Anyone that’s ever had the less-than-pleasant experience of being cooped up in a cab with a taxi driver intent on educating you about the state of the world will surely tell you that when it comes to useful insights and analysis, cab drivers are not the best place to turn.
But, cabbies may just have something to offer when considering the security of mobile devices, after a survey conducted in 2005 by mobile security vendor Pointsec unearthed some startling data about the number of phones, PDAs and laptops left in the back of taxis around the world.
London leads the world in lost devices, with more than 60,000 mobile phones alone left in the back of black cabs. Sydney, the only Australian city surveyed, fared slightly better with a six-month total of over 13,000 phones accidentally abandoned in back seats, plus 1725 Pocket PCs and 977 laptops.
The most obvious consequence of these losses is inconvenience. It’s no fun going without a mobile for a few days or paying up for a new handset.
It’s a fair bet that many of the phones and other machines the study identified did not slip out of the pockets of late-night revellers on their way home, but instead exited the pockets of business people whose devices can often contain important information.
Corporate laptops and PDAs, for example, will often contain documents that are not intended for release to the wider public. Many portable computers will also contain settings for connection to a business’ private networks, making a lost laptop a tool capable of compromising data well beyond the C drive. A laptop can even contain a database.
When machines bearing this kind of data disappear, its spells trouble. Losing data that describes your customers represents a major privacy breach that can have legislative as well as reputation implications. Providing a way for potential attackers to reach even more of that kind of data has the potential for many negative consequences.
But the threat does not end with laptops. BlackBerries will more often than not allow reading and creation of emails without the need for a password, a daunting prospect given that most also include an extensive address book of clients and colleagues. And even humble mobile phones can at the very least generate a nasty bill if they fall into the hands of someone who decides that a stray handset represents an opportunity for a few hours worth of overseas calls to relatives.
If the devices end up in the back of a cab how do you make sure your business is not compromised ?
Start by insisting on password protection for every mobile device in your fleet, as this will at least ensure that when they fall into the hands of the curious they are largely inert and do not invite immediate exploration and exploitation.
Going beyond passwords to stronger authentication methods such as fingerprint readers is another options, especially now that biometrics are built into many portable PCs. Encrypting hard drives is another option, as this reduces the likelihood that a lost device will yield useful data to even a determined adversary.
Both of these security techniques are also worth considering given the wide availability of software that cracks a laptop’s startup routine and determines the system’s passwords.
Viruses are another risk to mobile devices that must be taken seriously.
It can be easy to be cynical about mobile viruses, given the disingenuous nature of some marketing in this area: the late 1990s saw anti-virus tools released for the Palm OS before a single virus had been detected!
Today, mobile viruses are very real and offer new attack vectors, one of which is mobile network providers. Research conducted in late 2006 for security vendor McAfee revealed that more than 83% of carriers have detected and repelled attacks that hoped to reach mobile devices connected to their networks. Some of the attacks involved spyware, others disabled some handset functions and resulted in customer complaints.
Other known mobile viruses infect a mobile device and cause it to silently send SMS to a service that charges premium rates. The perpetrators of the virus derive revenue from each SMS that is sent and therefore stand to clean up if the virus generates heavy traffic to their service.
Terrifyingly, this virus illustrates that malware writers have already figured out how to cross the barrier between mobile devices’ different functions. This virus could easily have used email as an infection vector but then perpetrated its SMS attack without ever denigrating the machine’s performance in ways detectable to the end-user.
Mobile viruses of this power are now sufficiently prevalent that Symantec released commercial software for devices powered by Windows Mobile in December 2006, partly in recognition that virus writers have learned how to use applications in common to mobile and deskbound platforms – especially email – to launch attacks from one platform to another.
The fact that mobile phones increasingly rely on a small pool of operating systems is another reason that mobile viruses are increasingly prevalent, as greater predictability in the platform makes it more sensible for malware authors to put time and effort into their “products.”
Another reason it is worth writing mobile malware is that mobile devices are temptingly vulnerable targets. Many mobile devices now offer mobile telephony, Bluetooth and WiFi connections in a single machine. That presence of three potential network attack vectors creates a need for defence that can work against threats to all three. Yet the resource-constrained environment of mobile devices is not one in which computer engineers have vast experience.
Fewer still have already created security tools that can defend these machines without denigrating the user experience and rendering them marginally useable, a factor that slows adoption.
Nor has there been a major mobile security incident to educate users about the potential perils. Most workers have experienced corporate virus outbreaks. Few have yet encountered a mobile threat.
This makes mobile security a challenge because user populations must still be educated. But the nature of the threats makes that education complex.
Bluetooth, for example, is a novelty to most users who may therefore lack the experience and skills to detect a potentially malign invitation to connect.
WiFi is another particular concern. Touted as a cheap and convenient connectivity option, WiFi has famously spotty security that generally relies on end-user intervention to achieve its safest state. When WiFi operates securely, its radio transmissions are effectively indecipherable. Without security, WiFi traffic can easily be intercepted and understood.
Yet with Wifi operators proliferating and generally offering subtly services, it is unreasonable to expect that end-users will develop with sufficient intimacy to ensure optimal security every time they connect.
Need for policy
Policy is therefore an important item in the mobile security armoury, as prohibiting and/or disabling access to such networks can be the most effective way of ensuring they do not pose a security threat.
Furthermore, many organisations report that mobile devices first arrive in their organisations thanks to individual staff buying the devices for personal use and then installing them without notifying the IT department. Policy can put a halt to this intrusion long before PC lockdowns make connecting a device impractical.
Of course policy alone cannot hope to secure mobile devices any more than it can hope to secure any other machines. With mobile attacks on the rise tools will be needed, and a market for those tools is already emerging and Juniper Research estimates that the market for those tools is set to accelerate markedly.
“Initially driven by the data hungry mobile business user who has seen the benefits of data services such as email, predominantly on their Blackberry devices, we will see mobile security products go mainstream by late 2008/early 2009,” says the company’s Alan Goode, author of a study entitled Mobile Data Security: Access, Content, Identity & Threat Management, 2006-2011. “This will result in a doubling of revenues from 2008 to 2010," with the market for mobile security tools reaching $US5 billion by 2011.”
The report notes that $US5 billion will exceed sales of PC-based security tools and that biometrics will become a big part of mobile security by 2011.
That could mean that come 2011 you won’t have enough money in your pocket to catch a cab. It could also mean that when you do, having a phone or PDA fall from your pocket is not as catastrophic as it can be today.
Whatever the outcome, however, one thing seems clear: mobile devices are only going to get more dangerous. Consider yourself warned.
Mobile security: Tips and tricks to protect business from threats
By Simon Sharwood on Mar 12, 2007 11:41AM