In-Depth

Lock Down Your Handheld Devices

As the capabilities of handheld devices have grown, so have the threats.

• By Jonathan Gossels and Dick Mackey
• 06/01/2004

Over the past five years, personal digital assistants (PDAs) have evolved from novelties into vital productivity enhancement tools. In some businesses, they have become ubiquitous, and like so many good ideas before them, they came in through the back door. While this speaks to the inherent value of the devices, it also helps to explain why securing them has been largely ignored. As organizations increasingly deploy production applications on handhelds, many are beginning to wrestle with PDA security issues. This article, the first of two, is intended to help you understand the major issues and challenges for using handheld devices securely in an enterprise. The second article will address, at a technical level, general threat categories, specific vulnerabilities, and some security measures you should consider.

Three technologies evolved as significant forces in the handheld market:

• Palm OS devices that evolved from the original PalmPilot.
• BlackBerry devices that originated with two-way pagers.
• Pocket PCs, which are the Windows-based answer to the Palm and other handheld devices.

All three have been adapted to provide contact managers, mobile phone service, MP3 playback, digital photography, calendar support, word processing, and spreadsheet functionality.

Pocket Real Estate—A Limited Resource
As these devices accumulate functions, we think users will become more selective of the devices they're willing to carry. It's likely that convenience will be the driving factor in determining which handheld devices will win the battle for the pocket. However, the most critical features will be those that integrate easily with other services, such as cellular service and Wi-Fi in and out of the office.

Users will want to seamlessly create, edit, access, and transfer files on the local corporate network, connect to e-mail, and print. In other words, handhelds should be as functional as laptop computers.

The popularity of these devices, combined with the demand for seamless integration with services and data both inside and outside the enterprise, will undoubtedly present new security challenges to organizations of all sizes.

Whether your organization uses Palm, BlackBerry, or Pocket PC, the problems will be similar. While this article focuses on Microsoft's Pocket PC, its concepts are applicable to Palm and BlackBerry.

Thinking Big About Small
Organizations today recognize that laptops are as capable and vulnerable to viruses, worms, and other security breaches as desktop computers. Many organizations, however, consider handheld computers in a different light, as if the limitations of those devices somehow eliminate the risks associated with laptops. Thanks to competition and Moore's Law, the processing power, system software, storage, and connectivity of these small computers have increased to the point where such a distinction no longer applies.

Because of their small size and portability, handheld computers are far more likely to be stolen or lost than laptops. In addition, these devices connect to wired and wireless networks everywhere. Network promiscuity increases the risk that employees will expose sensitive information while accessing outside networks. You can't ignore security issues if your organization relies on handheld devices to store and manipulate sensitive information.

Pocket PC operating systems are a large and ever-growing subset of Windows CE. This means that in addition to the vulnerabilities of the physical device and the storage associated with it, network services consumed by the devices or provided by the devices will come under attack. The more services provided and consumed by these devices, the more opportunities attackers will have to infiltrate the device and your organization's infrastructure.

Unfortunately, there is no guarantee that the handheld version of the service will have all the security protections present in the desktop and laptop versions. Consequently, the best course of action is to think about the security of your handheld devices in the same broad context as your laptops, but also look specifically at the weaknesses that might be unique to handhelds. Practically speaking, this means that you need to develop a security program that includes:

• A security policy for handheld devices that is generally consistent with your policies for other remote computers.
• Centralized corporate processes to establish and maintain the security of these devices consistently.
• A set of security products and system settings to protect the security of the device (including virus protection), the confidentiality and security of data stored there, and the authenticity and confidentiality of handheld network communications.
• A process to analyze software capabilities to determine the risks associated with enabling particular platform capabilities.

Ownership and Control
Most organizations buy and control employee desktop computers and laptops. This is not so with handhelds. Employees buy their own handhelds and load their systems with games and other recreational software that sometimes contains viruses or other malicious code. Most organizations lack policies or procedures to prevent the spread of such code. Most individuals are unaware that the free program they downloaded from the Internet to track their golf scores might be putting their organization's IT infrastructure at risk. Consequently, handheld devices are currently the embodiment of an insecure platform.

Because the employee owns his or her handheld, the organization has little leverage to impose an appropriate security policy. How can an organization require an employee to buy additional security products for a personal machine? Or restrict how an employee uses a device? Or develop an effective security program for handheld devices that encompasses every brand and every model (with varying capabilities) available?

The simple answer is to recognize that companies can't control what they don't own. For organizations where handhelds are an integral part of the business, the time for employee ownership of handhelds has passed.

The job of securing handhelds becomes vastly simpler when a organization makes the decision to provide handhelds to employees needing them. Now, the organization can select a specific device and include manageability and security in the selection criteria. It can investigate whether its existing antivirus systems can be extended to cover the handhelds as well. It can investigate whether the VPN solution it uses for its laptops can be used by handhelds. If protection of data is important, it can select a product to encrypt data stored on the handhelds. It can require that the devices be set up with appropriate authentication and password protection.

Not only does the decision to provide handhelds enable appropriate technology choices as noted above, but it also enables the organization to develop and enforce appropriate usage policies. For example, if handhelds are being used for critical production applications—say by investment advisors for a large retail financial firm—the organization should consider the following:

• Develop a policy that states the device is for business use only and that only organization-approved software might be installed.
• Develop a standard build to ensure that configurable parameters are set properly and that layered security products are installed.
• Develop a process to reload the standard build periodically when the handheld is synched and to ensure that uploaded content is checked for viruses and other malicious code.

Developing a plan to effectively secure your handhelds begins with understanding how they are vulnerable. The second article in this series will deal with threats in considerable detail. Consider the following scenarios as a starting point:

• The device is not password protected or the password is taped to the back when it is lost or stolen.
• An attacker intercepts wireless traffic from the handheld.
• A user installs software that contains malicious code (Trojan horse) or downloads infected documents.
• An attacker can access handheld documents when the device is in its cradle.
• An employee uses the handheld in a public network environment (for example, Starbucks) and someone else in that environment attacks either applications or the operating system. (This is possible because these devices use TCP/IP.)
• A competitor or determined intruder uses a lost or stolen handheld device to breach the parent organization's infrastructure. These devices often (at least temporarily) store passwords and encryption keys that in certain circumstances enable access to e-mail, file shares, and other corporate services.

Balancing Convenience and Security
Handheld devices have already drawn a large number of devotees. Many people already find them to be indispensable tools for everyday life, both in and out of the office. As these devices continue to expand their functionality, they become even more attractive. One can easily see how a single device that holds your contacts, calendar, mobile phone, documents, and your link to your office can quickly become the most useful of all office tools.

Organizations need to recognize that if they require users to abandon the use of critical software packages or require an employee to carry multiple devices when one would do the job, it is likely that users will either circumvent the policies or the security controls. Organizations need to recognize that the security mechanisms depend largely on the primary user of the device. As a result, organizations need to acknowledge this inherent trust in the user and choose security mechanisms that discourage attacks but afford a reasonable degree of convenience to the user.

As the capabilities of handheld devices have grown, so have the threats. Fortunately, the threats can be managed. The best way to manage these threats is to simplify the problem. That means selecting a handheld that offers appropriate security and manageability, developing a formal handheld policy, and then deploying a standard build that includes layered security products.

The most important step to take today is to recognize that handheld devices require more, rather than less, security attention than laptops.