Running Head: Handheld Security

Handheld Computer Security

David B. Rankin

East Carolina University

Information Security Management

July 22, 2004


1. Abstract

The popularity of handheld computers as a personal productivity tool, and their uncontrolled introduction into organizations, is a security risk that can be controlled by establishing security policies that require power-on passwords, data encryption, anti-virus software and appropriate device configuration.


2. Introduction

The use of handheld computers, also known as Personal Digital Assistants (PDAs), has increased steadily since the 1990s, with US sales estimated at 8 million in 2004, 11 million in 2006 and 17 million in 2008. (http://www.etforecasts.com/products/ES_pdas2003.htm) A rise in the amount of free software, shareware and commercial software for PDAs makes these devices much more useful to people who want information, applications, games and music literally in the palm of their hands. The handheld computer may once have been considered just another interesting gadget or an enhanced electronic address book, but increases in processor power, memory capacity, storage and networking have evolved PDAs into small, powerful computers. Modern PDAs have megabytes of memory, processor speeds up to 700MHz, wireless networking using 802.11 (WiFi) and Bluetooth technology and generous amounts of removable storage. The recent increase in the adoption of smart phones -- cellular phones and PDAs combined -- adds cellular communications and short text messaging to the assortment of capabilities already integrated into handheld computing systems. (http://informationweek.mobilepipeline.com/trends/trends_archive/14800065)


Unfortunately, many organizations have not yet established policies on exactly how to support and secure these small but powerful computers. There are several reasons why this may be so. The most common explanation is that organizations did not initially purchase PDAs for their employees, so individuals bought PDAs with their own money and brought them into the company’s environment without the knowledge of corporate IT Support or Security. This presented a dilemma for corporate IT Support and Security groups as they struggled with the use and support of personally-owned devices in business environments. (http://www.pdastreet.com/articles/2004/6/2004-6-2-Learn-the-Basics.html)


3. What is a Handheld Computer?

According to Webopedia a handheld computer is:

“A portable computer that is small enough to be held in one's hand. Although extremely convenient to carry, handheld computers have not replaced notebook computers because of their small keyboards and screens. The most popular hand-held computers are those that are specifically designed to provide PIM (Personal Information Manager) functions, such as a calendar and address book.”

(http://www.webopedia.com/TERM/H/hand_held_computer.html)


For the purposes of this paper on Handheld Computer Security, the definition of handheld computer will be limited to PDAs and smart phone devices running handheld operating system software from Palm, Microsoft and Research in Motion (Blackberry). There are other handheld operating systems, including Pocket Linux and Symbian; however, they have modest PDA market share compared to the major three. It should be noted that Symbian is currently very popular as a dedicated cell phone operating system. (http://www.symbian.com/phones/index.html)

4. Why should you secure Handheld Computers?

PDAs and smart phones are being used in a variety of environments as a lightweight, portable, multi-purpose technology tool. Because the functionality of the PDA has moved towards that of the personal computer, PDAs have a greater potential to be a highly-mobile threat vector with their own set of security vulnerabilities. (http://www.etforecasts.com/products/ES_pdas2003.htm#1.2) Because of their mobile nature, they are easily plugged in behind perimeter security defenses without the knowledge of IT Security. For these reasons, PDAs and smart phones should be included in organizational security planning, analysis, design, implementation and maintenance.


5. Common Handheld Computer Vulnerabilities

The number one PDA security risk is the physical loss of the device itself. According to the Institute of Management and Administration Security Director’s Report, 25 percent of business professionals have lost their PDAs. (IMA, 2003) The report states that PDAs are lost most often in taxicabs (40 percent) and restaurants (20 percent). According to a 2003 survey of mobile computer users, the corporate information exposed by a lost PDA includes:

Meeting notes – 85 percent

Business names, addresses and email addresses – 80 percent

Organizational email – 32 percent

PIN numbers and passwords – 33 percent


When you consider that 57 percent of PDA users do not encrypt organizational data and 33 percent do not have any password protection enabled on their PDA at all, the security vulnerabilities of a lost PDA are obvious. (http://www.net-security.org/article.php?id=564)


Virus infection and transmission is the second biggest security threat. Since PDAs and smart phones running Microsoft’s handheld operating system use pocket versions of Microsoft Word and Microsoft Excel, they are all vulnerable to the same macro viruses that attack the desktop and laptop versions. (http://its.med.yale.edu/security/PDA/)

There are also Palm OS viruses. The Palm.Phage.Dropper virus was discovered on September 22, 2000 and is designed to overwrite every application installed on the infected Palm PDA. (http://securityresponse.symantec.com/avcenter/venc/data/palm.phage.dropper.html)

A Gartner Group report predicts that by 2005, 10 percent of the attacks on Fortune 2000 enterprise networks will be caused by infected mobile computers spreading hostile code. (Egan, 1999)


PDA instant messaging and cellular short text messaging are another problem for IT security managers. In November of 2003, Caleb Sima, CTO of Spi Dynamics, demonstrated that he could launch a denial of service attack against a cell phone. He stated that he could launch an anonymous SMS flood of 1000 messages that would render a cell phone unable to make or receive calls. He also discovered that most cellular carriers charge the party receiving the SMS flood for every message over a certain limit. In his example, T-Mobile said they had no way to stop an SMS flood attack against a cell phone. (http://www.nwfusion.com/news/2003/1124comdex.html)


Another common use of PDAs is downloading and reading email. Many mobile computer users carry unencrypted copies of their entire email inbox with them at all times. This information can be used to launch social engineering attacks and depending on the content of the email messages, can be extremely damaging or embarrassing to the organization.


Modern handheld computers include several wireless technologies that allow communication with other computing devices. Infrared communication allows PDA users to “beam” programs and data to other PDAs and laptop computers. This can also be a transport mechanism for viruses, Trojan horse software and computer worms. Many anti-virus programs do not monitor infrared communications between systems. Additionally, if appropriate care is not taken with the infrared communication configuration, it is possible to unknowingly receive a maliciously beamed application.


Bluetooth is a very powerful wireless communication technology that allows communications over short distances. If misconfigured and left unsecured, a Bluetooth PDA could allow any device to initiate communications with it. (Anand, 2002)


802.11 (WiFi) wireless networking allows PDA users to easily connect to the Internet and access their organization’s networked resources. However, attaching to untrusted wireless networks could expose the PDA to wireless packet sniffing, and the information it transmits to capture and analysis.


6. Handheld Computer Security Measures

The first thing that organizations can do to create a more secure PDA environment is to establish policies that address the appropriate use, support, management and security of these devices. This policy should be championed by Senior Management and clearly communicated, read and acknowledged by organizational PDA users. (Price, 2003) Gartner says that PDA security policies should be short, succinct and enforceable. They add that to convince employees that PDA security vulnerabilities are a real danger, it is best to connect policy violations to specific threats. (Girard, 2001) Other policy suggestions include the control of PDA purchases, controlling the entry of PDAs into the organization’s environment, standardization of hardware and applications and formalizing PDA support.


An excellent suggestion to reduce the loss of PDAs is to attach the device to a larger folio or day timer with Velcro. This makes it much harder to misplace the device because it is now physically larger. Affix the organization’s name, address and telephone number to the device so that if it is lost, IT security can be contacted. (Beach, no date)


PDAs should be required to have a power-on password. The ability to incorporate biometrics into the password, for example the owner’s signature, helps establish the owner’s identity and is a stronger authentication technology. The ability to lock the PDA, or to wipe the contents of the device and attached storage, after repeated unsuccessful login attempts is strongly recommended.
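The lock-and-wipe behaviour recommended above can be expressed as a small state machine. The following is an added example written for this paper; it is not code from the paper or from any PDA vendor. The thresholds (throttle after 3 failures, wipe after 10), the back-off schedule, the PBKDF2 round count and the in-memory dict standing in for device storage are all assumptions chosen for the demonstration.

```python
# Added example: a power-on password gate with throttling and wipe-after-N-
# failures, illustrating the measures recommended in the paper. Not code from
# the paper or from any vendor; thresholds and storage model are assumptions.
import hashlib
import hmac
import os

LOCKOUT_AFTER = 3           # assumed: start throttling after 3 wrong passwords
WIPE_AFTER = 10             # assumed: erase device contents after 10 wrong passwords
BASE_DELAY_SECONDS = 30.0   # assumed: first back-off delay, doubling per failure
PBKDF2_ROUNDS = 100_000


class HandheldLock:
    """State machine for a power-on password on a handheld device."""

    def __init__(self, password: str, contents: dict):
        self.salt = os.urandom(16)
        self.digest = self._derive(password, self.salt)
        self.contents = dict(contents)  # stands in for device memory and storage card
        self.failures = 0
        self.retry_after = 0.0          # clock value before which attempts are refused
        self.wiped = False

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256 so the stored verifier is not the password itself
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def power_on(self, password: str, now: float) -> bool:
        """Return True if the device unlocks. `now` is an injected clock in seconds."""
        if self.wiped:
            return False                # nothing left to unlock
        if now < self.retry_after:
            return False                # throttled: attempt is refused, not evaluated
        candidate = self._derive(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            self.retry_after = 0.0
            return True
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.wipe()
        elif self.failures >= LOCKOUT_AFTER:
            # exponential back-off: 30 s, 60 s, 120 s, ... after each further failure
            self.retry_after = now + BASE_DELAY_SECONDS * 2 ** (self.failures - LOCKOUT_AFTER)
        return False

    def wipe(self) -> None:
        """Erase contents and the password verifier; the device must be re-provisioned."""
        self.contents.clear()
        self.digest = bytes(len(self.digest))   # all-zero verifier can never match
        self.salt = b""
        self.wiped = True


if __name__ == "__main__":
    device = HandheldLock("correct horse", {"notes": "board meeting minutes"})
    print(device.power_on("correct horse", now=0.0))   # unlocks
    for i in range(LOCKOUT_AFTER):
        device.power_on("guess", now=float(i + 1))     # three failures -> throttled
    print(device.power_on("correct horse", now=10.0))  # refused: still in back-off window
```

Throttled attempts are refused without being evaluated and do not count toward the wipe threshold, so the owner who mistypes a few times is slowed down rather than wiped, while a sustained guessing run still reaches the wipe limit.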


PDA users should be able to encrypt specific information or the entire contents of the PDA. The encryption built into the Palm and Microsoft Pocket PC is not directly available to the end user, but there are a variety of third party products commercially available that will provide 128-bit and greater encryption. (Price, 2003)


PDAs should have anti-virus software installed that will monitor the most common PDA transmission channels: email and email attachments, desktop synchronization, infrared transfers (“beaming”) and wireless (WiFi or Bluetooth) file downloads.


Wireless PDA users should always use VPN software to provide secure transmission between the handheld computer and the home network. This is especially relevant when using public wireless networks or another organization’s wireless network.


Organizations should investigate tools that allow the inventory of PDAs, centralized enforcement of configuration and policies, the ability to “push” updates to devices during desktop synchronization and the ability to install software across large numbers of PDAs. Novell Corporation’s Zenworks Handheld Management is an example of commercial software with these capabilities. (http://www.novell.com/products/zenworks/handhelds/index.html)
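The centralized policy enforcement described above amounts to checking each inventoried device against the measures in this section (power-on password, wipe on repeated failures, encryption, current anti-virus signatures, VPN for WiFi, infrared configuration). The following is an added example of such a check; it is not code from the paper or from Novell ZENworks. The DeviceRecord fields, the POLICY thresholds and the SAMPLE_INVENTORY records are constructed for illustration.

```python
# Added example: a policy compliance check of the kind a central handheld
# management tool would run at synchronization time. Not code from the paper
# or from any product; record fields, thresholds and inventory are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class DeviceRecord:
    device_id: str
    owner: str
    power_on_password: bool
    wipe_after_failures: Optional[int]        # None = no wipe-on-failure configured
    encryption_bits: int                      # 0 = no encryption
    antivirus_signature_date: Optional[date]  # None = no anti-virus installed
    wifi_enabled: bool
    vpn_required_for_wifi: bool
    infrared_auto_receive: bool


# Assumed policy thresholds, following the measures recommended in the paper.
POLICY = {
    "min_encryption_bits": 128,
    "max_wipe_threshold": 10,
    "max_signature_age_days": 30,
}


def check_device(rec: DeviceRecord, policy: dict, today: date) -> List[str]:
    """Return the policy violations for one device (empty list = compliant)."""
    findings = []
    if not rec.power_on_password:
        findings.append("no power-on password")
    if rec.wipe_after_failures is None:
        findings.append("no wipe after repeated failed logins")
    elif rec.wipe_after_failures > policy["max_wipe_threshold"]:
        findings.append(f"wipe threshold {rec.wipe_after_failures} exceeds policy maximum of {policy['max_wipe_threshold']}")
    if rec.encryption_bits == 0:
        findings.append("no encryption")
    elif rec.encryption_bits < policy["min_encryption_bits"]:
        findings.append(f"encryption {rec.encryption_bits}-bit below policy minimum of {policy['min_encryption_bits']}-bit")
    if rec.antivirus_signature_date is None:
        findings.append("no anti-virus software")
    else:
        age = (today - rec.antivirus_signature_date).days
        if age > policy["max_signature_age_days"]:
            findings.append(f"anti-virus signatures are {age} days old (max {policy['max_signature_age_days']})")
    if rec.wifi_enabled and not rec.vpn_required_for_wifi:
        findings.append("WiFi enabled without VPN requirement")
    if rec.infrared_auto_receive:
        findings.append("infrared auto-receive enabled")
    return findings


def compliance_report(records: List[DeviceRecord], policy: dict, today: date) -> Dict[str, List[str]]:
    """Map each device id to its list of violations."""
    return {rec.device_id: check_device(rec, policy, today) for rec in records}


# Constructed inventory records: one compliant device, one unmanaged device,
# and one with a too-generous wipe threshold and stale signatures.
SAMPLE_INVENTORY = [
    DeviceRecord("PDA-001", "alice", True, 10, 128, date(2004, 7, 10), True, True, False),
    DeviceRecord("PDA-002", "bob", False, None, 0, None, True, False, True),
    DeviceRecord("PDA-003", "carol", True, 25, 128, date(2004, 5, 1), False, False, False),
]


def sample_report() -> Dict[str, List[str]]:
    """Run the check over the constructed inventory as of the paper's date."""
    return compliance_report(SAMPLE_INVENTORY, POLICY, date(2004, 7, 22))


if __name__ == "__main__":
    for device_id, findings in sample_report().items():
        status = "compliant" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
```

Each violation names the policy clause it breaks, which is what makes such a report usable for the "connect policy violations to specific threats" approach recommended earlier in this section.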


7. Conclusion

Handheld computers have evolved into extremely powerful portable tools that can give mobile access to corporate information, provide the ability to read and respond to email and carry large amounts of information in a very small package. These devices, because of the way they were introduced into many organizations, have not been included in IT support and security planning. This is a mistake, but it is easily mitigated with the adoption of PDA security and appropriate use policies, requiring power-on passwords, encrypting sensitive information and email, using VPN software when transmitting via WiFi and installing and using anti-virus software. Organizations should manage PDAs with the same assertiveness with which they manage corporate desktop computers. It is an advantage for organizations to purchase PDA management software to help inventory devices, push software updates, enforce policies and configure the PDA during its synchronization sessions.


References


Anand, Nikhal. An Overview of Bluetooth Security. GIAC Practical Repository, SANS Institute, February 22, 2002, p. 5.

Beach, Nelson. Handheld Security: A Layered Approach. SANS Institute, c. 2003, no date.

Egan, R. “Clear and Present Danger: Smart Phones Get Too Smart.” Gartner Research SPA-07-9190, May 14, 1999.

Girard, J. Mobile and Wireless Security: Worst and Best Practices. Gartner Research TG-14-1270, September 20, 2001, p. 2.

Institute of Management and Administration. Security Director’s Report, September 2003, p. 7.

Price, Richard. The PDA as a Threat Vector. GSEC Practical Assignment v. 1.4b, March 2003, pp. 10, 12.