Whether based on Symbian, Palm OS, or Windows CE, smartphones are ripe for compromise and data loss. Yes, these operating systems incorporate some built-in security measures, and third-party products can fill many of the gaps. But our biggest smartphone security challenges are perception and user behavior. Simply put, most of us fail to treat smartphones as computing assets that require business-grade data security measures.
- Lost Smartphones. According to a poll by FusionOne (now Synchronoss), 43 percent of mobile subscribers experience phone damage, loss, or theft. At Los Angeles International Airport (LAX) alone, 400 lost phones are found each month. Most businesses routinely back up servers and desktops, but few treat data stored on smartphones with similar care. A whopping 87 percent of those who lost phones had to manually re-enter their data, and 31 percent lost data stored nowhere else.
- Theft of Service. Stolen cellphones have long been used to place unauthorized calls, creating a huge black market. According to the Australian Mobile Telecommunications Association, GSM carriers in that country have spent over $7M on technology to block calls placed from handsets whose International Mobile Equipment Identity (IMEI) numbers have been reported stolen. But countermeasures like this only work if users notice and report the loss quickly.
- Theft of Proprietary Data. Gartner estimates that each unrecovered PDA or phone used for business costs the employer $2,500. That figure reflects the value of the compromised proprietary data rather than the device itself. Here again, users who wouldn’t think of carrying an unlocked laptop routinely carry unlocked smartphones. Why? PIN-locking an oft-used phone is a hassle, and even well-intentioned users forget to lock their phone. Smartphones raise the stakes because they house more sensitive business data than ordinary phones, including e-mail, corporate logins and passwords, meeting notes, sales orders, and customer contacts.
- Smartphone Compromise. Smartphones have long been a backdoor for desktop infection, carrying Win32 viruses through synchronization and e-mail. But until recently few attacks had been written specifically for smartphones. The WinCE Brador-A backdoor and the Symbian Mosquitos trojan, released a while back, show how carelessness breeds insecurity. Mosquitos, a cracked copy of a legitimate game, racks up charges by silently sending text messages to a premium-rate number. Many smartphone users download games, skins, ringtones, music, images, and video clips with little regard for the file’s source or authenticity, then execute them on phones that almost always lack on-board virus protection, which compounds the risk.
- Bluetooth Exploits. Many smartphones, especially those running Symbian, have built-in Bluetooth. Bluetooth can be used productively to connect wireless headsets, share content with peers, and synchronize with desktops. But it can also be used in attacks, like the Cabir proof-of-concept worm released not long ago, which spreads to nearby phones left in discoverable mode and relies on the recipient accepting the incoming file. Worse, the WIDCOMM Bluetooth SDK used by many smartphones has an unpatched buffer overflow vulnerability that permits running arbitrary code on any device within range that runs the vulnerable stack. Add these recent developments to previously documented attacks like Bluejacking and Bluesnarfing, and you have ample motivation to disable Bluetooth on your smartphone, or at the very least to keep it switched off and non-discoverable when you are not actively using it.
- Mobile Messaging Attacks. Smartphones support popular mobile messaging services like SMS (text) and MMS (multimedia). These services are often billed per message sent or received, or once messages exceed a prepaid limit, so simply flooding a smartphone with unsolicited messages is an obvious attack: on a metered messaging or data plan, overage charges accumulate quickly. More subtle attacks include sniffing unencrypted SMS, using MMS to deliver malware executables, and using SMS trigger messages to DoS, unlock, or wipe already-infected smartphones.
- Unprotected E-mail. According to InfoWorld, e-mail is by far the most popular mobile business application, used twice as often as the second-place app, Sales Force Automation (SFA). Smartphones are typically supplied with cleartext POP mail accounts and familiar e-mail clients like Pocket Outlook. Naive road warriors who lack IT support for their smartphones often forward urgent business mail over POP, exposing both the messages and the POP login in transit; you can watch this happen at just about any Wi-Fi hotspot. Enterprises are more likely to safeguard mobile e-mail with RIM’s BlackBerry service or GoodLink on Palm and WinCE phones. But risks persist even then, as shown not long ago when a former Morgan Stanley VP sold his BlackBerry on eBay without first wiping the corporate e-mail stored on it.
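The two messaging abuses described above, the Mosquitos trojan silently texting a premium-rate number and an SMS flood aimed at one handset, both leave a trail in a handset's message log. The Python below is an added example written for this page, not code from the original article or from any handset vendor: the log format, the short-code heuristic, the window and threshold values, the app names and the sample log lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real handset). One message per line:
#   <ISO timestamp> <IN|OUT> <peer number> <app that sent or received it>
SAMPLE_LOG = """\
2004-09-01T09:00:00 OUT +61412000001 Messaging
2004-09-01T09:05:10 OUT 19991 Mosquitos
2004-09-01T09:05:11 OUT 19991 Mosquitos
2004-09-01T09:05:12 OUT 19991 Mosquitos
2004-09-01T09:20:00 IN +61412000002 Messaging
2004-09-01T09:30:00 OUT 19991 Messaging
2004-09-01T10:00:00 IN +61400000000 Messaging
2004-09-01T10:00:01 IN +61400000000 Messaging
2004-09-01T10:00:02 IN +61400000000 Messaging
2004-09-01T10:00:03 IN +61400000000 Messaging
2004-09-01T10:00:04 IN +61400000000 Messaging
2004-09-01T10:00:05 IN +61400000000 Messaging
2004-09-01T10:30:00 IN +61412000003 Messaging
"""

USER_MESSAGING_APPS = {"Messaging"}   # assumption: apps the owner texts from
FLOOD_WINDOW = timedelta(minutes=1)   # assumption: sliding window size
FLOOD_THRESHOLD = 5                   # assumption: inbound msgs per window


def is_short_code(number):
    """Premium-rate services are usually reached via short codes: a few
    digits with no country prefix (assumption about the numbering plan)."""
    return number.isdigit() and 4 <= len(number) <= 6


def parse_log(text):
    """Turn the log text into (timestamp, direction, number, app) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, number, app = line.split()
        events.append((datetime.fromisoformat(ts), direction, number, app))
    return events


def find_silent_premium_sends(events):
    """Outbound texts to a short code from any app other than the owner's
    messaging client, i.e. the Mosquitos pattern. Returns {app: count}.
    A short-code text the owner sent from Messaging is deliberately ignored."""
    counts = defaultdict(int)
    for _, direction, number, app in events:
        if direction == "OUT" and is_short_code(number) \
                and app not in USER_MESSAGING_APPS:
            counts[app] += 1
    return dict(counts)


def find_floods(events):
    """Senders that delivered FLOOD_THRESHOLD or more inbound messages within
    FLOOD_WINDOW (sliding window per sender). Returns {sender: peak count}."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, direction, number, _ in sorted(events):
        if direction != "IN":
            continue
        window = recent[number]
        window.append(ts)
        while ts - window[0] > FLOOD_WINDOW:   # drop messages outside the window
            window.popleft()
        if len(window) >= FLOOD_THRESHOLD:
            peaks[number] = max(peaks.get(number, 0), len(window))
    return peaks


def analyze(text):
    events = parse_log(text)
    return {
        "silent_premium_sends": find_silent_premium_sends(events),
        "floods": find_floods(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits or "none")
```

On the sample log this reports three silent sends to short code 19991 by the Mosquitos app and a peak of six inbound messages from +61400000000 inside one minute, while the owner's own text to 19991 from the Messaging client is not flagged. On a real handset the useful part is the second check: a per-sender inbound counter is cheap and catches a fee-draining flood long before the bill does.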
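To see exactly what "cleartext POP" gives away at a hotspot, the Python below replays three POP3 sessions the way a sniffer on the same Wi-Fi network would see them: a plain USER/PASS login, a session upgraded with STLS (RFC 2595) before authenticating, and an APOP login (RFC 1939), followed by an offline dictionary guess against the captured APOP digest. This is an added example, not code or captured data from the original article; the session transcripts, the APOP timestamp, the password and the wordlist are all constructed.

```python
import hashlib
import re

# --- Constructed captures (not real traffic). Each entry is (direction, line):
#     "C" = client to server, "S" = server to client. -----------------------
CLEARTEXT_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),
    ("S", "+OK Logged in"),
    ("C", "STAT"),
    ("S", "+OK 3 4550"),
    ("C", "QUIT"),
]

# RFC 2595 STLS: after the server's +OK the stream is a TLS handshake and
# encrypted records; the placeholder stands in for bytes a sniffer cannot read.
STLS_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "STLS"),
    ("S", "+OK Begin TLS negotiation"),
    ("C", "<TLS record>"),
    ("S", "<TLS record>"),
]

# RFC 1939 APOP: the greeting carries a timestamp and the client answers with
# MD5(timestamp + password). Timestamp and password are constructed here.
APOP_TIMESTAMP = "<1896.697170952@mail.example.com>"
APOP_SECRET = "tanstaaf"
APOP_SESSION = [
    ("S", "+OK POP3 server ready " + APOP_TIMESTAMP),
    ("C", "APOP alice " + hashlib.md5((APOP_TIMESTAMP + APOP_SECRET).encode()).hexdigest()),
    ("S", "+OK maildrop has 1 message"),
]

WORDLIST = ["password", "letmein", "tanstaaf", "hunter2"]   # constructed attacker list


def audit_pop3(session):
    """Replay a captured POP3 session and report what an eavesdropper learned."""
    found = {"user": None, "password": None, "apop_digest": None,
             "timestamp": None, "tls": False}
    for i, (direction, line) in enumerate(session):
        if i == 0 and direction == "S":
            m = re.search(r"<[^>]+>", line)          # APOP timestamp, if offered
            found["timestamp"] = m.group(0) if m else None
            continue
        if direction != "C":
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            found["user"] = arg
        elif cmd == "PASS":
            found["password"] = arg                  # cleartext: fully exposed
        elif cmd == "APOP":
            found["user"], _, found["apop_digest"] = arg.partition(" ")
        elif cmd == "STLS":
            nxt = session[i + 1] if i + 1 < len(session) else None
            if nxt and nxt[0] == "S" and nxt[1].startswith("+OK"):
                found["tls"] = True                  # rest of the stream is encrypted
                break
    return found


def crack_apop(timestamp, digest, wordlist):
    """APOP keeps the password off the wire but not out of reach: anyone with
    the timestamp and digest can recompute MD5(timestamp + guess) offline."""
    for candidate in wordlist:
        if hashlib.md5((timestamp + candidate).encode()).hexdigest() == digest:
            return candidate
    return None


def verdict(session):
    f = audit_pop3(session)
    if f["tls"]:
        return "protected: session upgraded with STLS before authentication"
    if f["password"] is not None:
        return "exposed: cleartext password %r for user %r" % (f["password"], f["user"])
    if f["apop_digest"]:
        guess = crack_apop(f["timestamp"], f["apop_digest"], WORDLIST)
        return "weak: APOP digest captured, offline guess %s" % (
            "recovered %r" % guess if guess else "failed")
    return "no credentials observed"


if __name__ == "__main__":
    for name, s in [("cleartext", CLEARTEXT_SESSION),
                    ("stls", STLS_SESSION), ("apop", APOP_SESSION)]:
        print(name, "->", verdict(s))
```

The point of the third session is the caveat: APOP looks like an improvement over USER/PASS, and it does keep the password itself off the air, but the digest it sends is a cheap offline target, so a weak password falls to a wordlist in the time it takes to read the capture. Only the STLS session (or POP over a dedicated TLS port) hides both the mail and the login from the hotspot; that is the setting to look for in the phone's mail client.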
Smartphones, if you want to call them that, are here to stay, but let’s all be smart about data security and protection as we handle corporate information on them. There’s a lot at stake!