Mobile Device Security
By Phil Kernick
Mobile devices are not new – the first PalmPilot was created more than a decade ago. Managing the security issues related to mobile devices is also not a new problem – the first publicly disclosed vulnerabilities in Palm OS happened in 2000, with Windows CE and Symbian following soon thereafter. The first proof-of-concept virus for a mobile phone was demonstrated in 2004.
What is new is the level of penetration of mobile devices into the corporate workplace.
Mobile device use in corporate workplaces is a case study for the workforce enabling themselves to work seamlessly anywhere and anytime, and bringing the IT department along kicking and screaming. The initial corporate use of mobile devices was by technically savvy workers bringing in their own PDAs, and using them to synchronise with the corporate calendar. As companies discovered this unauthorised extension of the enterprise security barrier they reacted in the time-honoured way of banning them, and writing policies forbidding their use.
The PDA resurfaced as a business tool for the mobile workforce, with salespeople needing to work effectively out of the office without a traditional notebook computer. Forced to integrate mobile devices into traditional IT, departments typically developed a containment strategy that allowed their use only in a stand-alone and disconnected mode, and only for a select group of approved users.
The release of the BlackBerry in 1999 entirely changed the mobile device landscape. The periodic synchronisation of calendars and contacts was replaced by an always-on e-mail client. Executives loved them. The IT department hated them. But the result was never in doubt: the enterprise security barrier was torn down and corporate information was in the hands of a mobile workforce, but without strong security controls. The security model had to change.
As the 20th century drew to a close, the paradigm for enterprise security was reshaped. Instead of protecting the network, it was necessary to protect the data. The triple-play of PDAs, VPNs and wireless networks had finally enabled the truly mobile workforce.
This newly liberated workforce realises a number of existing security threats in new ways, and introduces others. The challenge of today’s corporate IT department is to deliver the functionality that the users require, whilst effectively managing the risk to corporate information.
The most obvious, but counter-intuitively the lowest-risk, security threat for mobile devices is virus attack. Modern PDAs and mobile phones have all the technological prerequisites for a virus outbreak: fast processors, a generic operating system and many network connections (including WAP, Bluetooth, and Wi-Fi). But to date there are very few mobile device viruses in the wild, and those that do exist propagate slowly and ineffectively, usually requiring close contact and human interaction, much like biological viruses.
One of the key reasons for the lack of viruses for mobile devices is the lack of a mono-culture. Today there are multiple mutually incompatible platforms for providing mobile services: Palm OS, Windows CE, Symbian, BlackBerry, Linux; and multiple processor architectures underlying these operating systems: ARM, Intel, Motorola. As in a human population, a virus outbreak can only occur if there are enough susceptible hosts in close proximity, and the diversity of the mobile device market largely inoculates us against that.
If any vendor does manage to dominate the mobile device market this will change, but for today anti-virus on mobile devices is a solution still waiting for a problem.
While virus attack on mobile devices is a real threat, it is a new variant on a problem that is well understood. The highest risk created by the mobile workforce is to the corporate data stored on their devices. While the network security paradigm may have changed from network protection to data protection, this approach is much less well understood, less mature, less well implemented and in many organisations non-existent.
Most people have either lost a mobile device, or know someone who has. When your mobile device was just a phone, the most sensitive information that it contained was your contact list, containing the phone numbers of your family, friends and colleagues. The average PDA or mobile phone of 2007 has the capability of storing gigabytes of data on removable storage cards the size of a thumbnail. The average corporate document is still less than one megabyte in size, so a mobile device may have thousands of confidential documents and tens of thousands of confidential e-mails stored on it.
The traditional solution to managing sensitive data is to physically protect it or to encrypt it. In the case of mobile devices the only way to physically protect data is to not have it on the phone at all. In today’s corporate environment this is an untenable position. To assess the risk of compromise of sensitive data from a mobile device it is necessary to know where the data is stored and how easily an attacker can recover it.
There are two choices for storage, either on the internal flash memory, or on a removable storage card. In the case of a removable storage card there is no effective protection for the data, as an attacker can insert the card into any other PDA or computer and read the filesystem. Data stored in the internal flash is theoretically harder to access, but only if the mobile device is password protected, and then only if the password is strong. Many corporate users do not password protect their mobile device as they find it bothersome to enter the password. This is precisely the same problem solved by password-protected screen savers on desktop computers – anyone who gains physical access to the console has unlimited access to the data. Those users who do choose – or have enforced – a password on their mobile devices typically require only a four-digit number to gain complete access. This can be brute-forced by hand in less than a week, and much more quickly using a number of available tools.
The other approach to protecting data is to encrypt it. For most devices, encrypting data stored on the device is currently only available through third-party applications. This feature is one of the key new benefits of Microsoft’s Windows Mobile 6, but it will not be available as an upgrade for existing devices and will require the purchase of a new supported device to enable it.
In a corporate environment the best defence is a good offence. Most mobile devices that are in constant communication with corporate messaging services have a remote wipe capability. If a mobile device is lost, the user can alert the corporate helpdesk and have the device remote wiped the next time it establishes a connection. Unfortunately, in a Microsoft environment, unless the device is running Windows Mobile 6 a remote wipe will not wipe the storage card, so it is essential that sensitive information only be stored on the internal flash memory.
Unless a mobile device is protected by a strong password, has a remote wipe capability, and encrypts the data stored on external storage cards, there is little chance of maintaining confidentiality against a dedicated attacker.
All of the technical requirements to deliver secure mobile communications exist today, but unless they’ve been implemented correctly, your mobile phone may be the biggest single risk to your company’s information.