
December 18, 2007

by Deb Radcliff

 

Part 1 | Part 2 | Part 3

 

Tighten Control of the Handset

In the first part of this three-part article, author Deb Radcliff outlined the rise of smart-phone risk, and why that risk has been less serious in the U.S. (so far). In part 2, you'll see how U.S. businesses are beginning to respond to this new threat to the enterprise, and how much still depends upon the user.

 

"A lot of carriers have the general idea that they're secure, given the threats out there. That may be true today. But moving forward, as you see more applications and features on cellular phones, business and personal data will be increasingly at risk," says Sandra Palumbo, senior analyst with the Yankee Group. "So, encryption is definitely a big area we need to address on feature-rich phones, especially as more and more people put personal and business-competitive data on their devices."

 

Businesses are handling encryption, authentication, and other important information protections in a piecemeal fashion with limited products that don't interoperate, she says. That is why a trusted hardware platform is sorely needed, says Janne Uusilehto, Chief Security Officer at Nokia and chairman of the Trusted Computing Group's Mobile Phone Working Group. "We need a more reliable platform that is hard, or impossible, to crack by malicious software. But how do you realize security in a hardware device?"

 

As such, Uusilehto, together with industry heavyweights including Intel, Philips, Motorola, IBM, France Telecom, Vodafone and others, is putting the finishing touches on a Mobile Platform Module based on the Trusted Computing Group's successful Trusted Computing Module for PCs, to be completed by mid-year.

 

The Mobile Platform Module sets standards that would enable network carriers to accurately identify and authenticate devices connecting into them, which is a big problem for carrier networks dealing with cloned phones today, he continues. It also enables applications like Public Key Encryption through secure key storage, digital signatures, and integrity checks of devices and applications.

 

"The trusted module provides a secure place to store secrets (keys) in a place they can't be compromised," says Lark Allen, VP of Wave Systems. "It also measures things, like a software module on your device, and compares that against a hash stored in its secure registers to see if it's been changed. It can also measure the configuration of the phone: Has it been altered? Is there malicious code? Are there unauthorized installs?"

 

With the mobile standards, he continues, carrier network operators and enterprise risk managers can exercise better controls over their valuable mobile devices. For example, they can package only approved applications with the phones, check the integrity of the telephone applications, and encrypt data that needs encrypting.

 

Wave Systems, which makes document encryption and secure storage products based on the Trusted Platform, demonstrated at RSA in February with Juniper and Nortel a proof-of-concept integrity check application on the Trusted Computing Platform that could do just that. With it, they measured patch level, status of anti-virus, and other security policy compliance points on a PC. Such an application can quickly convert to smart phone management once the mobile platform module is completed and security vendors start building against those standards, he adds.
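The integrity check Allen describes (hash a software module, compare it against a value held in a secure register) and the compliance measurement Wave demonstrated, as an added Python illustration; this is example code, not the TCG specification or Wave Systems' product, and the "firmware" modules and register are constructed in-process.

```python
"""Measurement register in the style of a TPM platform configuration
register (PCR): each module's hash is folded into the register in load
order, and the result is compared against a stored reference. Illustration
only; not the Mobile Platform Module API. All inputs are constructed."""
import hashlib
from typing import Dict, List, Tuple

REGISTER_INIT = b"\x00" * 32  # PCRs start zeroed at reset
Modules = List[Tuple[str, bytes]]


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: new = H(old || H(module)). One-way and
    order-sensitive, so a tampered or reordered module cannot be undone."""
    return digest(register + measurement)


def measure_modules(modules: Modules) -> Tuple[bytes, Dict[str, bytes]]:
    """Measure each (name, contents) module into the register; keep a log."""
    register = REGISTER_INIT
    log: Dict[str, bytes] = {}
    for name, contents in modules:
        m = digest(contents)
        log[name] = m
        register = extend(register, m)
    return register, log


def verify(modules: Modules, ref_register: bytes,
           ref_log: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Compare the computed register with the stored reference; on mismatch,
    use the per-module log to name which modules changed or went missing."""
    register, log = measure_modules(modules)
    if register == ref_register:
        return True, []
    changed = [n for n, m in log.items() if ref_log.get(n) != m]
    changed += [n for n in ref_log if n not in log]
    return False, changed


# Constructed sample "firmware"; real modules would be binaries on the phone.
GOLDEN = [("bootloader", b"boot v1.0"), ("os", b"symbian 9.2"), ("dialer", b"dialer 3.1")]
GOLDEN_REGISTER, GOLDEN_LOG = measure_modules(GOLDEN)

if __name__ == "__main__":
    tampered = [GOLDEN[0], ("os", b"symbian 9.2 + dropper"), GOLDEN[2]]
    print(verify(GOLDEN, GOLDEN_REGISTER, GOLDEN_LOG))    # (True, [])
    print(verify(tampered, GOLDEN_REGISTER, GOLDEN_LOG))  # (False, ['os'])
```

In a real device the reference values would live in the module's protected storage and the comparison would gate network access or application launch; here the gate is just the returned boolean.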

 

"With a standard building block like the Trusted Mobile Platform Module, you can now put it into lots of platforms with a common security infrastructure to support all kinds of smart, feature-rich devices," Allen says. "In a mobile environment, this is important because every network operator has phones from a variety of different vendors that it needs to support."

 

In addition, as more robust handset applications are developed on the trusted mobile platform, companies such as F-Secure, Kaspersky, McAfee, Symantec, and others building anti-malware for smart devices will have more options for integrating their technologies into remotely managed security platforms, which they're already deploying on PCs.

 

"That's the trick with mobile security. You want it to be easy for the end user or they'll ignore it. Users don't want to enter passwords to make calls. They don't want to manage their own encryption. And they don't want to deal with keeping their anti-virus signatures up to date," says Palumbo of the Yankee Group. "So a lot of this will have to be done by a gatekeeper."

Educate Users

Even if security is made easy, there will always be the problem of human error. Already, users are demonstrating the same gullibility they have shown toward PC-based social engineering attempts at getting them to click or load something and to turn over information that they shouldn't. What's to say mobile phone users will be any different, asks Longstaff.

 

"We're seeing cases all over the place using Bluetooth (Cabir, Lasco, others) and Multi-Media Messaging Service (Commwarrior) to spread," he says. "That involves some level of social engineering to get people to accept them."

 

So the best defense is to set some type of responsible use policy -- one that can be enforced manually until we see further automation -- to educate users about safe cell phone usage in a way that they can understand, say experts.

 

"Just as in the PC world, we need to teach users not to accept applications and downloads that they didn't ask for. Same with links. And they should not give out personal information," says Nick Ianelli, Internet security analyst on mobile malware for US-CERT (Computer Emergency Response Team), based at Carnegie Mellon. "We need to show our users that their phones and the data on them are valuable. Get them familiar with its features."

 

The theory goes that someone could let loose a Bluetooth virus in a crowded stadium and it would spread itself throughout the crowd, adds Marcus Sachs, who directs the Cyber R&D Lab for the Department of Homeland Security. The reality is, you still have to get them to accept the download, he adds. And, even with the best of education, users will always have questions about Caller ID, the authenticity of phone calls, and the integrity of data being moved around, he contends.

 

"If it comes from someone they know and trust, they'll allow it (a download). If they're swept up in an event at a crowded stadium and their phones keep ringing up asking them to accept something, they'll download it. In fact, this has already happened. Someone let loose a Bluetooth worm that spread through the crowd at the World Cup," Sachs adds, referring to the Cabir worm, which spread through the World Athletics Championships at the Olympic Stadium in Helsinki, Finland in August, 2005.

 

Not to mention that it's only a matter of time before mobile malware stops playing nice by asking for permission to load, contends Nokia's Uusilehto. Soon, he says, criminals will try to spread their wares without the user's knowledge by using hiding and self-changing techniques to evade even automated detection. (Already, we saw Skulls.K attempt this last May by trying to disable security on the devices.)

 

The reason for all this trouble coming at our cellular phone users is that phones are essentially becoming PCs, say Sachs and others. This makes policy, education, and multi-layered protections just as vital to data and device protection as they are on networked PCs.

 

"The problem's not new: How do you handle all the consumer gadgets inside the enterprise?" he says. "You see this convergence of phone, e-mail, and entertainment, and soon, Voice over IP that communications providers are jockeying to bundle over a variety of devices. The smart enterprise would get ahead of this technology, embrace it, and actually lead the charge to drive that technology securely into the enterprise."

 

--

 

Deb Radcliff is an award-winning freelance writer, educator and speaker based in Northern California. She's been covering online crime and security ever since working as a researcher on a book about the infamous hacker Kevin Mitnick back in 1995.


by Deb Radcliff

 

Part 1 | Part 2 | Part 3

 

Smart devices have become the latest attack vector for online criminals, putting intellectual property, regulated and personal financial information stored on them at risk. In this first of a three-part article, author Deb Radcliff explores these new attack vectors into the enterprise.

 

Dozens of viruses, worms, and Trojans have been written against smart phones and pocket PCs since 2004. And even though most of these are proof-of-concept and nuisance malware, experts are warning of more serious crimes to come.

 

More criminal elements are already stealing identities and other personal and private information of value in countries where Symbian-based mobile phones are being used as money, in business collaboration, and in other valuable e-commerce applications, says Danny de Temmerman, head of cybercrime and security for the European Commission's Directorate General for Justice, Freedom, and Security. While speaking on a cybercrime panel at the RSA Security Conference in February, he also said that crimes over cellular phones have now become a top law enforcement priority in Europe.

 

"We're seeing fraud, phishing, spam, spyware, and adware all over these smart phones in countries where phones hold information that could be monetized," adds Vincent Weafer, director of operations at Symantec's Security Response Center, which sifts millions of spam messages per day through its global content scanning systems. "And in India, they're real concerned about pedophiles getting to their kids through their smart devices."

 

Even in the U.S., today's smart phone malware poses more than just a nuisance: there are real costs to enterprises that issue smart, feature-rich devices targeted by malware. For example, phone bills skyrocket when Mosquitos malware enters company-issued smart devices through games and starts messaging expensive toll numbers. Other malware, such as the RedBrowser Trojan, repeatedly rings up $5 - $6 SMS calls. And Commwarrior blasts millions of MMS text-based spam messages, also racking up huge telecommunications bills.

 

Indirect costs also abound. Consider the lost revenues when productive road warriors lose their customer data and contact lists because a worm turned their phones into useless "bricks". Such worms can already block rebooting (Fontal.A), crash the operating system (Locknut), and disable the operating system and other critical applications altogether (Skulls). There's also the cost of cleaning up the network when an infected smart phone syncs to a PC or connects to the network through the VPN.

 

Fortunately, there's also more security around U.S.-based smart phones, particularly in closed carrier networks where phones are issued and maintained by the network operators. But there's much room for improvement, particularly in developing standards around device authentication, application integrity, and data protection on the handset. And, as with PCs, users -- including the enterprise customers -- must do their part to avoid malware, spam, and fraudsters in the first place.

A Safer Gateway

Ask Verizon Wireless, and you'll get an earful about how the risks are blown out of proportion by vendors wanting to sell security on the handset. It's all in the network, says Jeffrey Nelson, Verizon Wireless Spokesman, echoing Verizon's marketing message.

 

His biggest beef with such dire portrayals of crimes to come to the U.S., he says, is that U.S. carrier networks have far more control over their phones than carriers do overseas, because most U.S. phones are sold through closed-carrier networks, meaning carriers sell the phone and the service bundled together. This way, network operators can control the phones and the applications allowed on them.

 

"There's a huge difference in risk between the U.S. and Europe and Asia," Nelson adds. "In the United States, people buy wireless service from a company, while in Europe and Asia, you buy a phone you like, and then get service for it, then buy a carrier service. Then you slip in a SIM card, and walk into this dangerous, unprotected world."

 

With more control, carriers can lock down vulnerable applications like Bluetooth and manage downloads somewhat by, at the very least, working off a whitelist of approved vendors, and denying the rest.

 

In addition, any carrier network worth its salt is already filtering out malicious code and unwanted spam entering through their messaging and e-mail gateways, he continues. They should also be filtering content from loading directly off the Internet. For example, Nortel Networks is using Websense to block damaging and unwanted content from getting onto browsers from malicious Web sites.

 

There are other reasons we've not seen as much malicious activity in the U.S. as we have overseas, say experts. For starters, the U.S. has been slow to standardize on a single operating system, whereas Europe, Asia, and other heavy-use regions have standardized on Symbian. So, by default, Symbian has become the operating system to attack, says Thomas Longstaff, deputy director of technology, Network Systems Survivability for Carnegie Mellon's Software Engineering Institute.

 

Another reason is slower adoption of smart-OS- and browser-enabled phones in the U.S., which currently make up 12 percent of North America's cellular phone user base, according to the Yankee Group. But, by 2009, that number will rise to 46 percent. And 87 percent of all U.S. cellular phones in circulation are already feature rich, according to Yankee. Where there are new features, there are also new vulnerabilities.

 
