
As more employers are issuing mobile devices, the
problem of securing company data is becoming ever more acute. Danny
Bradbury looks at the threats firms need to address
Many employees want to cut their companies' apron strings, go
mobile and go on the road. But although mobile computing has many
benefits, security has to be a key consideration. Experts believe
that a mobile computing culture will never be as secure as fixed
line access behind a firewall because of the insecurities inherent
in radio-based networks such as Wi-Fi and Bluetooth.
"The obvious answer is that sealed, Lan-based access will always be
more secure," says Mike Smart, worldwide vice-president of product
management and engineering at mobile security services company
Gric. "Radio frequencies can be scanned."
Smart says that most of his clients' mobile employees are more
aware of the potential security dangers than non-mobile users and
are more on their guard. Conversely, working behind a firewall on a
terrestrial Lan can lull IT managers and end-users into a false
sense of security, says Phil Robinson, managing consultant at
security services company IRM.
Some of his clients are very poor at securing their Lans and are
failing to put network access controls in place. He recalls one or
two clients that had no access control mechanism for workers inside
the firewall. "If you have a network port connection, you can
access the system holding the crown jewels," he says.
But although some hope that firms will take extra care with their
mobile networks, statistics suggest otherwise. Research released by
the DTI at the InfoSecurity event in April revealed that 68% of the
1,000 UK firms interviewed provide some form of remote access (up
20% from two years ago), but 50% of those companies still have no
security procedures to manage mobile devices.
Given the number of potential threats to mobile users, this is
particularly worrying. The range of exploits runs from the low-tech,
such as tricking legitimate users into giving away access
information, through to the high-tech, such as "bluejacking"
(hacking into Bluetooth devices) and "man-in-the-middle" attacks
on Wi-Fi devices. The latter involves placing a rogue wireless access
point in the vicinity of your PC which impersonates a genuine
access point, passing on your connection to the genuine network
while intercepting data.
Ian Hughes, wireless security consultant at British Telecom's
technology research and IT operations business BT Exact, advises
users of public Wi-Fi hotspots to use a personal firewall on their
notebook PCs while ensuring that file and print sharing is
disabled.
The security mechanisms built into wireless networks all have their
problems, he says. The Wired Equivalent Privacy protocol, part of
the original 802.11b standard, is easy to crack using open source
software such as Airsnort, and concerns have also been raised over
the Wi-Fi Protected Access security protocol that is a precursor to
802.11i.
Hughes is sceptical of the 802.1x protocol, which is designed as a
security overlay for wireless networks. "If you read it as per the
IEEE standard, then natively it only authenticates one-way, but
there are extensions to it," he says. "You have to be clear which
version you are talking about."
Unfortunately, simply encrypting data will not stop an infected or
vulnerable machine from polluting the rest of the network. The move
towards autonomic and policy-based security is designed to mitigate
this risk.
Companies such as Cisco with its self-defending network initiative
are producing network agents that analyse devices when they connect
and make decisions based on the results. This could mean that a
mobile device with an operating system lacking the relevant
security patches is quarantined on a part of the network with reduced
functionality, or is simply refused access altogether.
The problem with such security mechanisms is that they concentrate
on the device rather than the user behind it, meaning that if a
machine is stolen or used illicitly by another party, it could
become a conduit for attack.
Ideally, firms should deploy two-factor security, says Smart. This
would encompass something you have, such as a smartcard, in
addition to something you know, such as a password. However, the
DTI survey reveals that just 6% of companies opted for two-factor
authentication when using mobile devices.
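The admission decision sketched in the three paragraphs above, combining device posture with the user's authentication factors, as an added example in Python that is not from the article or from any vendor it names; the posture fields, the numeric patch level and the rule that a single-factor login is refused outright are assumptions made for illustration.

```python
"""Policy-based admission: decide what a connecting mobile device may do.

Added illustration, not any vendor's product. The posture fields and the
patch-level numbering are constructed for the example."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "full access"
    QUARANTINE = "reduced-functionality segment"
    DENY = "refused"


@dataclass
class DevicePosture:
    os_patch_level: int       # constructed: higher means more patches applied
    personal_firewall: bool   # personal firewall running on the notebook
    file_print_sharing: bool  # should be disabled on public hotspots


@dataclass
class UserAuth:
    factors: frozenset         # e.g. {"password"} or {"password", "smartcard"}


@dataclass
class Policy:
    min_patch_level: int
    required_factors: int = 2  # "something you have" plus "something you know"


def admit(posture: DevicePosture, auth: UserAuth, policy: Policy):
    """Return (Decision, reasons). Identity failures deny outright (assumed
    rule): a stolen device with a clean posture is still a conduit for attack.
    Posture failures quarantine, so the device can be patched rather than
    polluting the rest of the network."""
    reasons = []
    if len(auth.factors) < policy.required_factors:
        reasons.append(f"{len(auth.factors)} factor(s) presented, "
                       f"{policy.required_factors} required")
        return Decision.DENY, reasons
    if posture.os_patch_level < policy.min_patch_level:
        reasons.append(f"patch level {posture.os_patch_level} below "
                       f"{policy.min_patch_level}")
    if not posture.personal_firewall:
        reasons.append("personal firewall disabled")
    if posture.file_print_sharing:
        reasons.append("file and print sharing enabled")
    return (Decision.QUARANTINE if reasons else Decision.ALLOW), reasons
```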
This low level of interest, combined with the ease with which
mobile devices are lost, makes data on mobile clients particularly
vulnerable, even before it travels over a network connection.
Consequently, it is important to encrypt data on the mobile device
itself, says Chris Knowles, consultancy practice leader with
Computacenter.
The problem with encrypting data has been processor power, says
Ollie Whitehouse, director of security architecture at security
consultancy @Stake. Many encryption algorithms chew up CPU time,
leaving small footprint devices unable to cope. He suggests
elliptic curve cryptography, as used by companies such as Certicom,
as a solution because of the lower processing overhead.
But PDAs and smartphones carry other security challenges. Because
most of them are purchased and owned by individuals rather than
distributed by employers, they can be a security nightmare.
With so many makes and models and with many requiring a return to
the service centre for security firmware upgrades, even
policy-based or autonomic security architectures will run into
difficulties handling PDAs and phones, says Whitehouse.
Some of these devices are prone to bluejacking attacks. Nokia, for
example, is releasing software upgrades for selected phones to
address this problem in the summer.
When dealing with phones and PDAs, the best approach is to deploy a
management policy governing how data is held and synchronised on
the corporate network. By taking a universal approach you will be
able to mitigate the risks, but the smaller and more varied the
device, the more of a security risk it creates in any mobile
computing infrastructure.
This article is part of Computer Weekly's Special Report on
mobile IT produced in association with Vodafone