Wireless data is coming, and in a big way. In the past, for a variety of reasons, cellular and other forms of wireless data failed to live up to promises of mass acceptance. One of the biggest reasons for this abject failure was the viewpoint that wireless was just another communications medium, which the industry tried to leverage by forcing legacy applications and equipment to cope with low-bandwidth, high-latency connections. So instead of promoting its advantages of convenience and mobility, we promoted its weaknesses.
However, with the proliferation of actually useful mobile devices, like PalmPilots and smart phones, we are seeing the mature viewpoint that wireless is actually its own unique application platform and an enabler of new forms of computing. With standards like the Wireless Application Protocol (WAP), we will be seeing wireless Internet portals with lightweight Web pages suited for access by a population on the go, and mission-critical wireless applications, such as stock trading, will be predominant. These new wireless applications will be a part of every enterprise, and will surely come with their own security issues.
WAP is partially a rebirth of an earlier standards effort, the Handheld Device Markup Language. WAP aims to have its transport protocol closely parallel TCP/IP, without carrying forward the overhead that makes TCP/IP ill-suited for wireless. WAP is intended to operate over any of the different wireless transmission technologies, such as Cellular Digital Packet Data (CDPD), Code Division Multiple Access (CDMA) and Global System for Mobile (GSM). The WAP standard related to security is called the Wireless Transport Layer Security Specification (WTLS). WTLS is based upon its TCP/IP counterpart, Secure Sockets Layer.
A large risk with a wireless network is that of eavesdropping. It has been said that even Craig McCaw, the founder of one of the largest cellular phone networks in the world, does not trust and will not use cellular communications for sensitive issues. While protecting voice communications from interception is a mission of newer wireless networks from a physical transmission perspective, these developments do not preclude the necessity of session-based encryption with WTLS. Standards like GSM and CDPD provide encryption that has proven fairly robust, but past history does not guarantee future success. This month, two Israeli researchers claimed to have found an effective method to crack A5/1 encryption, standard with GSM.
Also, although a supposedly secure GSM phone may be encrypting communications in most cases, it may not be performing encryption when talking to older or other nonsecure systems. It is safest to assume the physical layer can be compromised, and provide another layer of encryption, such as WTLS. Utilization of a higher-layer encryption technology such as WTLS also provides a unifying technology that will work across all different types of cellular transmission technologies.
For mobile phones and personal digital assistants (PDAs) to gain the market acceptance they need for critical applications such as wireless trading, they need the infrastructure for transactional integrity, including encryption, secure authentication and digital certificates. It is one thing to have a secure channel to your server - it is quite another to guarantee that the mobile phone is being used by its rightful owner. Building upon WTLS, we will need to see extensions of public-key infrastructure (PKI) to let e-commerce Web sites issue certificates to WAP clients. Entrust and Certicom are two companies from the security industry that have made product announcements and partnerships in this space, with Entrust having WAP Server Certificates, PKI for WAP and a tool kit for WTLS. Certicom released a tool kit first, WTLS Plus, and has a wide range of early adopters in the wireless community. Certicom makes a compelling argument that its Elliptic Curve Cryptography is a more efficient and secure solution than traditional RSA algorithms for mobile devices with limited resources.
Chances are, if you are already doing wireless stock trading through a broker in the U.S., you are using the cell network's CDPD, rather than WTLS, to encrypt traffic, and hopefully you have a personal identification number for each transaction. It is reasonable security, but not as good as it could be. If you are trading in a public place, keep a firm grip on your PalmPilot.
The vision of wireless as an untethered component of tomorrow's networks and electronic business solutions means new applications will be accessing familiar data. While this necessitates compacted displays and streamlined Web pages, we can't shortcut basic security needs like encryption and authentication. There is only one way to bring wireless into our enterprises, and that is to do it right the first time. This means implementing WTLS into smart phones and PDAs and integrating it with enterprise security systems such as PKI. When you finally have your smart phone with all of these features in place, you can feel as safe using it as you do in using your landlocked computers. Hopefully this will be some consolation when you realize that now you truly have no place to hide.
RELATED LINKS
GSM encryption broken
San Jose Mercury News, 12/07/99.
Microsoft makes wireless bid
Network World, 12/13/99.
Wireless standards support slipping
Network World, 12/13/99.
What in the wireless world is WAP?
Network World, 12/13/99.
