Handheld Security Still Unresolved

Yankee Group warns against decentralized wireless handheld adoption

Look out: here come the wireless handhelds -- in all their vulnerability.

Over 50% of large U.S. companies will roll out mobile, wireless devices this year, with such features as 801.11b wireless networking, Bluetooth, and always-on GPRS (General Packet Radio Service), according to.Matthew Kovar, director of security solutions and services for Boston-based analyst firm The Yankee Group. Mobile wireless devices will also help drive the total number of enterprise wireless nodes from 7 million last year to 43 million in 2007.

“This new computing platform will really extend the perimeter of the corporate network and the corporate security area,” said Mark Komisky, CEO of Bluefire Security Technologies Inc. in Baltimore, during a Yankee/Bluefire mobile and wireless devices best practices Webcast last month.

Yet few organizations actually centralize handheld administration. Fewer still use software to help wireless handhelds resist an attack. Anyone who has ever heard about war drivers cruising the Interstates for unsecured wireless access points -- easy back doors into corporate networks -- knows many wireless networks today are not secure, and that includes wireless handhelds. “The big question now is: How do you protect mobile data that is about as private and secure as yelling across the room?” asks Kovar.

One option comes from Bluefire, which makes two products for protecting PDAs running Microsoft’s PocketPC 2002 operating system: Mobile Firewall Plus provides firewall, intrusion detection, integrity management, and other security features to enable the safe use of mobile and wireless applications; Bluefire Enterprise Manager lets handheld administrators implement security policies and update handhelds whenever they synchronize, as well as logging all security logs to a centralized device.

Virus scanners are also essential for resisting such attacks, and various companies make PDA anti-virus software. For the Palm or PocketPC, there’s the free PC-cillin 2003 from Trend Micro or VirusScan from McAfee. For Palm only, there’s InnoculateIT from Computer Associates.

The ability of handhelds to work wirelessly -- newer PocketPC computers can use plug-in 802.11b cards to connect to wireless networks -- will only exacerbate existing security holes. A compromised, wireless handheld, for example, might be used to gain access to a corporate network.

Handhelds are only part of the problem. There’s also the wireless access points themselves. The 802.11b specification does incorporate security features, such as WEP (wired equivalent privacy), which provides 128-bit encryption in the newer versions of 802.11b products. (Older versions only had 40 bits, which is much easier to break.) While 802.11b security doesn’t have unbreakable security, the point is moot for many companies. “Over 40% of companies do not turn on WEP,” says Kovar. Unfortunately, since all 802.11b networks broadcast their presence, logging on to one is as simple as finding an unsecured network. In addition, many administrators don’t adjust the default settings of wireless devices, and many devices ship with identical default settings and passwords. When users of unsecured wireless devices go to trade shows or hotels with access points, they are at risk.

“One question we hear from companies that are looking into buying handhelds is, ‘So you're trying to protect my $300 device, what are you doing to protect my $300 worth of info on this device, and the $3 million worth of info that sits on my corporate network?’” says Komisky. “Folks need to begin thinking about their security policies for these devices now.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.