Handheld Security: Part II - Understand Vulnerabilities

by Laura Taylor

PDAs and smartphones are susceptible to a host of security risks. Even if you're not a security expert, you should know what's at risk, and you can establish safeguards to protect your data and the device itself.

As we discussed in Security Basics for PDAs and Handheld PCs, PDAs and smartphones are susceptible to a host of security risks. In this article, we'll take a closer look at specific vulnerabilities that affect these devices. Even if you're not a security expert, you can establish safeguards to protect your data — and the device itself.

Types of PDA Vulnerabilities
In this article, we can't list all the security risks that affect each handheld platform. Therefore, we'll focus on the leading vulnerabilities to help you research and address your device's specific security weaknesses.

The same types of vulnerabilities that affect laptops also affect PDAs and smartphones. These include the following:

  • Viruses, trojans, and worms
  • Physical theft
  • Data theft
  • Mobile code exploitation
  • Authentication exploitation
  • Wireless exploitation
  • Denial of service attacks
  • TCP session hijacking

All of these areas are unique and specific to the type of operating system your device uses, as different platforms offer different vulnerabilities that require specific safeguards.

The most widely used mobile operating systems include Windows Mobile, Palm OS, Java VM, Research In Motion (RIM) BlackBerry, Symbian OS and Linux.

To start with, you need to know what operating system your handheld uses, and the particular version number. If you don't know, ask the dealer that you bought the device from. If you bought it at a discount superstore, you can go to the PDA vendor's Web site to obtain the information.

Don't be afraid to e-mail a vendor your questions or to call their support number. After all, the device manufacturer has a vested interest in helping its customers. They usually do their best to answer questions, even if you did not buy the handheld directly from them.

Understand How Your Handheld Connects
To protect your handheld and the data that resides on it, you should understand how it connects to the Internet or to a desktop PC.

Using your handheld to access a network via a synchronization process is called connectionless access. The device relies on the desktop PC for its Internet Protocol (IP) network connection. Mobile devices also offer a direct-connect Internet capability through a network interface card.

A mobile device's network interface card can be a traditional wired card or a wireless card. Each connection method has its own unique security problems. The three main ways to connect include:

  • Desktop synchronization
  • Hardwired network interface card
  • Wireless network interface card

In addition, a wireless handheld can connect in one of three ways: Wi-Fi, Bluetooth, or cellular (CDMA or GSM).

Bluetooth and Wi-Fi connections are the least secure since they typically transmit radio-frequency signals — often without encryption — that can be easily intercepted by other wireless users in the area. You can increase Wi-Fi's security using Wired Equivalent Privacy (WEP), but by default, WEP is typically not enabled. Bluetooth is even less secure than Wi-Fi because the off-the-shelf package rarely includes any type of encryption.

If you don't know which type of wireless connection your handheld uses, ask the merchant who sold you the device or the company that provides your access services. The best way to keep your wireless device secure is to set up a Virtual Private Network (VPN) client. That way, when the device connects to networks or desktop PCs, the data is encrypted.

Disabling Local, Network, and Modem HotSync
One of the biggest vulnerabilities for Palm devices can be introduced using the HotSync feature. HotSync enables you to synchronize elements of your handheld with a desktop PC. Some of the elements typically synchronized include the Outlook inbox, the contacts list, the calendar, tasks and notes. When using HotSync, worms, viruses, and Trojans can be transmitted from the mobile device to the local desktop, and ultimately to your network.

When Network HotSync is enabled, the Palm OS opens TCP ports 14237 and 14238 as well as UDP port 14237. This means that cyber miscreants can open connections to these ports for the purpose of accessing private and proprietary information or unleashing malicious code. If you install a firewall on your device, you can restrict which systems and domains have access to which ports.
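The firewall advice above amounts to an allowlist: only known synchronization hosts may reach the HotSync ports, and everything else is denied and worth logging. The following added example (not from the article, and not Palm software) shows that allowlist expressed two ways: as a check run over a few constructed connection-log lines, flagging attempts on ports 14237/14238 that did not come from an authorized host, and as a rendered allow-then-deny rule table. The log line format, the authorized host addresses (192.0.2.10 and 198.51.100.0/29) and the rule syntax are all assumptions made for the example.

```python
"""Allowlist check for Palm Network HotSync ports.

Added example; the log format, host addresses and rule syntax are constructed
for illustration and are not taken from any product.
"""
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional

# Ports Palm OS opens when Network HotSync is enabled (as stated in the article).
HOTSYNC_PORTS = {("tcp", 14237), ("tcp", 14238), ("udp", 14237)}

# Hosts that are allowed to synchronize with the handheld (assumed for the example).
AUTHORIZED_SYNC_HOSTS = [
    ipaddress.ip_network("192.0.2.10/32"),    # the user's own desktop PC
    ipaddress.ip_network("198.51.100.0/29"),  # help-desk sync stations
]

# Constructed log format: one connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


class Event(NamedTuple):
    ts: str
    proto: str
    src: str
    dport: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["proto"], m["src"], int(m["dport"]))


def is_authorized(src: str) -> bool:
    """True if the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_SYNC_HOSTS)


def find_unauthorized(lines: Iterable[str]) -> List[Event]:
    """Return every attempt on a HotSync port from a host outside the allowlist.

    Traffic to other ports is ignored here; it is someone else's rule's job.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or (ev.proto, ev.dport) not in HOTSYNC_PORTS:
            continue
        if not is_authorized(ev.src):
            hits.append(ev)
    return hits


def render_rules() -> List[str]:
    """Render the allowlist as an allow-then-deny rule table (generic syntax)."""
    rules = []
    for proto, port in sorted(HOTSYNC_PORTS):
        for net in AUTHORIZED_SYNC_HOSTS:
            rules.append(f"allow {proto} from {net} to port {port}")
        rules.append(f"deny  {proto} from any to port {port}")
    return rules


# Constructed sample log: two legitimate syncs, three attempts from an unknown
# host (one of them to a non-HotSync port), one from a help-desk station.
SAMPLE_LOG = """\
2004-09-17 10:15:02 proto=tcp src=192.0.2.10 dst=192.0.2.50 dport=14237
2004-09-17 10:15:03 proto=tcp src=192.0.2.10 dst=192.0.2.50 dport=14238
2004-09-17 10:16:41 proto=udp src=203.0.113.77 dst=192.0.2.50 dport=14237
2004-09-17 10:17:05 proto=tcp src=203.0.113.77 dst=192.0.2.50 dport=14238
2004-09-17 10:18:00 proto=tcp src=198.51.100.3 dst=192.0.2.50 dport=14237
2004-09-17 10:18:30 proto=tcp src=203.0.113.77 dst=192.0.2.50 dport=80
this line is deliberately malformed and is skipped
"""

if __name__ == "__main__":
    for ev in find_unauthorized(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} unauthorized {ev.proto}/{ev.dport} from {ev.src}")
    print("\n".join(render_rules()))
```

Running the script reports the two HotSync-port attempts from 203.0.113.77 and ignores the port 80 attempt, which is outside this check's scope; the help-desk station passes because it sits inside the allowlisted /29.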

Similar to Palm OS HotSync attacks, Windows Mobile Pocket PC and smartphones are susceptible to ActiveSync attacks. While you can protect ActiveSync with a password, the ActiveSync authentication process can be exploited through data interception (password sniffing) or brute force dictionary attacks.

A user can enter an unlimited number of password attempts into the ActiveSync password prompt, which enables the possibility of a brute force dictionary attack. Hackers sometimes set up systems that generate sophisticated automatic scans to remote devices that attempt to try every word, or combination of words, in multiple dictionaries in an attempt to crack passwords. This is one of the reasons you don't want your PDA or smartphone to allow an unlimited number of password attempts.

Every time an ActiveSync handheld is connected to a desktop PC via its cradle, ActiveSync requires you to enter a password. Users however have the option of saving this password on the desktop PC to expedite the connection process. The problem is that if an unauthorized user gains access to the desktop, they then also have access to the ActiveSync password. And even if the password is encrypted, unauthorized users could potentially use a dictionary attack to break the password.

Prevent Network Vulnerabilities
One of the best ways to safeguard PDAs and smartphones on a network level is to create security policy template files and distribute them to the end-user devices. To do this, most companies need to purchase a third-party handheld security policy editor that can create group policies that integrate with either Active Directory or LDAP.

Controlling security policies through a centralized management system is the most effective approach to secure company-owned mobile devices. In evaluating enterprise PDA security products, look for ones that offer the following capabilities:

  • Protect personal databases such as address books, calendars and date books
  • Protect application databases such as SQL Server CE
  • Encrypt files, database, and folders
  • Strengthen password protection by turning on lock-out features
  • Expire passwords after a pre-determined length of time has passed
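Two items in the list above, lock-out and password expiry, are the controls that blunt the unlimited-attempt problem described for the ActiveSync prompt earlier on this page. The following added example (not code from the article, ActiveSync, or any policy editor) implements a small password-prompt policy: a salted PBKDF2 digest, a constant-time comparison, a lock-out after MAX_ATTEMPTS failures, and a maximum password age. The limits (5 attempts, 15-minute lock-out, 90-day lifetime) and the helper `count_checked_guesses`, which shows how many entries of a guess list the prompt actually evaluates before locking, are assumptions chosen for illustration.

```python
"""Password-prompt policy with attempt lock-out and password expiry.

Added example; the thresholds and the API are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable

MAX_ATTEMPTS = 5                        # failures before the prompt locks
LOCKOUT_SECONDS = 15 * 60               # how long the prompt stays locked
PASSWORD_LIFETIME_SECONDS = 90 * 86400  # password must be changed after this
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated digest so a stolen credential store is slow to attack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: float            # time the password was set (seconds)
    failures: int = 0        # consecutive failed attempts
    locked_until: float = 0  # prompt refuses attempts before this time


def create_credential(password: str, now: float) -> Credential:
    salt = os.urandom(16)
    return Credential(salt, hash_password(password, salt), now)


def is_expired(cred: Credential, now: float) -> bool:
    return now - cred.set_at > PASSWORD_LIFETIME_SECONDS


def check_password(cred: Credential, attempt: str, now: float) -> str:
    """Evaluate one attempt; returns 'ok', 'bad', 'locked' or 'expired'.

    'expired' means the password was correct but must be changed before use.
    """
    if now < cred.locked_until:
        return "locked"              # do not even evaluate the guess
    if hmac.compare_digest(hash_password(attempt, cred.salt), cred.digest):
        cred.failures = 0
        return "expired" if is_expired(cred, now) else "ok"
    cred.failures += 1
    if cred.failures >= MAX_ATTEMPTS:
        cred.locked_until = now + LOCKOUT_SECONDS
        cred.failures = 0
    return "bad"


def count_checked_guesses(cred: Credential, guesses: Iterable[str], now: float) -> int:
    """How many guesses the prompt evaluates before it locks or a guess succeeds.

    Without the lock-out every entry of a dictionary would be evaluated; with it,
    at most MAX_ATTEMPTS are checked per lock-out window.
    """
    checked = 0
    for guess in guesses:
        result = check_password(cred, guess, now)
        if result == "locked":
            break
        checked += 1
        if result in ("ok", "expired"):
            break
    return checked


if __name__ == "__main__":
    cred = create_credential("correct horse", now=0.0)
    wordlist = [f"word{i}" for i in range(1000)]      # constructed guess list
    print("guesses evaluated before lock-out:", count_checked_guesses(cred, wordlist, 1.0))
```

The lock-out state lives with the credential, not in the user interface, so it survives the prompt being dismissed and reopened; a lock-out that is only enforced by the dialog box is exactly what an automated guessing tool bypasses.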

The PDA security policy editor should always be centralized and integrated with your directory services, otherwise it creates a great deal of administrative overhead.

Web Sites with PDA Vulnerability Information
Once you know what operating system your handheld uses, and how it connects to other systems or networks, you can research the vulnerabilities that could potentially affect your device.

While many independent research and advisory sites contain objective third-party information, so do the vendors that design handheld security software. Be sure to check their Web sites to improve your understanding of handheld security issues.

PDA Security Countermeasures
Countermeasures, or safeguards, are steps you can take to offset the risks of mobile device security threats. The following is a list of countermeasures that you can put in place to prevent unauthorized users from wreaking havoc on your handheld and the company systems and networks with which it communicates:

  • Install a firewall on the handheld that has its rules configured to allow only authorized IP addresses to make connections to the device.
  • Disable all HotSync and ActiveSync features when not in use.
  • Ensure that password lock-out software is enabled to restrict the number of password guesses.
  • Do not store PDA passwords on desktop PCs.
  • Install a reputable anti-virus product on your device to prevent propagation of malicious code (viruses, Trojans, and worms).
  • Strong third-party authentication (e.g. two-factor authentication) software should be installed to protect the device from brute force attacks and password sniffing.
  • Any PDAs or smartphones that transmit classified information should have their connections to third-party systems and networks protected by VPNs.
  • Handhelds that contain sensitive or classified information should have their data encrypted with keys that are at least 80 bits long.
  • Make sure your mobile device is upgraded with the latest security patches.
  • Do not use un-trusted Wi-Fi access points (such as those at coffee shops) since they may not have all their security features properly configured.

PDA Vulnerability Upshot
You should take the time to read about and understand the security features that come bundled with your handheld's operating system. If it lacks basic security features, look into improving the device's security by installing third-party security software. At the very least, install an anti-virus product.

You do not have to be a computer security expert to research the security vulnerabilities that affect your handheld. You need to know what operating system your device uses and how it connects to a desktop PC and the Internet.

From these two starting points, you can research your handheld's vulnerabilities on the Web. When shopping for a handheld, ask the dealer what sort of security features come bundled with it. For example, RIM devices come with a wireless e-mail client that is protected by the Triple DES (3DES) encryption algorithm.

If businesses allow end-users to connect their PDAs and smartphones to the corporate network, mobile device security policies should be established, including rules of behavior as well as technical policies that network administrators need to configure and set up. Mobile device management policies should also be established in order to put management accountability into place.

Adapted from smartphone.com.

This article was originally published on Friday Sep 17th 2004