Don't Overlook PDAs
by Lisa Phifer, Vice President, Core Competence, Inc.
Falling prices and broader features are expected to dramatically boost
PDA purchases this year. According to In-Stat/MDR, worldwide PDA sales
will grow 18% annually to reach 25 million units per year by 2007. This
tidal wave of new PDAs will also be more tightly-coupled with networks.
Units with integrated wireless will increase to 3 out of every 4 sold by
the year 2007.
Today’s handhelds fall into three categories:
- Pen-based PDAs like Pocket PCs and Palm Pilots
Keyboard-based PDAs such as the HP Jornada
Hybrid phone-PDAs like the Handspring Treo.
Pen-based PDAs dominate, and the most popular pen-based operating
system is Palm OS. According to Gartner, 6.7 million handhelds running
Palm OS were sold in 2002 alone, capturing 55% of the global market.
Most PDAs are still purchased by end-users, but business adoption is
rising as PDAs morph from Personal Information Managers into true mobile
computers. As these devices mature, businesses are being forced to rethink
handheld security. Palm PDAs and their brethren are becoming an extension
of the business network perimeter. Unless you take the proper precautions,
they could easily become the weakest link in your network’s armor.
Small Devices, Big Risks
What makes PDAs so vulnerable? Start with the obvious: their size. PDAs
and related secure digital (SD) and multi-media cards (MMC) are easily
lost or stolen. What’s worse, PDAs usually go missing in public places --
at an airport, on a train, in a restaurant or at a customer's site.
Wireless use in such venues also creates new opportunities for
eavesdropping and attack.
PDA mobility is a double-edged sword. PDAs offer convenient
anytime/anywhere access to applications and data, boosting business
efficiency. But an unprotected PDA that falls into the wrong hands can
extend this same convenience to intruders, resulting in theft of service,
loss of confidential data, even unauthorized backdoor access to the
Because PDAs connect intermittently to company networks, they are
harder for IT administrators to control. Furthermore, since PDAs run
different operating systems and have comparatively limited CPUs, storage,
and memory, they do not support the same security products already
understood and mandated for company-owned laptops.
Step One: Admit You Have A Problem
Some companies do not formally recognize PDAs as supported computing
devices. Employees can buy and use PDAs, but do so at their own risk.
Unfortunately, sticking your head in the sand rarely yields positive
results. Employee-owned PDAs may still jeopardize company data,
synchronized desktops and Intranet servers.
A more productive approach is to meet PDA security challenges head-on.
Recognize PDAs as mobile computing devices and plan accordingly. Even if
your company does not purchase PDAs, create an Acceptable Use Policy to
guide employees who use PDAs. Identify business risks, define best
practices to mitigate them and recommend security measures and tools to
implement these practices.
Enterprise-scale PDA Management
Companies that deploy PDA-based mobile business applications need to
take PDA security even further. A number of commercial solution suites
exist to create enterprise IT infrastructures that support secure mobile
computing. For example:
- Enterprises with existing investment in desktop management systems
from companies like Intel, Marimba, IBM/Tivoli, and Computer Associates can tap "mobile"
extensions to these products to centrally track PDA assets and manage
Organizations that need to centrally manage,
back up and monitor a variety of handheld devices might consider more
specialized mobile management solutions like XcelleNet Afaria, Novell ZENworks
Companies with Palm OS version 5 handhelds
can buy into Palm’s
Tungsten Mobile Information Management (MIM) Solution. MIM provides for
IT administration of “Security Plus” add-ons, including Palm access
controls and data encryption.
Solution suites like these provide a wide range of features for
enterprise-scale device administration -- including (but not limited to)
managing PDA security measures.
Management Guidelines for the Rest of Us
Smaller businesses that don’t have automated asset tracking or software
distribution for desktops or laptops are not going to deploy them for
PDAs. Nonetheless, these tracking tasks are still relevant to small
businesses; small businesses simply handle them differently.
Create and maintain an asset inventory. Keep a list of PDAs and
peripherals, with hardware
serial number, flash ID, MAC address, owner information and the IP address
of the company system that the PDA typically synchronizes with. An
accurate inventory is your foundation for implementing access controls,
discovering unauthorized PDAs and locking out stolen or lost PDAs.
Define your standard PDA environment. Identify PDA models that
you must support. For each, enumerate required OS versions, wireless
interfaces and third-party security tools (see below). If you let
employees install PDA software, document an update distribution process.
