Security in the Mobile Device Era
A few years ago, I wrote an article for this site called Securing your Pocket PC. Mobile security has come a long way since then, and the current Windows Mobile 6.1 operating system, new versions of Windows server products and third party software make it easier than ever to allow your users to enjoy the convenience of modern smart phone computing and connect to the company network via their mobile devices without compromising the LAN. But there still remain many challenges to security in an era when mobile devices are proliferating rapidly. In this article, we focus on how to secure Windows Mobile 6.1 devices and also touch on issues that arise when you incorporate non-Windows mobile products (such as the iPhone) into your Windows network.
Assessing the mobile threat
Smart phones, PDA phones and other handheld mobile devices can make our lives easier, making it possible for us to keep in touch with the office, family and colleagues regardless of where we are. With fast 3G networks and wi-fi capabilities, we can stay connected and check our email, access the Web and more, without having to carry around laptop computers. In fact, today's handhelds are as powerful as the desktop computers of a few years ago. My Samsung i760 Windows Mobile phone is a full fledged Windows computer. It has a 400 MHz processor, 64 MB of RAM and 128 MB of ROM, and 4 GB of storage on a mini SDHC card. Those specs are superior to the $3000 desktop computer I bought in 1995.
With all this computing power literally in the palms of our hands, many of us spend a lot of time, especially when traveling, working from our phones. We can use them to create, edit and store Word documents and spreadsheets, read PDFs and access other company files. But this poses a greater security risk than ever before. Not only may we be exchanging email messages that contain sensitive info, but we may also have confidential documents on the devices, as well as passwords for logging onto the company network or Web sites.
Some of the specific security threats associated with mobile devices include:
- Loss or theft of the mobile device, resulting in exposure of data
- Interception of data that passes over the wi-fi or 3G network
- Capture of data via Bluetooth connections
- Mobile viruses (including email viruses)
As with laptops, mobile devices can present unique security threats, especially when employees are allowed to connect their personally owned equipment to the company network. A July 2008 survey showed that 89% of respondents said they use either personally owned or corporate issued smart phones to access corporate email and other company information, and over half of those surveyed said companies that do not issue smart phones should allow employees to store and access company information using their personal smart phones. (Smartphones opening up enterprise risks)
This can result in a nightmare for the IT department, if you must implement security measures for many different types of hardware and software. If no restrictions are in place, you may find yourself trying to provide secure access to various versions of Windows Mobile, RIM Blackberries, Apple iPhones, Symbian devices, Palm devices and Linux-based devices such as Google's Android phones that are expected to be available in the near future (the HTC Dream is expected to be released this fall).
Mobile security issues and solutions
The first step, then, is to develop reasonable security policies to govern the use of mobile devices on your network. Your organization should have policies that are specific to mobile devices; don't just try to apply generic security policies. It's also important to educate your mobile device users about security issues, including physical security. Some security policies can be enforced technologically, but others are dependent on user compliance.
Mobile usage policies should address:
- Password protection: mobile devices on which company information is stored, or which are used to connect to the company network, should be password protected with strong PINs/passphrases. This prevents a thief from being able to boot into the device and access the information stored on it.
- Storage card protection: many mobile devices support the use of SD, mini SD, or other flash memory cards to add a large amount of storage space, up to several gigabytes. This is a great convenience, but if unprotected, the card can be removed from the device and the information on it accessed in another device or computer with a memory card reader, even if the thief is unable to access the device itself. You should require company information on storage cards should be encrypted.
- File encryption: Data files should be encrypted to further protect their contents. PGP Mobile and Aiko SecuBox are examples of third party data encryption programs for mobile devices.
- Backup: To protect against loss of valuable company data, data files on the mobile device should be backed up to a secure location off the device.
- Software restrictions: policies should address what software will users will be allowed to install on their mobile devices that connect to the company network
- Acceptable use: will you allow mobile devices to connect to the network via VPN? Will you allow users to connect their mobile devices to their company PCs via terminal services/remote desktop? Are users allowed to connect their devices to their company PCs via cradle, USB cable or Bluetooth to synchronize files? All of these issues should be addressed by your mobile usage policies.
Do mobile devices need firewalls and anti-virus/anti-malware software? Microsoft's Steve Riley says "no" to the first and "probably not" to the second. He argues that the purpose of a firewall is to block listening sockets and since Windows Mobile devices have none - the only traffic that can come in is in response to requests sent out - a firewall would be useless. Currently the malware threat to mobile devices is not high, but he concedes that could change in the future. See his talk on Windows Mobile 6 security in-depth. You will need to sign in with a Windows Live account to view the video.
In the same presentation, Steve also argues that strong PINs are dangerous, due to the possibility that users will be distracted by trying to unlock the device while driving. I see that one differently, since you can answer the phone without having to unlock the device and if you are going to initiate a call, you really should pull off the road or use a hands-free system.
