In-Depth

Mobile Devices: Ready To Explode?

Mobile personal devices are very convenient, but often quite dangerous.

Nothing in business ever comes for free, particularly productivity gains. Consider the recent influx of more powerful Windows-based smartphones and personal digital assistants (PDAs). Using these compact devices, employees can effortlessly access and download sensitive corporate data between sips of their morning coffee, which is certainly a welcome convenience.

Once their work is done, though, these employees are effectively walking around with ticking time bombs in their pockets waiting to explode. Many industry observers predict that these bombs will cause major explosions in the coming months.

"There's no doubt that a large company will encounter a major security breach because of employees' use of cell phones," says Jack Gold, president of Northborough, Mass.-based market research firm Jack Gold & Associates. "The only questions remaining are when will it happen and how much damage will it do?"

Robert Enger, Vice President of Product Management and Global Marketing, Check Point Software Technologies Ltd.

To illustrate the potential vulnerabilities, look at the case of Nicolas Jacobsen, a 22-year-old hacker who was able to use cellular network password security loopholes to access about 400 T-Mobile customer accounts. Hacking through mobile devices, criminals may be able to not only access individual cell phone account information, but also sensitive information like customer account numbers and payroll data. Such information is increasingly being stored on portable devices.

To Support and To Protect
Handheld devices present IT departments with a unique set of support challenges. "Users view handhelds as personal devices and treat them that way rather than as important corporate assets," says Ken Dulaney, vice president at Gartner Inc. Consequently, he adds, new security holes are emerging and IT departments need to fill them immediately or they run the risk of encountering catastrophic problems.

The rapidly growing processing power and storage capacity of these devices are making employees significantly more productive when away from their desks, so they're gaining a high profile in the enterprise. Hewlett-Packard Development Co.'s iPAQ hx2795 Pocket PC, for example, features 384MB of memory, integrated Wi-Fi connectivity and a 3.5-inch display.

Some IT organizations first started using these devices for niche applications in industries like transportation. Data-Tronics Corp., a transportation logistics supplier and subsidiary of Arkansas Best Corp., provides hardware and software so companies can find the optimal transportation method to move their products from location to location. The company outfitted several hundred users at its pickup and delivery points with Dell Inc. handhelds.

"By providing users with an easy way to enter packing and shipping information at our different locations, we gained a clearer and more up-to-date picture of the status of shipments and availability of transportation resources," says Doug Cogswell, director of technical services at Data-Tronics.

E-mail systems are another area where reliance on handheld systems is increasing. One reason for this is the more advanced functions of the systems. What has helped in this regard is Microsoft's decision to begin bundling Exchange Server Service Pack 2 and Messaging and Security Feature Pack (MSFP) software in Windows Mobile 5.0. This lets users send e-mail messages and contact information to handheld devices over cellular networks, something Microsoft calls Direct Push.

And it doesn't stop there. Handheld devices are encroaching upon the hallowed grounds of legacy applications. United Agri Products Inc. (UAP) is a retailer and service provider to farmers in North Dakota, South Dakota, Minnesota, Montana, Kansas and Canada. It has about 35 account managers who visit current customers and potential customers, attempting to convince them to use the firm's containers, seeds, bulk storage system and produce-handling services.

In 2005, UAP gave its salespeople handheld devices from Dell, HP and Motorola Inc. so they could access information stored in Microsoft's Dynamics Enterprise Resource Planning (ERP) package. "Replacing manual entry methods with handhelds increased the accuracy of the input and reduced salespersons' data entry chores from hours to minutes," explains Bert Berkholde, UAP's IT director.

Along with enterprises, academic institutions are also realizing some of the productivity benefits of these devices. About four years ago, the University of Kentucky supplied mobile employees in select departments like athletics and facilities management with smartphones. "About a year or two ago, the interest level in smartphones took off. Just about every one of our employees is interested in technology that will make them mobile," says Doyle Friskney, chief technology officer at the university, which has about 500 smartphones on campus.

Take Stock
While they offer potential benefits, handheld devices present significant challenges, starting with their purchase. Because prices for these devices have dropped to a few hundred dollars and are often included in carrier service plans, buying them is a simple process, one that often occurs beyond the purview of the IT department. "Consumers walk into Best Buy on the weekend, pick up cell phones, and then connect them to the company network on Monday morning," says Richard Stone, vice president of marketing at Addison, Texas-based mobile security supplier Credant Technologies Inc.

So the first step in securing mobile devices is figuring out who has them.

"There are always a lot more handhelds accessing company networks than the IT department thinks there are," says Jack Gold & Associates' Gold.

Even though users may not turn to the IT department for help buying these products, these departments are responsible for them. "Because of recent changes in federal compliance regulations, the IT department needs to put checks in place to make sure that data accessed via handhelds is protected," says Stone. Currently, handhelds represent an area where such checks are likely missing.

Data-Tronics found that its handheld Wi-Fi features were problematic. The devices come with an inherent feature that sends out a message in search of local wireless networks. Unfortunately, the function also notifies intruders that a handheld device is in the area. "We tailored our systems so they don't broadcast their location to everyone," says Data-Tronics' Cogswell.

Jack Gold, President, Jack Gold & Associates

Keeping all of the software -- including updates, security patches and new versions -- running on handhelds up-to-date is a challenge. Data-Tronics had to develop its own software to update new configuration data on the handhelds.

