by Richard Hollis
Companies today do not have a firm grasp of the security vulnerabilities associated with their handheld devices. Personal Electronic Devices (PEDs), Personal Digital Assistants (PDAs), email and paging devices (such as the BlackBerry), and other hybrid handheld communication devices are found in the hands of almost every business manager these days, but their inherent vulnerabilities are largely overlooked. Perhaps this is because of their size, mobility or relatively low cost. Either way, these devices do not register on the radar of most systems administrators and are wrongly perceived as less vulnerable than end user terminals connecting by cable to a LAN, WAN or the internet. The popularity, proliferation and rapidly evolving technology associated with these devices make them extremely susceptible to security vulnerabilities.
There are two general classes of handheld devices: those using the Palm Operating System (OS) (Palm Pilots, Handspring Visor, etc.), and those running Windows CE and Pocket PC (Compaq, HP Jornada, Casio, etc.). Handheld devices are equipped with a wide variety of accessories, from cameras, modems and synchronisation cables to Bluetooth and wireless connections and flash memory storage. Both the Palm OS and Windows CE operating systems have software libraries with applications developed and distributed through commercial, freeware and shareware channels, and as with any software developed by untrusted sources, freeware programs may contain hidden code.
Given their size and portability, the primary security concern associated with handheld devices is their ability to store large amounts of information. Add to this the breadth of communication options available and you have a device that introduces formidable risks. Since the devices are relatively inexpensive, users buy their own or receive them as gifts, and they tend to come into use in an organisation regardless of whether they are approved or not. As such, companies have little or no control over data leaving the organisation on these devices.
A wide variety of vulnerabilities exist when these devices are attached to PCs or other network-connected automated information systems (AIS). Trojan horse and malware programs can easily be installed, creating a backdoor on host networks to permit exploitation, since antivirus products for handheld devices are not as evolved as PC antivirus software and the operating systems currently do not prevent malicious code from modifying system files. Wireless device connections can be intercepted and data captured without the knowledge or permission of the user, as recently demonstrated in well-publicised incidents of drive-by hacking, bluesnarfing and bluejacking. Handheld devices using infrared data transport technology might also be intercepted. Finally, handheld devices by their very nature are small and therefore easily stolen or lost, resulting in sensitive information being disclosed to unauthorised individuals.
The first and best step to getting a grip on handheld devices is to ensure that your company includes them in its written security policies. Companies must issue clear and concise guidelines on what devices may and MAY NOT be used, and for what specific purposes. How the devices are used and the type of information that is allowed to be stored on them will directly affect the overall risk to the organisation.
Good policies will specify the approved configuration of the devices and modes of operation, including whether wireless radio frequency and/or infrared transmission is permitted and whether the user is allowed System Administrator rights on the base PC with which the device synchronises. Clearly define the purpose and acceptable use conditions of the devices. Corporate-provided devices should be used only for work-related activities. Users should sign an agreement to abide by the acceptable use policy. Devices should not be used to enter or store passwords, safe/door combinations, personal identification numbers, or classified, sensitive or proprietary information.
Effective policies should delineate approved connectivity requirements, prohibiting uploads and downloads via wireless or infrared while connected to desktop PCs and stating approved methods for infrared data transfers. Users should be given precise instructions on the requirement to sync their devices to receive patches, fixes and updates. It is imperative that your policies spell out device-specific build and configuration requirements, including firewall, VPN, encryption, biometric, authentication and anti-virus software needs.
Physical security requirements should be simple and achievable, but at a minimum should state that devices shall not be left unattended when attached to a computer, shall be secured with password protection when not in use, shall be reported immediately if lost or stolen, and shall be insured against theft, loss or breakage.
Your organisation should have a mechanism to manage the policies for hand held devices from a central location and establish a registry of all devices in use. This registry should include: serial number, configuration, make and model and to whom the device has been issued. Each device owned by the organisation should be marked as such with an asset tag or other permanent marking.
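As an added illustration (not code from the article or from Orthus) of the central registry and policy checks described above, the following Python script keeps a registry keyed by serial number, records configuration, make, model, holder and asset tag for each device, and audits every device against the policy points the article names: wireless and infrared transmission, password protection, anti-virus software, administrator rights on the sync PC, and regular syncing for patches. The policy thresholds, field names and sample device records are constructed assumptions for the example; the article specifies no particular format or sync interval.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class DeviceConfig:
    """Approved-configuration items the policy section names (field names assumed)."""
    wireless_enabled: bool
    infrared_enabled: bool
    password_protected: bool
    antivirus_installed: bool
    user_has_admin_on_host: bool   # admin rights on the PC the device syncs with
    last_sync: date                # syncing is how the device receives patches


@dataclass
class Device:
    serial_number: str
    make: str
    model: str
    issued_to: Optional[str]       # None: nobody is recorded as the holder
    asset_tag: Optional[str]       # None: not marked as organisation property
    config: DeviceConfig


# Constructed policy values; the 30-day patch window is an assumption, not the article's figure.
POLICY = {
    "wireless_permitted": False,
    "infrared_permitted": False,
    "host_admin_permitted": False,
    "max_days_since_sync": 30,
}


def check_device(device: Device, today: date, policy: dict = POLICY) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings: List[str] = []
    cfg = device.config
    if cfg.wireless_enabled and not policy["wireless_permitted"]:
        findings.append("wireless transmission enabled but not permitted")
    if cfg.infrared_enabled and not policy["infrared_permitted"]:
        findings.append("infrared transmission enabled but not permitted")
    if not cfg.password_protected:
        findings.append("device not password protected")
    if not cfg.antivirus_installed:
        findings.append("anti-virus software missing")
    if cfg.user_has_admin_on_host and not policy["host_admin_permitted"]:
        findings.append("user holds administrator rights on the sync PC")
    if today - cfg.last_sync > timedelta(days=policy["max_days_since_sync"]):
        findings.append("not synced within the patch window")
    if device.issued_to is None:
        findings.append("no recorded holder")
    if device.asset_tag is None:
        findings.append("no asset tag")
    return findings


class DeviceRegistry:
    """Central registry of all devices in use, keyed by serial number."""

    def __init__(self) -> None:
        self._devices: Dict[str, Device] = {}

    def register(self, device: Device) -> None:
        # A repeated serial number is either a data-entry error or the same
        # device re-entered under a second holder; refuse rather than overwrite.
        if device.serial_number in self._devices:
            raise ValueError(f"serial {device.serial_number} already registered")
        self._devices[device.serial_number] = device

    def audit(self, today: date, policy: dict = POLICY) -> Dict[str, List[str]]:
        """Map each non-compliant serial number to its list of findings."""
        report: Dict[str, List[str]] = {}
        for serial, device in self._devices.items():
            findings = check_device(device, today, policy)
            if findings:
                report[serial] = findings
        return report


def sample_audit() -> Dict[str, List[str]]:
    """Constructed sample data: one compliant device and one with several findings."""
    today = date(2004, 6, 1)
    registry = DeviceRegistry()
    registry.register(Device(
        serial_number="PDA-0001", make="Palm", model="Tungsten",
        issued_to="a.smith", asset_tag="ORG-1001",
        config=DeviceConfig(False, False, True, True, False, date(2004, 5, 20))))
    registry.register(Device(
        serial_number="PDA-0002", make="HP", model="Jornada",
        issued_to=None, asset_tag=None,
        config=DeviceConfig(True, False, False, True, True, date(2004, 3, 1))))
    return registry.audit(today)


if __name__ == "__main__":
    for serial, findings in sample_audit().items():
        print(serial, "->", "; ".join(findings))
```

Running the script lists only the non-compliant device with its findings, which is the report a central administrator would act on; refusing duplicate serial numbers at registration keeps the registry a reliable record of which device is in whose hands.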
While handheld devices may currently be a lesser target than networks, end user terminals or laptops for virus and hacker attacks, that won't always be the case. The applications and functionality we see on PDAs today are what we saw on laptops five years ago. What we'll find on PDAs five years from now is what we find on laptops today. The increased power and flexibility in the operating systems will bring greater security risk. The sooner you get a grip on this risk the better.
About the author:
Richard Hollis is founder and CEO of European information security consulting firm Orthus. A seasoned security professional with over 20 years industry management experience, Richard has extensive hands-on experience in designing comprehensive IT security, business continuity and disaster recovery programmes for more than one hundred blue chip high tech companies throughout Europe. His career has included time spent as Director of Security for Philips Communications, Deputy Project Security Director to the US Embassy Moscow Reconstruction Project and numerous sensitive security positions within the US Government. His expertise has been shared via numerous articles and white papers, and in appearances on BBC, Channel 4 and CNN, as well as appearing in print in Time, SC, InfoSec, Computing and Computer Weekly. Find out more about Orthus at www.orthus.com
Send a comment about this article to editor@itwales.com.