Windows Mobile 6.x security mechanisms
If the mobile devices on your network run Windows Mobile 6.x, they can benefit from the security mechanisms built in, which include the following:
- Password protection: Windows Mobile devices give you the option of using a simple 4 digit numerical PIN or an alphanumeric password up to 20 characters in length, which can be comprised of upper and lower case letters, numbers and symbols. The device should be set to lock after a reasonable period of time following power-down (you can set a Windows Mobile device for a password prompt after 0 minutes to 24 hours). You can even configure the local device-wipe feature to do a hard reset and remove all the user data if the wrong PIN or password is entered more than a specified number of times.
- Support for digital certificates: Windows Mobile can use digital certificates to control which applications are allowed to run based on the digital signature.
- Certificate based authentication: For better security, Windows Mobile supports authentication using Transport Layer Security (TLS) with an encryption key up to 2048 bits. Desktop Enrollment is performed by connecting the Windows Mobile device to a PC in the domain where the certificate server resides. The certificate is installed on the mobile device through the PC
- Local data encryption:
- You have even more control over mobile device security if your network runs Exchange Server 2007. Here's how this combination can address the issues raised above:
- Password protection: With Windows Mobile 6, Local Authentication Plug-ins can be used to allow Exchange Server to enforce password policies such as length, strength and history. For example, if you allow 4 digit PINs, you can enable pattern recognition that will prevent users from using simple PINs such as "1234." Or you can prevent the use of PINs and require passwords of a specified length and strength. You can set expiration periods for passwords and you can prohibit reusing previous passwords.
- Digital certificates: Windows Mobile can use digital certificates for network authentication, whereby the Exchange server checks the mobile device's root certificate in order to create an SSL connection so that communications between the server and device are encrypted.
- Remote wipe: You can perform a remote wipe of the Windows Mobile device via Exchange synchronization or Outlook Web Access (OWA). All user data, keys and passwords and configuration settings are overwritten.
- Storage card protection: With Windows Mobile 6, you can encrypt the data on the storage card. When you do so, it can be read only on the device that encrypted it. This can be done via Exchange Server 2007 policies so that it can be controlled by the administrator, not left up to the user. Exchange Server 2007 can also perform a remote wipe of the storage card.
- Propagation of policies: Enterprise policies can be delivered to Windows Mobile devices when they synchronize with the Exchange server. Devices that do not comply with policies will not be allowed to synchronize with Exchange.
Microsoft's System Center Mobile Device Manager can make it much easier to manage a large number of Windows Mobile 6.1 devices. It is integrated to work with Active Directory/Group Policy and can provide secure always-on VPN access from mobile devices. Administrators have control over the devices and can disable Bluetooth, Infrared, WLAN, POP/IMAP email and built-in cameras for better security. You can also enable full file encryption, track inventory data for all devices, and perform immediate remote wipes if a device is lost or stolen (without waiting for the device to sync with the server).
Non-Microsoft mobile devices on a Windows network
Windows Mobile devices are built, from the ground up, to integrate into a Microsoft network infrastructure and work with Exchange, Office Communications Server, SharePoint, etc. in a secure fashion. Inevitably, however, some users will want to connect their own favorite mobile devices such as the Apple iPhone, and soon Google's Android-based phones, to the company network. In companies where employees must buy their own phones (and may or may not be reimbursed by the company), many will go for the "cool" factor of the iPhone or the low cost of phones running an open source OS. There are also Symbian models, Palm Treos running the Palm OS and Blackberries in the mix. Supporting so many different mobile platforms can be a security nightmare.
In August, a major security flaw in the iPhone's password protection was demonstrated by which you could easily access private information in Mail, SMS, and Contacts on a supposedly locked phone. Apple's prohibition on loading third party software that does not come from their app store may reduce the likelihood of malware, but its Web connectivity provides an attack surface for hackers, and the very popularity of the device may make it an attractive target. It is very important to keep the phone software updated. A September firmware update (v2.1) addressed numerous security vulnerabilities, including DNS cache poisoning, TCP spoofing and remote arbitrary code execution.
The Android phones work a little differently and can be deployed so that little or no confidential information is stored on the phone itself; instead, it accesses enterprise applications via the browser. That means browser security will be of utmost importance.
The proliferation of mobile devices in today's corporate environment makes life more convenient for users, and more complex for IT administrators who are trying to protect their networks from the threats that can be introduced when unmanaged user-owned devices connect to it. By establishing and enforcing mobile device usage policies and carefully considering what types of devices will be allowed, and by using the security technologies built into Windows Mobile 6.x devices and the features incorporated in Microsoft Exchange Server 2007 and System Center Mobile Device Manager, you can provide accessibility without compromising security.