Republished with permission from WatchGuard Technologies, Inc.


Smartphone (In)Security

By Lisa Phifer, Core Competence, Inc.

Smartphones have come a long way since 1997, when I browsed my first text on an AT&T PocketNet phone over tediously-slow Cellular Digital Packet Data (CDPD). Analysts have been predicting a smartphone market explosion ever since. In-Stat/MDR reports increased sales last year and forecasts 44 percent compound annual growth through 2009.

Are smartphones finally here? Perhaps.

Adoption barriers are starting to evaporate. Smartphones have gotten smaller and cheaper, while becoming more powerful and easier to use. Voice, messaging, and e-mail have become tightly integrated with each other and enterprise mail servers. Connectivity has expanded well beyond cellular, embracing Bluetooth, Wi-Fi, and third-generation (3G) services. New hybrid wireless LAN/WAN phones are expected to take VoIP beyond the corporate campus, increasing demand for both handsets and services.

But hurdles still exist. In the US, 2.5G services like GPRS, EDGE, and 1xRTT are only available in metropolitan areas, delivering speeds that barely match V.90 dial-up. 3G trials are underway: AT&T Wireless Services now offers 320 Kbps WCDMA in Detroit, Phoenix, San Francisco, and Seattle; Verizon offers 500 Kbps EV-DO in San Diego and Washington DC. However, until 3G becomes ubiquitous, smartphone adoption will continue to lag.

When business use does take off, smartphones will run head-long into a typical post-deployment pitfall: inadequate security.

Why Smart Doesn't Mean Secure

Whether based on Symbian, Palm, or Windows CE, smartphones are ripe for compromise. Yes, these operating systems incorporate some built-in security measures, and third-party products can fill many of the gaps. But our biggest smartphone security challenges are perception and user behavior. Simply put, most of us fail to treat smartphones as computing assets that require business-grade security measures.

Lost Smartphones. According to a poll by FusionOne, 43 percent of mobile subscribers experience phone damage, loss, or theft. At LAX airport alone, 400 lost phones are found each month. Most businesses routinely back up servers and desktops, but few treat data stored on smartphones with similar care. A whopping 87 percent of those who lost phones had to manually re-enter their data, and 31 percent lost data stored nowhere else.

Theft of Service. Stolen cellphones have long been used to place unauthorized calls, creating a huge black market. According to the Australian Mobile Telecommunication Association, GSM carriers in that country have spent over $7M on technology to block calls placed using stolen International Mobile Equipment Identity (IMEI) numbers. But countermeasures like this depend on users noticing and reporting loss quickly.

Theft of Proprietary Data. Gartner estimates that each unrecovered PDA or phone used for business costs the employer $2,500. This shocking number represents the value of compromised proprietary data. Here again, users who wouldn't think of carrying an unlocked laptop routinely carry unlocked smartphones. Why? PIN-locking an oft-used phone is a hassle, and even well-intentioned users can forget to lock their phone. Smartphones raise the stakes because they house more sensitive business data, including e-mail, corporate logins/passwords, meeting notes, sales orders, and customer contacts.

Smartphone Compromise. Smartphones have long been a backdoor for desktop infection, propagating Win32 viruses through synchronization and e-mail. But few attacks had been written specifically for smartphones -- until now. WinCE Brador-A and Symbian Mosquitos trojans released this August show how carelessness breeds insecurity. Mosquitos, a hacked version of a legitimate game, racks up charges by silently sending text messages to a premium rate number. Many smartphone users download games, skins, ringtones, music, images, and video clips with little regard as to file source or authenticity. Executing downloaded files on phones that almost always lack on-board virus protection compounds risk.

Bluetooth Exploits. Many smartphones -- especially those running Symbian -- sport built-in Bluetooth. Bluetooth can be used productively to connect wireless headsets, share content with peers, and synchronize with desktops. But it can also be used for attacks, like the Cabir proof-of-concept worm released this July. Worse, the WIDCOMM Bluetooth SDK used by many smartphones has an unpatched buffer overflow vulnerability that permits running arbitrary code on any nearby Bluetooth-capable device. Add these recent developments to previously-documented attacks like Bluejacking and Bluesnarfing, and you have ample motivation to disable Bluetooth on your smartphone.

Mobile Messaging Attacks. Smartphones support popular mobile messaging services like SMS (text) and MMS (multimedia). These services may charge a fee per message sent or received, or once messages exceed a prepaid limit. The most obvious attack is simply flooding a smartphone with unsolicited messages: on a plan with metered messaging or Internet data, overage charges can accumulate quickly. More subtle attacks include sniffing unencrypted SMS, using MMS to deliver malware executables, and using SMS trigger messages to DoS-attack, unlock, or wipe infected smartphones.

