojans in the same ways that we’ve seen on a PC, and it will happen a lot more frequently.”
Thiemann said that the increase in developers creating programs for wireless handhelds will also trigger a jump in the volume and complexity of potential threats. For instance, Microsoft Corp. claims that over 640,000 software coders are working on applications for the company’s Windows Mobile operating system, while an estimated 417,000 people are developing tools for Palm Inc.’s mobile OS. Another 2 million are estimated to be building software for devices running the Symbian OS.
As each of those platforms grows in size and sophistication, said Thiemann, so will the attacks crafted to target them individually. In addition, as with Microsoft’s Windows OS for the desktop computer, whichever software system wins the biggest share of the market will draw the most attention from hackers.
“Today, it’s more probable that attacks will come on (Symbian) or Windows Mobile platforms than a Palm OS platform,” said Thiemann. “Palm also announced that its next generation Treo (handheld) will use Windows Mobile, so you see (threats) coalescing around those operating systems.”
In the world of business, experts said, the mobile threat is rapidly becoming a serious headache for IT administrators. Although people have learned to use their company-owned computers more carefully, many business workers continue to take significant risks with their mobiles.
Brian Babineau, analyst with Enterprise Strategy Group, said that companies must begin treating mobile devices just as they treat other forms of computers, enforcing stricter wireless access guidelines and educating employees on the inherent risks of using handheld business applications.
“We don’t just have laptops anymore, we have PDAs and iPods, and all of these devices, including cell phones, have memory or will soon,” said Babineau. “The unfortunate news is that we’re starting to see that as employees and their devices move further away from centralized IT resources, it gets a lot harder to protect them.”
Some of the pain points that may allow for mobile attacks are the same technologies that other experts have labeled as the leading catalysts for growth of the industry, including Bluetooth communications systems and even the many variations of the 802.11 wireless technology standard.
Bluetooth, which is already widely available in a number of cell phones, PDAs and laptops, is gaining a reputation as a weak point in some of the devices. Based on the location-oriented aspects of the technology, Bluetooth-capable machines not only carry the ability to download different types of applications but also transmit unique identification information. That data could conceivably be used to attack individual devices.
With 802.11, or Wi-Fi technologies, users can be threatened by publicly available hot spots such as the ones offered at Starbucks coffee shops. The panelists said that wireless access points that fail to use encryption, or lack authentication controls at the management level of their software, could make it easy for hackers to spoof devices’ Internet Protocol addresses.
“Previously Bluetooth was overlooked because any attacker would need to be close to their target to carry something out, but it’s been shown that Bluetooth attacks can now be carried out over a mile away from a target with use of a highly directional antenna,” said Andrew Lockhart, security analyst with Network Chemistry. “With 802.11, customers will often connect to whatever (network) they see with the highest signal strengths when preferred networks aren’t available. That’s a big mistake.”
Another threat worth noting is the possibility of having a wireless device physically stolen, along with all the personal data, passwords and network access information that users have stored on their machines, observed the analyst.
Despite the potential landslide of security implications, the experts agreed that many of the loopholes they cited can be largely avoided by maintaining vigilant device usage practices.
For Bluetooth, the security specialists recommend disabling the capability entirely when it is not in use, turning off device identification functions, and creating longer PIN codes for network and applications passwords. People who don’t plan to use Bluetooth at all may want to avoid devices that carry the function, the panel recommended.
With Wi-Fi, the experts said that users should only connect to trusted networks, use a virtual private network when available, and use the onboard security tools built into more sophisticated devices such as laptop computers or smart phones.
Business users and IT departments managing wireless devices should enforce the same rules they have in place for other computing systems, such as prioritizing data backup, establishing standards for recovery times, and choosing products and services that don’t hold the potential to create unnecessary problems.
There is also a slew of new technologies aimed at helping companies remain more vigilant, including software that continuously backs up device data to central IT systems, and applications that automatically synchronize data from PDAs and smart phones onto laptop or desktop computers.
“There’s not really a whole lot to protecting against attacks on mobile devices, it just requires a bit of common sense,” Lockhart said. “Treat devices that use (wireless technologies) like you would any other device that connects to the Internet.”