IT departments also need to make sure the devices are safe. As with any other device connected to an enterprise network, IT departments must guard against outsiders hacking into the system and corrupting corporate data. This is not as much of a possibility for these devices as it is with PCs and laptops -- at least for the moment (see "Handheld Security Is Rudimentary at Best").

Lost and Found
While hackers generate the headlines, IT managers face more mundane security issues with company handhelds, beginning with lost phones. Because they're small and users can carry them anywhere, they're often inadvertently left behind. "Cell phones are the most commonly lost item at airports," says Gold. Taxi cabs are another place where busy executives often lose their devices.

Once a smartphone disappears, companies then need to figure out what corporate information may be vulnerable. "Users view their handhelds use as revolving around 'only e-mail,' but they often include attachments with their messages and those attachments often contain sensitive corporate data," says Robert Enger, vice president of product management and global marketing at Check Point Software Technologies Ltd., located in Redwood, Calif

Handheld Security Is Rudimentary At Best

Security issues often present IT departments with a risk/reward trade-off. How much time, money and effort do they need to spend in order to make sure that corporate information is safe? At the moment, the level of interest from hackers in smartphones has been low but the devices have a number of potential security holes, which means IT departments can hardly ignore the threat.

Cell phones have been designed for consumers as well as business people, so the security features have been limited. The password systems used to protect handheld data are weak and fairly easy to compromise as illustrated by a few high-profile break-ins over the past few years. A U.S. Secret Service agent's handheld was hacked, and after Paris Hilton's cell phone was compromised, her contact list spread across the Internet.

User-Defined Passwords
One reason for the problem is users often have a great deal of responsibility for securing the password system. Initially, carriers assign customers default passwords, which they're supposed to change once they access the network. In many cases, they fail to take that step and leave themselves open to intruders. Another problem is users pick easy-to-remember passwords, such as their first name or simple numeric sequences, like 123456. If a password is simple for the user to remember, it's also simple for the hacker to crack.

As the various problems become clearer, cell carriers are trying to harden their password security. Some support digital signatures, which are a robust way to authenticate users, while others sell only handsets with protected memory, which can prevent malicious applications from accessing data or parts of the phone's operating system.

The malicious applications come from hackers, who have shown only passing interest in cell phones to date. One reason is handhelds traditionally possessed little processing power and therefore did not merit attention as a potential carrier of malware. As the devices gained the power needed to support multi-media applications, they also gained the ability to run all of the malware found on PCs and notebooks.

"Most of the cell-phone malware has been demonstrated more in theory and test than viruses racing across the Internet," says Todd Thiemann, director of device security marketing at Trend Micro Inc., a supplier of network anti-virus and Internet-content security software and services.

Little Threat From Viruses
The first wave of viruses, worms and Trojan horses designed for handheld systems arrived in the summer of 2004 and WinCEDUTs corrupted data for users working with Microsoft Mobile. Since then, a few hundred viruses have emerged but none has done significant damage. "I tell clients that the risk of mobile viruses is quite low right now," says Ken Dulaney, vice president at Gartner Inc.

There are a few reasons why that's legitimate advice. Cellular carriers have a great deal of control over handheld communications and have put up barriers, such as firewalls and virus-protection software, which prevent hackers from accessing their networks.

In addition, hackers want the biggest bang for their time and effort by having their artwork replicated on as many systems as possible. Windows is usually the object of their desire because it has such a large installed base. The smartphone market is small, accounting for about 8 percent of all cell phones sold in 2006, according to Gartner. Compounding the issue, the handheld operating system is much more fragmented, with Microsoft, Symbian and Linux dividing up the booty and depriving hackers of a big fat target device.

IT departments understand that no security threat should be ignored. Installing anti-virus and spyware products from companies such as McAfee Inc., Symantec Corp. and Trend Micro is a sound choice. Companies do not-at least for the moment-have to put as much time and effort into guarding smartphones from malware as they do with their desktop and laptop systems. -P.K.

In many cases, of course, this data isn't secured. Because they view handhelds as personal devices, users typically do little to protect the data on them. Many rely solely on faulty password protection as their only security check. If the device falls into the wrong hands, though, sensitive information is at risk.

Consequently, they need to take additional steps to protect sensitive information. "At a minimum, data on handheld devices should be encrypted," says Gold.

Microsoft is trying to help companies protect their data. There's a device-wiping capability in its Windows Mobile software. If a person tries to access the information, it will wipe out the data. "While the updates with Vista are beneficial, the reality is most users will be working with earlier versions of Windows [Mobile] and their information needs to be protected," notes Gartner's Dulaney.

The different security holes illustrate the need for companies to put policies in place to protect corporate data. "While there's no difference in the potential damage from what a cell phone can do versus what can happen with a PC or a laptop, there seems to be a disparity in the recognition of that threat," says Gold.

In fact, analysts estimate that as few as 10 percent -- and at most 35 percent -- of organizations now have policies in place that outline how to secure handheld devices. Without such policies in place, companies are running a risk.

"It wasn't until last year when the Veterans Administration acknowledged that a system with more than 20 million veterans' and their spouses' names and Social Security numbers was missing that many organizations took a closer look at their laptop security policies," says Stone. "Unfortunately, the same scenario is playing out with smartphones. As they become more powerful, there's no doubt that a major security breach will happen. The only questions are how close are we to it and how much damage will it do."

Featured

comments powered by Disqus

Subscribe on YouTube