As consumers rely more and more on their mobile devices for e-mail and other functions besides voice, it’s increasingly important to address security issues, even if they’re not the Secret Service.
In the hours and days after 9/11, White House staff struggled to stay connected amidst the chaos and confusion. At the time, all staff members were banned from carrying mobile devices because of concerns over device security. But the advantages of keeping the lines of communication open during a crisis were too great and the policy was changed to allow mobile device usage within the United States and a selection of other countries, for everyone except the president.
While most people don’t deal with the same security issues facing White House staff, the situation highlights the role that mobile devices play in today’s world and the need for secure transmission and storage of personal, financial or other sensitive information.
MALWARE & MISSING PHONES
Daniel Hoffman, chief technology officer of sMobile systems, sees the most common device security threats as malware and lost or stolen phones.
Malware is a broad term for any software that contaminates a computer or mobile device, generally causing data loss through destroyed or corrupted files. Once only the domain of personal computers, malware now exists for the operating systems used in today’s smartphones.
A more specific, sometimes financially motivated form of malware is spyware, which is generally less visible than other forms of malware and can be used to take over a device. One spyware application sends numerous premium SMS messages to a pre-registered number. When the spyware is deployed on numerous handsets, the scam can be extremely profitable. Another program can cause the handset’s microphone to transmit the nearby ambient noise, effectively spying on anyone within range of the phone.
Joe Hagin, deputy White House chief of staff during the Bush Administration, was aware of such threats. “If we were discussing highly classified information such as one of the President’s trips to Iraq, I wouldn’t have a smartphone on my hip.”
Most personal computer users are aware of the importance of installing and updating anti-virus software as the first line of defense against malware, but this practice may be overlooked for mobile devices. Jay Seaton, chief marketing officer at Airwide Solutions, sees the growth of mobile e-mail causing an increase in the amount of spam and malware-infused attachments. “People are now more likely to open attachments on their phone, and the small screen size could limit pop-up warnings.”
Network operators also are affected by this problem. “A high volume of spam will degrade an operator’s network and create customer service issues that are expensive to deal with,” Seaton says.
Figures released in McAfee’s Mobile Security Report 2009 show that the reported cases of mobile security issues relating to network or service capacity increased by 53 percent in 2008, more than any other category. Virus and spyware infections, voice or text spam attacks and third-party application or content problems experienced a 50 percent increase for the same period.
So who is responsible for securing mobile devices? The McAfee report shows that manufacturers are taking measures in the areas that concern them the most. Mobile banking and payments are cited as major security concerns for 81 percent of the manufacturers surveyed, with 69 percent of manufacturers highly worried about the installation of applications and data transfers via external memory cards. Of least concern were voice and voicemail attacks.
As a result, encryption, application certification and mandatory access control top the list of security features installed in the factory. Features protecting against theft, loss and malware are listed, but clearly aren’t the top priority.
Hoffman’s company, sMobile, offers anti-virus, anti-spam and firewall software to carriers and consumers, but he sees very few consumers taking mobile security into their own hands. “Some tech-savvy users do look after their own security, but most would look to whoever they bought the phone from.”
In most cases that is the carrier. “Over the next five or six quarters, we expect to see a shift toward carriers offering more of the security features,” he says.
And when something goes wrong, the carrier has the most to lose, Seaton says. “Operators feel compelled to protect their subscribers, because they’re the ones that will get blamed.”
USER AWARENESS
But there is still the need for the end-users to educate themselves about device security. “For example, Bluetooth creates horrific problems, but they can easily be overcome by users being aware of the possible threats and taking care when they use it,” Seaton says.
A number of solutions exist for lost or stolen handsets containing sensitive information, one of which is BlackBerry’s Enterprise Solution. This system allows administrators to back up data from a handset, and then apply a lock or delete all of the information. There are also remote wipe and GPS locate functions available to users with smartphones running the Android OS.
One of the most widely used security features is encryption. Employed by handset makers and 3G networks, encryption makes it extremely difficult to intercept and retrieve data. In fact, BlackBerry maker Research In Motion (RIM) recently acquired Certicom, an encryption firm that uses complex mathematics to address IT security.
So with encryption, remote wipe, anti-virus, anti-spam and application controls readily available to users, carriers and manufacturers, why all the fuss over President Barack Obama’s BlackBerry? According to Hagin, the issue is not device security but the legal and political ramifications resulting from the Presidential Records Act, which allows all of the president’s correspondence to be subpoenaed by Congress and courts. In Hagin’s words: “Can you secure a device to protect against the leak of sensitive information relating to the president? The answer is yes.”