[ISN] How secure is your handheld?

InfoSec News isn at c4i.org
Mon Apr 19 05:07:14 EDT 2004


http://www.computerworld.com/securitytopics/security/story/0,10801,92338,00.html

by Joel Strauch
APRIL 16, 2004 
PC WORLD

The No. 1 threat to the sensitive data stored on your handheld device
or smart phone remains physically losing the device, but other threats
are looming on the handheld horizon.

"When you send a defective PDA to the manufacturer for tech support,
they usually give you a new one and then resell the old one," said
John Girard, vice president and research director at Gartner Inc.  
"Buying dead machines is an ideal method of pursuing identity theft."

What's more, 90% of mobile devices lack the protection necessary to
ward off hackers, according to a recent strategic planning assumption
conducted by Stamford, Conn.-based Gartner.

"Most devices have IrDA, Bluetooth and wireless connections, and many
of them aren't set up properly. You can just walk around with a
connected device of your own and see what you can find," Girard said.

Even if there are security settings activated by default on a device,
users will often turn them off if they find them unintuitive to use,
he said. "Security needs to be as transparent as possible to users,"  
Girard said.


Malicious Code

While security researchers have developed "proof of concept" viruses
for handheld devices and smart phones, nothing has been seen yet "in
the wild," said David Perry, global director of education at antivirus
developer Trend Micro Inc. in Cupertino, Calif. "E-mail is easier.  
It's universal, and PDAs aren't."

Since handheld device users can still choose from several operating
systems, they face a lower risk that a widespread virus will hit
mobile devices.

"As long as it's really easy to do Windows and e-mail, why should
people bend themselves out of shape to hit something else?" Perry
asked.

But the possibility of always-on wireless connectivity of smart phones
and handhelds opens the door to malicious code.

"There was a screen saver being passed around in Europe that would put
your phone into a loop and lock it up," Girard said. "And worms on a
Web site that you visit with your PDA could switch on Bluetooth. But
we don't see viruses or malicious code being a significant threat for
mobile devices until the end of 2005."


Protect Your PDA

That doesn't mean you should consider the information on your mobile
device completely safe. There are still ways to lose it -- and ways to
protect yourself from data loss.

"You shouldn't keep things on a PDA that you can't afford to lose. And
be vigilant -- don't let it get lost or stolen," Girard said.

Also, use the "power-on" password settings in your device, he added.  
That way, a thief can't even activate your handheld device without
your password. "And don't store important stuff on peripheral storage,
where the power-on password might not protect it," he added.

Third-party applications from vendors such as BlueFire Security
Technologies, Asynchrony Solutions and others afford additional
protections. "BlueFire has a PDA firewall, and you might ask whether
you'd need a PDA firewall," Girard said. "But it shuts down Bluetooth,
which closes a port where hackers could get in."

Data encryption products from some of the same players are also a
consideration, so even if the device does fall into the wrong hands,
the data will be much harder to extract.

Handheld devices are still much safer than desktops or laptops from
virus and hacker attacks, but that won't always be the case.

"What you'll find on a PDA today is what you'd find on a laptop five
years ago. What you'll find on a PDA five years from now is what
you'll find on a laptop today," Girard said. That power and operating
system ubiquity will bring a greater potential for harmful intrusions.

 