Unprotected E-mail. According to InfoWorld (PDF), e-mail is by far the most popular mobile business application, used twice as often as the second place app, Sales Force Automation (SFA). Smartphones are typically supplied with cleartext POP mail accounts and familiar e-mail clients like Pocket Outlook. Naïve road warriors who lack IT support for smartphones often forward urgent business mail over POP, risking exposure in transit -- you can see this happen at just about any Wi-Fi hotspot. Enterprises are more likely to safeguard mobile e-mail using RIM on Blackberry phones or GoodLink on Palm and WinCE phones. But risks still persist, as shown last fall when a former Morgan Stanley VP sold his Blackberry on eBay without first shredding stored corporate e-mail.

Defending Your Smartphone

Notice that all of these risks are caused by lack of awareness, disregard for consequences, and failure to apply common laptop best practices to smartphones. Although lighter-weight operating systems and wireless technologies do have inherent vulnerabilities, we can raise the bar.

1. Start with a little due diligence. Learn about the security features embedded in your smartphone operating system. Here are some resource links to get you started:

•  Symbian OS v7.0

•  Symbian OS v8.0

•  PalmOS 6 (Cobalt)

•  PalmOS 5 (Garnet)

•  Windows Mobile-Based Device Security

2. Familiarize yourself with third-party smartphone security measures. Previous LiveSecurity columns identified security tools available for PDAs running Palm and Pocket PC -- many also run on smartphone versions of those operating systems. Symbian users can find security lists for UIQ and Series 60 smartphones here and here, respectively. Be careful to check for compatibility with both your OS version and smartphone vendor/model.

3. Before downloading anything to your smartphone, know the source. You're probably on safe ground when downloading ringtones from your carrier's Website, or products from well-known vendor websites. But exercise caution when downloading shareware and freeware to your smartphone. Microsoft (HTML), Symbian (PDF), and Palm (PDF) have programs that let developers digitally sign their code, with or without third-party testing. These programs are relatively new, so unsigned code isn't necessarily malicious, but it certainly deserves more scrutiny.

4. Back up your smartphone regularly. Many of us don't think of doing this until we've lost our first phone. Individuals can use vendor-supplied synchronization software, like ActiveSync on Windows Smartphones or HotSync on Palm-based phones from GSPDA, Kyocera, and Treo. Larger companies may want to invest in enterprise mobile device managers like Afaria Frontline for Palm, Symbian, and WinCE. If your company lies somewhere between these two extremes, there are many PDA backup products with a wide range of prices and features.

5. Find an easy way to lock your smartphone when not in use. Some smartphones have inactivity timeouts or holster detectors that trigger auto-locks. If your phone has such a feature, use it! If you're really lucky, your smartphone has a biometric lock, like the FOMA F900i's fingerprint sensor. Otherwise, look for third-party tools to auto-lock your phone or make unlocking easier (see #2). Avoid the temptation to use Bluetooth-based unlockers like Bluekey.

6. Apply common security best practices to your smartphone. You wouldn't leave your home PC or laptop without anti-virus protection, so spend a few bucks on an AV scanner for your smartphone. Password safes and stored data encryption programs for PDAs are plentiful; use one on your phone for peace of mind after loss or theft. Don't forget to encrypt data on removable media. Here again, you'll find tools designed for individual and corporate use by following links given in #2 above.

7. Disable or secure all wireless interfaces. Your smartphone's wireless WAN is probably its most secure interface. Protocols like GPRS and CDMA have built-in authentication and encryption that carriers depend on to prevent unauthorized airlink use and sniffing. Carriers also use gateways based on WAP to secure wireless Web browser traffic over the air. But it's up to you to protect any data sent over Bluetooth or Wi-Fi, beamed over IrDA, messaged over SMS, or mailed through the Internet. Common sense dictates turning off adapters you don't intend to use. Go one step further and turn the rest off until you learn how to secure them, using built-in and/or third-party authentication, authorization, and encryption measures.

8. Resist the temptation to practice unsafe e-mail. If your company offers a secure remote access solution for e-mail, find out whether you can use it on your smartphone. Most new OSs support PKI, SSL/TLS, and even a few VPN protocols. Others can often be retrofitted with light-weight PDA VPN clients. Many wireless carriers offer business-grade e-mail services that gateway messages from the carrier's server to your company's mail server, or provide secure access to mail programs running back at the office.

9. Inventory your smartphone, and carry it with you. When you lose your smartphone, odds are that you'll be traveling hundreds of miles away from the paperwork that has your phone's serial number. Jot down your IMEI and your carrier's customer service number and stick them in your wallet so that you're ready to report loss as soon as it occurs.

10. Create a smartphone security policy. Steps mentioned thus far can be taken by individuals without IT support. Companies should go further, beginning with policy definition. You may not (yet) purchase smartphones for employees, but you're probably already at risk from business use of personal smartphones. Start by educating employees about smartphone risks and best practices.

Don't fall into the trap of thinking "they're just phones" or "nobody buys them yet." Smartphones are coming, and so are security woes -- don't let ignorance become your worst enemy.

Copyright 2004, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.
