Need to protect your PDA or lock down your laptop? Danny Bradbury looks at how the IT industry is developing protection to shield users from mobile attacks
Just because computing power can fit easily in your pocket does not make it insignificant from a security point of view. Take the Mosquito Trojan horse, for example. It appeared in August, hidden in a hacked version of a mobile phone game of the same name. When run, the program begins sending premium rate SMS messages while users unwittingly play the game.
Mosquito was one of the first serious attacks that has been seen on mobile phones in the wild, but there are others. WinCE.Brador is an e-mail-delivered attack that opens a back door for a server exploit on a PocketPC. And the platform has been exploited by others, too; an experimented, or proof-of-concept worm called Cabir was released in June.
Traditional anti-virus products can tackle these problems to some extent, although the more limited processing power of PDAs and smartphones makes the task more difficult. Companies such as F-Secure provide anti-virus products both for the mobile device and at the operator level - where the network traffic is checked before it arrives at the device.
Mobile phones and connected PDAs are good targets for virus writers because they are often connected to premium-rate services, warns James Pankiewicz, mobility expert at security consultancy Conchango. "It's all about volume. If you can hit thousands of devices and get them all dialling into the same premium services, that's a lot of cash in the bank in a short period of time," he says.
Operators have joined forces with handset suppliers and software developers to create the Messaging Anti-Abuse Working Group to develop a reference architecture and network standards to clamp down on abuse of mobile messaging. The handset makers will be instrumental in stopping worms and viruses.
ARM, which licenses chip designs to mobile device manufacturers, has developed Trust Zone, a technology that sits inside a piece of the core silicon for protected information. Texas Instruments is to include the technology in some future devices.
Trust Zone can switch the system between non-secure and secure states. When the system is in the latter state it can run trusted code, store signatures and provide secure access to peripherals. "What gives you security is the basic separation of the secure and non-secure world in the CPU," says Richard York, Trust Zone programme manager for ARM.
The separation process is being mirrored by the Trusted Computing Group, a consortium originally called the Trusted Computing Platform Alliance. The TCG has developed the specification for a similar mechanism called the Trusted Platform Module to protect trusted code and data.
York says the company is monitoring what the TCG does to support ARM's architecture and, in particular, wireless technology. "Our goal is to ensure that what the TCG wireless working group does is in line with the ARM ethos," he says.
Meanwhile, the TCG has expanded its focus from the PC to all footprints. The widespread roll-out of technologies such as Trust Zone and the TPM is some way off, but when they arrive they may complement another emerging protection mechanism for mobile devices. Client compliance marries the client device and the corporate server to solve one of the biggest concerns for IT managers - ensuring that mobile devices do not infect the corporate network upon reconnection if they do pick up infections outside the firewall.
A TCG subcommittee is working on a specification called Trusted Network Connect to support this idea. "They work on protocols that let you authenticate a device into a workgroup or VPN but also check the trustworthiness of a device," explains Lark Allen, executive vice-president for trusted computing software supplier, Wave Systems.
The problem is that the heavy-hitters are adopting their own approaches. Cisco has its Network Access Control initiative, but Vincent Bieri, security consultant at the company, is unimpressed by the TCG. "At the moment we think that NAC has much greater potential than TCG. We are further ahead than them," he says.
Microsoft has its Network Access Protection technology, which will be in Windows Server 2003 release 2. The result of all this will be delayed customer acceptance.
Jay Heiser, who is moving from security software and services firm TruSecure to become a Gartner analyst, said, "It is not just anti-virus and Microsoft patches that these products have to check; it is the VPN software. VPN suppliers have been working to ensure that the network stack was configured properly on log-on for the past three years," he says. "That is proprietary to each VPN supplier, and how do you integrate that?" Then there are application patches to consider.
If suppliers do not work together, this will take years to achieve. While users wait for all this to happen IT managers can take some other steps to protect their mobile devices. The USB port is a critical weak point.
"Anyone can plug in a USB key. The majority of users are running Windows 2000 and above, and it will recognise the device, copy data, and run hacker's programs," says Joseph Seanor, global managing consultant in the enterprise security group of networking firm Avaya. "Network managers need to protect their data and USB ports - endpoint protection."
These products enable administrators to set local policies dictating the operations that can be carried out on the device. Administrators can also use hard drive encryption to help prevent data theft or access from a stolen laptop. Alternatives to prevent such thefts include Securikey, from the company of the same name, which requires a USB token to be inserted before a user can gain access.
A complete mobile security system will include client and server-side components. Protecting unauthorised port access and encrypting data on the client side will help to prevent local attacks and data theft.
On the server side, client compliance systems are mainly proprietary but choosing some form of policy enforcement is a good idea as a second level of defence, preventing compromised devices infecting your infrastructure. The lack of client compliance support for PDAs and phones means that any smart company with a significant small footprint user base should have an acceptable use and approved device policy.
This article is part of Computer Weekly's Special Report on wireless mobility produced in association with Intel