Securing Your Handhelds
Deploying handhelds requires understanding the sensitivity of your data, the strengths & weaknesses of your infrastructure, & the needs of your IT team. There are no easy answers.
We argued in "Lock Down Your Handheld Devices" last month that organizations need to recognize that handheld devices require more security than laptops. As the capabilities of handheld devices grow, so do the threats. The best way to manage these threats is to simplify the problem. That means selecting a company-owned, standard handheld that offers appropriate security and manageability, developing a formal handheld policy, and then deploying a standard build that includes layered security products.
This article details the security threats you face. Although our examples are Windows CE-specific, most of what we present applies to all handhelds.
For each threat, you need to think about the policies, procedures, and mechanisms applicable to your organization to mitigate the risks. Keep in mind that security is all about tradeoffs. You have a limited amount of time, money, and energy to spend on each issue.
The first step is to identify the threats. Threats divide themselves into two sections: attacks that require direct access to the device and attacks related to network access. It is helpful to think about an attacker's motives. Is the attacker using the network to cause disruption or to access the device? Is the attacker trying to bypass the installed configuration? What sensitive information are your handhelds privy to?
Attacks That Require Physical Access
When the handheld is inserted into the cradle, it performs a simple device authentication with the base PC and might require a password to begin synchronization. A synchronized handheld in Windows appears as an object under "My Computer/Mobile Device" and synchronization creates a duplicate of the handheld's contents on the local file system.
Anyone with access to the local file system can peruse the copied files, which includes data, operating system configuration, and application information. One could access the files by having direct access to the system or by using a remote network management program such as pcAnywhere or Microsoft Remote Assistant.
If the base PC's sync files are tainted, the handheld will be loaded with whatever the base system has in place, and it will now inherit whatever those problems are, including insecure configuration options, Trojans, malicious code, or modified data files. These programs might subsequently introduce security problems to other handhelds in your organization.
The most significant threat to a handheld is where the attacker has full authenticated access to the device. This happens when a person purloins the device before its screen is locked, password protection isn't enabled, or the thief guesses the password.
In these scenarios, the attacker can access all programs, data, and services that have no post-login protection. For example, if a network service supports automatic login after a user has logged in to a handheld, the service would be accessible to the attacker. This automatic authentication is typical with e-mail, calendars, and even proxies. With full access to the device, the user not only has access to local data, but remote data the device can access. The attacker might delete data, or a particularly devious attacker might install malicious code and return the device to its owner, which leaves the sabotaged device to carry out further attacks.
Attacks That Require Network Access
Modern handhelds come with a variety of network capabilities, and we assume the device has one or more networks enabled. The most common and convenient one is 802.11. While some handheld devices offer WEP, TLS, and EAP 802.11 security configuration options, most handheld networks are unencrypted. Typically, confidentiality is the application's or VPN's responsibility.
Remember that in an 802.11 network there are two opportunities to listen to network traffic. An attacker can be a well-dressed customer in a coffee shop who's not Web surfing but is actually monitoring wireless traffic, or it could be a coffee shop employee who is connected to the access point's wired network. WEP and other 802.11 security features apply only while data is being transmitted over the air. Once the access point receives the traffic, it sends the data in the clear over the wired network.
Another set of networking options has been made possible by the integration of cellular phones with handheld computers. The integration has enabled cellular services like short message service (SMS) as well as IP connectivity over cellular networks. The IP capability allows the user to connect to the Internet and back to the office from wherever there's cellular service. Like the wireless LAN capability discussed above, most cellular networking functions leave security to the application. In other words, confidentiality must be protected by VPNs or SSL.
Regardless of the wireless or application security measures used, handhelds have MAC and IP addresses, and a full set of TCP/IP services and protocols, which make them a ripe target.
The two most insidious network attacks are when someone changes data in transit or takes control of a session from the authorized user. As with any type of realtime modification of network traffic, the attacker accomplishes these feats by monitoring network traffic with a sniffer, intercepts packets, and inserts modified packets. The attacker can modify important transactions or gain control of a session, essentially impersonating the user for the length of the session.
These attacks are possible because most traffic has no built-in integrity protection. Unless a user has VPN or uses a secure version of application protocols, e-mail, remote login, Web transactions, and calendar can fall victim to modification attacks.
Let's assume a handheld has 802.11 enabled with the IP address assigned by DHCP. The device will automatically try to connect when in range of an access point. The hapless owner is probably unaware the device is now a known resource on the unknown network and can be interrogated or sent packets by any device on that network. This could leave the device vulnerable to data mining or direct attack. The attacker has the potential to impersonate all services that don't require authentication, including DNS and Web sites. In other words, the device is virtually surrounded.
Applications on combined cell phone/handheld devices can often be configured to use SMS message reception to trigger activity in other programs. This behavior may allow an attacker to trigger activity that could expose the device to attack or force communications that disclose sensitive information. If an application is designed to exchange cryptographic keys, download mail, or synchronize with a system at the office based on reception of a particular SMS message, an attacker could send that message and exploit a weakness in the communications used by the device.
This would be particularly dangerous if the attacker had physical access to the system and could monitor all network traffic to and from the device. The consequences could be severe if the triggered functionality depends on the obscurity of timing to protect the transaction. For example, if the protocol used to fetch e-mail, login, or update encryption keys were triggered by an event from a centralized server in the form of an SMS message and the protocols were not encrypted themselves, an attacker could force the event and monitor the network for passwords or other sensitive information.
One bit of good news is the number of viruses for handhelds is slight today. However, major antivirus companies are betting this will change and offer software specifically designed to run on common handhelds.
What to Do
First, turn on password protection and set the screen lock timer to an appropriate value. These two steps will go a long way when a device is lost or stolen.
Second, consider network communications. If you plan to use your handheld wirelessly in public places, take measures to encrypt sensitive communications. That might mean a VPN product or it might mean enabling encrypted protocols for particular applications, such as e-mail and synchronization.
Third, ponder wireless configuration and decide whether the convenience is worth the risk.
More challenging issues remain. You'll need to:
- Assess and address the threats to your corporate infrastructure (e.g., e-mail, calendar) brought about your handheld deployment.
- Develop policies regarding the sensitivity of data you'll store and communicate with the devices.
- Deploy appropriate security mechanisms for particular data sensitivities.
- Select handheld security mechanisms that can be managed across the enterprise.
- Educate handheld users regarding threats and their responsibilities.
Deploying handhelds requires thought and planning. It requires understanding the sensitivity of your data, the strengths and weaknesses of your current infrastructure, and the needs of your administrative team in managing these devices. There are no easy answers. It's important that you allow yourself latitude in the policies you define and the mechanisms you choose. Like any new technology, you will find that your initial decisions or plans need to be changed after you've lived with them.