Teach employees to check signatures to verify authenticity, and instruct
them to avoid shareware/freeware of unknown origin.
Document recommended configurations. Many PDAs don’t even use
built-in safeguards. Educate employees by supplying instructions to enable
passwords, disable infrared ports ("beaming"), use wireless encryption,
avoid weak PAP
authentication, etc.. Include rigorous instructions for third-party
security tools. Automated systems implement and verify configurations, but
even without such tools, you can encourage compliance by performing ad hoc
Perform regular backups. Companies already realize the need to
routinely back up laptops and desktops. PDAs used for business also
require frequent backup so that service can be quickly restored when a
handheld is lost, damaged or reset. Travelers who must backup on the road
can use tools like Botzam Backup and
routinely encrypt Palm PDA data onto secure digital cards.
PDA Security Tools
Whether your company is large or small, there are many tools available
to mitigate PDA vulnerabilities. I’ll focus on tools for Palm OS, but
similar measures are available for other OSs such as Windows CE and
Control PDA Access. Power-on passwords prevent unauthorized use
of lost or stolen PDAs. Palm OS includes a basic password, but third-party
software supports stronger, more flexible authentication methods. For
example, TealLock enforces
password length/complexity/update, wipes data after n unsuccessful
login attempts, and blocks backdoor access via serial and IR ports. Visual Key and OneTouchPass lock the Palm with a
graphic, permitting access only when predefined spots are tapped in the
correct order. CIC
Sign-On recognizes the owner’s written signature as a password.
Protect Stored Data. Data on PDAs and associated SD/MMC cards
can be encrypted to prevent access by malicious programs, other users on
multi-user PDAs, or thieves when the password is disabled or compromised.
Programs like BeSafe and Password Store
provide a secure place to record passwords. Tools like Cloak
automatically encrypt databases owned by individual Palm applications.
Programs like Handango
Security Suite, movianCrypt,
PDA Defense and PDA Secure combine access controls
with on-demand encryption using a variety of ciphers.
Control Network Access. Authentication can prevent strangers
from gaining unauthorized Internet or Intranet access via misappropriated
PDAs. Palms can authenticate with MS-CHAP over PPP and with shared keys
over 802.11 WLANs. Wireless services like Palm.Net or GoAmerica use device authentication
to control subscriber access. Enterprise solutions like MIM allow
users to authenticate to a Web portal in order to gain access to selected
Intranet servers. Or leverage your existing VPN gateway to provide
PDAs with authenticated secure remote access (below).
Protect Data In Transit. Business data sent by PDAs should be
encrypted to prevent eavesdropping, not just on wireless links, but
end-to-end. Many Palm OS VPN clients are available, including Mergic VPN (PPTP) and movianVPN,
PDASecure VPN, SoftRemotePDA
(made by Safenet, who makes WatchGuard's MUVPN client) and V-One SmartPass (IPsec). PDA clients tend
to be simpler and therefore more limited than Win32 counterparts – read my
If you don’t already have a VPN, there are other options. For example,
Palm’s MIM applies AES encryption between the Palm and MIM server. The
Palm OS supports SSL, so you can probably tunnel using SSL VPN products
from vendors like Aventail, Neoteris, SafeWeb and URoam.
Or you selectively encrypt individual applications. For example, secure
Telnet using SSH clients like Mocha
PocketTelnet and TopGun
Stop Malicious Code. Palm OS has fallen prey to just a few
viruses: Phage overwrites Palm files, Liberty deletes applications while
masquerading as a software patch and Vapor “hides” applications so they
can no longer be used. PDA viruses will increase, but that's tomorrow's
worry. The more pressing threat today is that attackers can use PDAs to
propagate viruses to synchronized desktops and mail servers. To defeat
this, run A/V software like McAfee
VirusScan Wireless, TrendMicro
PC-cillin for Wireless, or CA
eTrust AntiVirus. Look for integrity measures in products like PDA Secure, which prevents
protected applications from being deleted.
PDA owners often fail to understand and address inherent
vulnerabilities, a cultural phenomenon seen with almost any new
technology. Most companies have some PDA presence, whether they formally
recognize it or not. Don’t be an ostrich -- look around, assess PDA use in
your company, define your acceptable use policy, and start employing
appropriate security tools to manage risk. ##
Copyright© 2003, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.