Wireless security: IT pros warily watching mobile phone threats

Security experts have warned repeatedly that mobile phone attacks will grow as the devices become more sophisticated. IT administrators are starting to believe them.

When McAfee Inc. released a report claiming 83% of more than 200 mobile operators surveyed had experienced mobile phone infections, some IT professionals were skeptical. After all, they haven't seen any phone infections in their environments.

Robert Shullich, senior security technology advisor in the corporate information security office at New York-based Bowne & Co. Inc., said he hasn't seen any malware attacks against phones and PDAs in his company, and wonders if McAfee is "over-hyping this since they sell antivirus."

But he and other IT professionals admit they'll probably see mobile phone attacks sooner rather than later, and they're starting to look at ways to minimize the threat.

"We have many security concerns about mobile devices, including the loss of sensitive data via loss of the device, and someone using the authorized channel between the phone and the corporate server to gain unauthorized access to the network," Shullich said in an email exchange. Phone spam is also a concern, he said.

Eighty-three percent of mobile operators surveyed by Informa Telecoms & Media on behalf of McAfee Inc. between December and January acknowledged they've been hit by mobile device infections. Respondents, who answered questions on a variety of mobile security issues in an anonymous online survey, also acknowledged that:

  • The number of mobile security incidents in 2006 was more than five times as high as in 2005.
  • The number of mobile operators in Europe and APAC reporting incidents affecting more than 1,000 devices more than doubled in 2006.
  • All operators spent $200,000 or more on mobile security in 2006 compared to 2005.
  • The number of mobile operators estimating that the cost of dealing with mobile threats is more than 1,000 hours increased by 700%.

An underestimated risk
Nils Puhlmann, senior manager for enterprise information security at a Fortune 100 company in California, said he hasn't read the McAfee report. But whether the numbers are hyped or not, he does believe people are underestimating the risk to mobile phones -- and the larger threat to company networks.

"We haven't seen any big breaches in this area, so nobody is really paying attention," he said. "Security is reactive, and no one takes notice until something happens."

Sooner or later, something will happen, he said. And the damage won't be limited to the phone itself.

"There's no such thing as just a mobile phone anymore," Puhlmann said. "Some devices have Bluetooth, which means there's some sort of network connection, and we're seeing a lot more email and Web functionality. Anything stored on that device is business property and needs protection."

Several thousand employees in his company use Blackberries, which he said are more secure than some other phones on the market because they were designed with IT management in mind. But employees are eager to try out other phones that may be a lot tougher to manage from a security standpoint, such as the newly unveiled Apple iPhone.

"When Apple announced the iPhone, a lot of people in the company started inquiring about getting one," he said.

Like losing a laptop
In the future, he said, losing a phone may become as problematic for a company as losing a laptop is today. "You can lose a phone that easily has 30 email messages on it, many of which can include sensitive information," he said. "We have a policy that if any of these devices get lost it has to be reported right away. You have to treat it as if you lost your laptop."

Steven Dietz, information security principal for North Carolina-based healthcare services provider Quintiles Transnational Corp., agrees. He also worries that as phones grow more sophisticated, they could become vulnerable to older, PC-based software flaws.

"The smart phone is getting more and more like a PC all the time," he said. "When people can read .pdf or PowerPoint files or even make changes to the document over a phone, the phones could potentially be vulnerable to older flaws that were fixed long ago on the PC side. Embedded firmware makes patching all the more joyous."

Like Puhlmann's, Dietz's environment is primarily Blackberry based. He too likes the added manageability of the Blackberry and said the device has a future in his company. One of the features he likes is the ability to enforce security policies.

"After a certain amount of attack attempts, it locks up and becomes useless," he said. "It transmits data in an encrypted tunnel so it is secure in transit, and we have control of the data, whereas a mobile operator with a smart phone has to manually add on security on their own. Blackberries have more initial security capabilities built in."

But he has tested other phones and believes that in general, mobile phone security is better than it was a few years ago.

"In 2003 I could crack a smart phone with public or private forensic tools," he said. For example, he said, a lot of progress has been made in the security of Windows smart phones.

Advice for users
To ensure the best possible mobile phone security, Dietz suggests IT professionals test as many devices and add-on security offerings as possible to find the technology that's the best fit for their environment. Puhlmann suggests companies address the proper use of mobile phones in their security policies.

"It's a mobile computing device, not just a phone, and you should treat it as such in your security policy," he said.