The Sleeper Cellular Issue

IT organizations are highly exposed to security breaches through their information workers' mobile devices.

Late last year, an alarmist report predicted a sharp uptick in cellular or smartphone hacking in 2010 (see: http://esj.com/articles/2010/01/05/cellular-security.aspx).

A new report from market watcher Forrester Research adds grist to the alarmist mill, predicting that IT pros will soon have their hands full supporting a smartphone-equipped workforce. The upshot, writes analyst Charles Golvin on his Forrester blog, is that 2010 "will be the year of the smartphone."

Golvin sees the widespread availability of Google Inc.'s Android platform as the smartphone tipping point. Multiple carriers now offer Android; iPhone service provider AT&T is expected to join the Android ranks, too.

What's more, Golvin notes, Forrester's own research indicates that 17 percent of adult U.S. subscribers are already smartphone-equipped. That's up from 11 percent in 2008 and 7 percent in 2007. More to the point, smartphone use among "information workers" (at 14 percent of all subscribers) clearly outpaces smartphone usage among consumers (at 11 percent of all subscribers).

That's just the tip of the iceberg, says Forrester, which predicts that nearly one-third of information workers will be smartphone-equipped by 2013. More generally, Forrester finds, almost half -- 46 percent -- of large shops currently support (in some way) the mobile habits of their end users.

The Forrester study, which was authored by analyst Ted Schadler, largely focuses on the budgeting and IT support issues -- particularly with respect to accommodation and enablement -- associated with a projected surge in smartphone usage. The upshot: IT organizations are sitting on what might be called a "sleeper cellular" security issue.

According to a late-2009 survey from wireless watcher ABI Research, for example, fewer than one in five enterprises -- 18 percent -- has actually implemented mobile security safeguards.

This is in spite of the fact that fully 80 percent of senior business executives say they're aware of the risks posed by hacked, compromised, or intercepted cellular communications. Aware, yes; protected, no: just over half (55 percent) of executives believe their organization has taken the appropriate steps to safeguard its cellular presence. Once they look into the matter, however, they discover that the opposite is true.

"Our research shows most businesses do not apply anything like the same level of robust security to cell phone calls," said ABI vice-president and practice director Stan Schatt, in a statement. "Equally concerning is that a significant number of people who identified themselves as being responsible for cell phone voice call security incorrectly believe the organizations' mobile calls have been protected when they have not. This perception that they are protected when in reality they are not suggests a serious hole in the information security of many businesses."

ABI's concerns are worth heeding. The firm points to at least one ongoing effort -- trumpeted by the Chaos Computer Club, or CCC, a celebrated German cracking group -- to defeat the encryption scheme used to protect GSM (Global System for Mobile communications) traffic. Although not as prevalent in the United States, GSM is the de facto standard for global cellular connectivity; market watchers say it powers about 80 percent of the world's cellular traffic.

Globally, GSM's ubiquity makes it an exceedingly high-value target for crackers. GSM has been cracked before -- as in February 2008, when Pico Computing Inc. (a manufacturer of FPGA chip solutions) announced plans to market hardware capable of cracking A5/1, GSM's voice privacy encryption algorithm -- but things could get much more interesting in 2010.

In August of 2009, for example, the CCC told the German edition of The Financial Times that it planned to release GSM-cracking software at some point in the not-too-distant future. That has companies such as Cellcrypt -- the cellular security vendor that sponsored ABI's survey -- raising all sorts of alarms.

"In light of this summer's news that a GSM cracking codebook will be made widely and freely available very soon, and [that] sub-$1,000 interception equipment [will be] available soon after, this lack of security is particularly worrying," said Cellcrypt CEO Simon Bransfield-Garth, in a release. "Businesses must plan now for the eventuality that their mobile voice calls will come under increasing attack within the next six months."
