Taming Smart Phones

If your phone is so smart, why is it an enterprise security risk?

Security experts have been sounding the security alarm on PDA devices for years. Smart phones, which combine mobile phone and latest-generation PDA technology, make more attractive targets. Thanks to Bluetooth, attackers don’t have to steal the device; they only have to get close enough to try to wirelessly steal data.

The distance from which an attacker can reach a Bluetooth device keeps growing. Security researchers at Los Angeles-based Flexilis, for example, recently demonstrated a “Bluetooth rifle”—think of a parabolic microphone, but for wireless networking—able to establish connections with Bluetooth devices over half a mile away.

Despite the security threat, most businesses, at least in the United States, don’t buy, own, or actually control the mobile phones their employees use. Security Strategies spoke with John Pironti, a security consultant at Unisys, about enforcing security policies for smart phones used in the enterprise.

Are smart phones a security risk?

We’re finding the devices are becoming a target of opportunity. … Now that we’re enabling Bluetooth and some other wireless capabilities in these devices … [an attacker] can be up and running and only 30 feet away from you. At a conference, how nondescript is it if you can sit with a Bluetooth-enabled laptop in the corner? No one thinks anything of it. …

We’re essentially moving to these mobile platforms, but we’re moving more sensitive data, too. Especially in European nations, you find that people in a lot of cases use their phones and mobile devices as a primary business tool.

So the notion that it’s just a phone no longer exists. The day I can start storing stuff on it besides phone-type stuff is the day it becomes something an adversary might find interesting. And phones will only be given more functionality; we’ll only provide more capabilities … [so] the question becomes, what controls can we put in place to not make them so risky?

What kind of information is stored on mobile phones today?

[Take] the Treo smart phone and Microsoft Smartphones. … A lot of times people connect them with Outlook—it’s pretty popular—and typically people copy the notes over [from their PC]. And they keep notes for their passwords, because we’ve made passwords too hard to use today. So … the thing people don’t realize a lot of times is that their notes files are being transferred over.

So an attacker could sniff data during synchronization?

Right, or you could even grab it [in a] Bluetooth scenario, from certain badly authenticated devices—a “bluejacking” attack. … Essentially to the phone [Bluetooth] is a transport layer, and … the phone doesn’t know what’s good or bad. People have to enable the authentication layer.

What about camera phones? What’s the perceived threat?

Just the idea of intellectual property issues: taking pictures of the factory floor or the threat of bad PR. … We’re also seeing [in customer service environments] … guys pulling up screens of account information for certain individuals. They’re not allowed to write the stuff down, because they’re checked for paper on their way out … [so] they’re taking pictures with their camera phones. …

How can organizations better secure the mobile phones their employees use?

Even though you can make the argument that there is a new threat and there’s a high-threat scenario for the organization, you’re not going to stop it. A lot of organizations don’t issue phones on their own behalf. They tell individuals to purchase their own phones and expense it back.

Now the organization gets into a quandary: how can I mandate something I don’t have control over? So there becomes this question of threat versus cost … they don’t want to have to manage this and [by not owning the phone], they also lose a lot of legal liability over the use of the phone as well. The downside is the organization needs to decide what usage policy it will set over phones … because the organization can legally only enforce policies for things they own.

Can companies write security policies to cover devices they don’t own?

We do this a lot for laptops and home computers … It [basically] says, know that intellectual property is still important. For example, at Unisys we have a policy that allows employees to use home computers, but we also have policies that govern use of those home computers. One thing we say is we want you to have antivirus on the computer … So what Unisys does is it actually has a license to allow users to put antivirus on their home computers.

So companies need to offer incentives for employees to practice effective security?

Yes, but there’s also a higher cost there, because the antivirus company wasn’t going to just say sure, go ahead. … [And] to have something that was enforceable, and for litigation purposes, we had to say, here’s what you have to do, and here’s how we’re going to help you do it. That’s where a lot of companies miss the boat. They say you have to do this or that, but don’t provide the tools to help employees do that or say what it means to the organization. In the smart-phone scenario, now you’re opening up that same thing—all a mobile phone is is a mobile platform, so you can apply the same scenario.

If you think back to the early '90s when we first started issuing laptops to individuals, there were a lot of laptops going missing. Now the level of awareness needs to be raised [for smart phones] … and we need to provide tools and technologies to help assist them, because I don’t see organizations going to employees and saying, “We’ll issue all smart phones.” And in time, you won’t be able to buy a non-smart phone.

What’s the easiest way to quickly improve mobile-device security?

A lot of what I’ve found is that the easiest thing to do with small devices now is education. Even if you don’t [control] these devices, you can give education on devices. Things like, "Hey, you bought a Treo smart phone. Here’s what we’d like you to do before you connect to the network." So, you can have FAQs for devices … before you connect, please go through a checklist with us. … And you can also have tools that won’t allow you to connect before you go through the checklist. People are usually happy to help.

[Also] people put both their personal and business e-mail in these address books, and they want to ensure their personal information is protected as well.

What about encrypting all information on the device?

Encryption is a really good solution for data at rest, but not data in transit. And when the device is at rest, it’s important to encrypt the data, but the encryption is only as good as the password protecting the device. The key can’t just be built into the system.
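The last answer makes two points that are easy to state and easy to get wrong in practice: the key protecting data at rest must come from something the user knows, not from a constant built into the device, and once it does, the protection is bounded by the strength of that password. The following Python script is an added example written for this page, not code from the article or from any of the products it mentions. It shows a hypothetical built-in key that decrypts without any password, a password-derived key (PBKDF2) that does require one, and a brute-force loop that recovers a 4-digit PIN in seconds. The sample notes, the passwords, the built-in key and the iteration counts are all constructed for the demonstration; the cipher is an HMAC-SHA256 counter-mode construction standing in for AES-CTR so that the script runs on the standard library alone.

```python
"""Data-at-rest encryption on a phone: password-derived key vs. built-in key.

Added example, not from the article. HMAC-SHA256 in counter mode stands in
for AES-CTR so the script needs only the standard library; the notes, the
passwords and BUILT_IN_KEY are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32
SALT_LEN = 16

# Constructed sample of the "notes" people sync over from Outlook.
SAMPLE_NOTES = b"wifi: corp-guest / Spring2005!\nbank pin: 4321\n"

# Hypothetical key baked into every unit of one device model. Whoever extracts
# it once (a firmware dump, a teardown write-up) can decrypt every such phone.
BUILT_IN_KEY = bytes.fromhex("1f" * KEY_LEN)


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the user's password into a key; the salt is stored beside the data."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_LEN)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys so one key never serves both."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; a wrong key raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def lock_notes(password: str, notes: bytes, iterations: int = 200_000) -> bytes:
    """Encrypt under a password-derived key; layout is salt || nonce || ct || tag."""
    salt = os.urandom(SALT_LEN)
    return salt + encrypt(derive_key(password, salt, iterations), notes)


def unlock_notes(password: str, stored: bytes, iterations: int = 200_000) -> bytes:
    """Re-derive the key from the stored salt and the password, then decrypt."""
    salt, blob = stored[:SALT_LEN], stored[SALT_LEN:]
    return decrypt(derive_key(password, salt, iterations), blob)


def brute_force_pin(stored: bytes, digits: int, iterations: int) -> Optional[str]:
    """What a thief does with a lost phone locked by a numeric PIN: try them all.

    The MAC check tells the attacker which guess is right. Returns the PIN,
    which is the point: the password, not the cipher, bounds the protection.
    """
    for n in range(10 ** digits):
        pin = str(n).zfill(digits)
        try:
            unlock_notes(pin, stored, iterations)
            return pin
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Built-in key: no password is involved, so the key is the only secret.
    blob = encrypt(BUILT_IN_KEY, SAMPLE_NOTES)
    print("built-in key decrypts without a password:", decrypt(BUILT_IN_KEY, blob) == SAMPLE_NOTES)
    # Password-derived key: a passphrase holds up, a 4-digit PIN does not.
    weak = lock_notes("0137", SAMPLE_NOTES, iterations=1_000)  # low count keeps the demo fast
    print("recovered PIN:", brute_force_pin(weak, digits=4, iterations=1_000))
```

The iteration count is the only knob the device vendor controls on the brute-force side; raising it slows each guess but cannot rescue a 10,000-candidate PIN space, which is why the PIN, not the algorithm, is what an organization's device checklist needs to address.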

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.