In 2008, I published an article on this site about the threats that mobile phones can pose to business networks and the steps you could take to secure Windows Mobile 6.1 phones. The smartphone market has boomed since then, and companies are faced with a plethora of employee-owned handheld devices that may have access to company resources. Along with new iterations of Windows Mobile and the iPhone, we now have Android-based phones, as well as those that run Symbian, Palm and Nokia’s new Maemo operating systems. With these new and improved models come new security issues.
The good news is that, as we enter a new and probably even more mobile decade, the industry seems to finally be getting smart about smartphone security. A recent survey from Goode Intelligence indicated that more than half of respondent organizations planned to deploy mobile anti-virus products in 2010. But anti-virus is not enough; if you have smartphones on your network, you need a comprehensive strategy for ensuring that they are as secure as the full-fledged computers that access your servers.
In this article, we will look at what is new in mobile device security threats and solutions, including our “wish list” for Windows Mobile 7 from a security point of view.
The Growing Market
A few years ago, the smart phone market was limited; most owners were executives with Blackberries or techies with Windows Mobile phones. Often these were paid for by the company; most individual cell phone users did not want to shell out hundreds of dollars for a phone. The introduction of the iPhone in 2007 changed all that. Its incredible popularity brought the smart phone concept into the mainstream and motivated competitors to develop new, better and smarter phones and to market them more widely. Prices have fallen, too.
Now you’ll find that in the typical company, a significant number of employees will have their own smart mobile devices. The debut of new Android-based phones like Motorola’s Droid, Google’s Nexus One and the latest WinMo phones such as Samsung’s Omnia II and HTC’s HD2 provide plenty of choices for those who want to carry around a smart computer in their pockets. And make no mistake: that’s exactly what these devices are. With the latest Snapdragon 1 GHz processor, plenty of internal memory (the HD2, for example, has 448 MB of RAM and 512 MB of ROM), and many gigabytes of storage space (most of the newest phones support 16 or 32 GB micro SD cards), there’s a lot of computing power in those small packages.
Although the global recession put a damper on smart phone market growth and analysts disagree on the rate of recovery, most predict a return to growth in 2010 and chip maker ARM (whose chips power a large majority of mobile phones) estimates 20-30 percent growth for the market in the coming year.
The Growing Threat
It is inevitable, then, that there will be more smart phones in the workplace, both company-owned and employee-owned, and workers will want to use those phones to connect to the company network to get their email and use other resources. However, many workers who routinely take security precautions with their desktop and laptop computers do not realize that they need to do the same with their phones. This poses a potential threat to the networks to which they connect. Some of the threats include:
- Viruses and malware transferred from the phones to the network
- Lost or stolen phones that contain credentials for connecting to the network
- Lost or stolen phones that contain confidential company data in the form of email messages, documents, photographs, etc.
- Malware that allows outsiders to eavesdrop on voice calls
- Close-proximity attacks that exploit Bluetooth and wi-fi
- Cross-service attacks that exploit the interaction between different networks, such as a wi-fi network and a 3G network
Because hackers have been slow to target phones, some smart phone users and network administrators may not think the threat is real. But last summer at BlackHat 2009, a pair of security experts demonstrated a security flaw in the iPhone (which could also affect Windows Mobile and Android phones) by which a hacker could gain access to some of the phone’s apps through a text messaging exploit.
Then the ikee worm and the iPhone/Privacy.A attacks on “jailbroken” iPhones hit the news.
And in November 2009, another iPhone virus, called Duh or ikee.B, emerged. This one turns the phones into zombies on a botnet.
In the past, many smart phone owners used their phones mostly for voice calls and email access. Web browsing on a phone was often a frustrating experience. Today’s phones handle web pages much better, and consequently more people are using their phones to browse the web. Unfortunately, that opens up a whole new attack vector by which the bad guys can deliver Trojans, viruses and spyware or conduct phishing attacks through fake web sites, etc. A Trend Micro security survey indicated that only 23 percent of smart phone users are using security software on their phones.
In October 2009, a developer in Indonesia made public a mobile phone program for the Blackberry that can be downloaded to the phone without the user’s knowledge to turn on the microphone and allow someone to remotely overhear conversations taking place close by. A similar program is available for the iPhone. Although these are generally installed by someone who has physical access to the phone, it would be possible to deliver such malware through a browser or email to an Internet-connected phone.
In the light of these and other developments, companies are waking up to the realization that it’s time to start taking smart phone security seriously. According to a recent U.K. based security report, more than half of the organizations surveyed are planning to deploy smart phone anti-virus solutions in 2010, and 40 percent are planning to employ mobile security specialists on staff in the next two years.
Anti-malware is a good start, but like any security strategy, a successful smart phone security plan will be multi-faceted. Let’s look at some of the minimal steps that companies should take to protect their business resources from mobile threats.
Solutions and Mitigations
The simplest solution might be to prohibit smart phones from accessing the company network, but in many, if not most, situations that’s not practical or desirable. Management expects employees to respond to email when they’re away from the office, and employees expect to be able to check mail, read a document, or even connect to their company desktops from their phones. Banning smart phones from the network would cut productivity and reduce employee satisfaction.
Thus it’s important to manage the smart phones that connect to your network and to develop policies designed to protect both the network itself and company data. Luckily, today’s smart phones support far more security mechanisms than those of a few years ago, making it easier to support such policies. Here are some suggestions:
- Require smart phones that access your network to run anti-malware software; packages are available from a variety of vendors.
- Require that all smart phones that access your network be protected by password and/or biometrics. ABI Research predicts that in the next five years, there will be a big increase in the number of smart phones that incorporate advanced security such as fingerprint sensors.
- In addition to requiring authentication to log onto the phone, a password should be required to access any business applications or corporate email accounts. Credentials should not be saved. This may slightly inconvenience users but will add a layer of security if a thief is able to get into the phone’s operating system. There is third-party password management software available for Windows Mobile phones and iPhones to make it easier to secure passwords.
- Require SSL or other secure connection to access company resources.
- Use virtualization technologies to allow users to view corporate data on the phone without downloading it to the phone. That way, the data stays on the server and the phone is used only as a terminal to display it.
- If data is sent to the phone, require that it be encrypted.
- Require that all smart phones that access your network support “remote wipe,” so that if a phone is lost or stolen, the data can be erased when it’s turned on.
- Set policies requiring users to turn Bluetooth and wi-fi radios off when not in use to prevent attackers from exploiting those avenues for gaining access to the phone.
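Most of the items above can be enforced centrally rather than left to each user, because the phone is not granted mail access until it accepts the policy. The following is an added example, not taken from the article, of doing that with Exchange 2010 ActiveSync mailbox policies from the Exchange Management Shell; it assumes the phones synchronize mail against Exchange via ActiveSync, and the policy name, mailbox filter and notification address are placeholders. The SSL requirement is set on the Client Access server’s IIS virtual directory rather than in the mailbox policy and is not shown here.

```powershell
# Added example (not from the article). Assumes Exchange 2010 with ActiveSync and
# that the Exchange Management Shell is loaded. Names below are placeholders.

# 1. Inspect the policy devices receive by default. Out of the box it typically
#    requires no device password, no encryption, and admits devices that cannot
#    enforce any policy at all ("non-provisionable").
Get-ActiveSyncMailboxPolicy -Identity "Default" |
    Format-List DevicePasswordEnabled, RequireDeviceEncryption,
                AllowNonProvisionableDevices, AllowBluetooth, AllowWiFi

# 2. A hardened baseline that maps onto the checklist:
#    - PIN/password required, alphanumeric, no simple patterns, auto-lock after
#      5 minutes, wipe after 8 failed attempts, 90-day rotation
#    - device and storage-card encryption required
#    - devices that cannot honour the policy are refused access
#    - Bluetooth limited to hands-free, wi-fi disabled by policy
New-ActiveSyncMailboxPolicy -Name "Corp-Smartphone-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AllowBluetooth HandsfreeOnly `
    -AllowWiFi $false `
    -PasswordRecoveryEnabled $true

# 3. Apply the baseline to every mailbox that is permitted to use ActiveSync.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Set-CASMailbox -ActiveSyncMailboxPolicy "Corp-Smartphone-Baseline"

# 4. Report device partnerships that have not fully applied the policy, so the
#    helpdesk can chase them before they are allowed to keep syncing.
function Get-NonCompliantDevices {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncEnabled } |
        ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
        Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
        Select-Object Identity, DeviceType, DeviceModel, LastSuccessSync,
                      DevicePolicyApplied, DevicePolicyApplicationStatus
}

# 5. Remote wipe for a lost or stolen phone. The wipe is queued on the server
#    and executes the next time the device connects; the mailbox owner and the
#    notification address receive confirmation.
function Invoke-LostPhoneWipe {
    param(
        [Parameter(Mandatory=$true)] [string] $Mailbox,   # e.g. "jdoe" (placeholder)
        [Parameter(Mandatory=$true)] [string] $DeviceId,  # DeviceID shown by Get-ActiveSyncDeviceStatistics
        [string] $NotifyAddress = "security-team@example.com"  # placeholder
    )
    $device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
              Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $device) {
        throw "No ActiveSync partnership for device $DeviceId on mailbox $Mailbox"
    }
    Clear-ActiveSyncDevice -Identity $device.Identity `
        -NotificationEmailAddresses $NotifyAddress -Confirm:$false
}

# Usage (placeholders):
#   Get-NonCompliantDevices | Format-Table -AutoSize
#   Invoke-LostPhoneWipe -Mailbox "jdoe" -DeviceId "ABC123DEF456"
```

Two caveats a practitioner should keep in mind: `AllowNonProvisionableDevices $false` is what gives the policy teeth, since without it a phone that ignores provisioning still gets mail; and the Bluetooth and wi-fi settings are all-or-nothing per policy, so the article’s “off when not in use” rule still has to be backed by user guidance on handsets where the policy is not applied or where hands-free is needed.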
The smart phone arena is one that grows and changes every year. IT administrators can expect to see more and more of these small but powerful computers on their networks in the future. In fact, some security experts predict that eventually phones will be used as a means of authenticating users on the network – that is, your phone will take the place of a smart card or token since it’s something you carry with you all the time and it has a unique identifier. If smart phones are to be given that level of trust, it will become even more important to ensure that they are secure.
Meanwhile, the time to take precautions is before a massive attack on smart phones occurs. It’s the companies that take a proactive approach to smart phone security that will come out unscathed in the event of such an attack, and most security experts believe it’s a matter of when, not if.