A smartphone is only as smart as its user. This clearly explains why smartphones will soon be in the hackers' crosshairs. However, the subsequent application of appropriate security is a more complicated issue. Where should it be strategically deployed?
The breeding of PC portability and cell phone functionality gave birth to today's ubiquitous "computer-cation" via smartphones. Security soothsayers frequently discuss the upcoming threats facing mobile devices. It's only a matter of time before there's a LANdroid breach, resulting in your CEO carrying a HackBerry and your team of developers sporting 3G spiPhones. Skeptics can view an interesting video and accompanying article about the investigative journaling performed by NBC affiliate WTHR on their website.
It doesn't necessarily take the technical skills of a cell phone phreak (Lucky225) to access your phone account and accompanying personal information, as Obama recently discovered. Plenty of information about cellular technology's dark side is readily available from numerous websites for those eager mischievous minds. In addition to the usual worms, viruses, and bluejacking, automated pre-packaged tools for compromising current smartphone platforms are readily available. There's even a growing market for products advertised by companies for "lawful monitoring" of cell phone activity. The creators of FlexiSPY claim that their software allows one to covertly listen in on someone's phone calls, read the contents of their SMS messages, perform GPS location tracking and even remotely activate a phone's microphone to listen in on the target's surroundings. If one prefers a hardware approach, Paraben's CSI Stick, advertised as a forensic tool, provides instant acquisition of all phone data with the push of a button.
Using two important premises of security, one can construct the following smartphone syllogism:
Smartphones are vulnerable.
Vulnerabilities are exploited.
Smartphones will be exploited.
However a fundamental question remains, "What will happen once they've been exploited?"
Theft of all personal data on the device? Of course.
Malware infestation? Probably.
However, the combination of telecom services with internet accessibility make smartphones an effective tool for unified communications and a potentially powerful tool for hackers. Once it's successfully compromised, your server synced company phone is now an attack tool for its new malicious owner.
Server management applications, intended to leverage the smartphone as a mobile platform, can ease administrative tasks for IT managers. However, once that smartphone is p0wnd, it provides a mobile attack platform, granting hackers a back door and all the tools necessary for taking over a network. For example, Avocent's SonicAdmin Pro gives a BlackBerry or Windows Mobile device the ability to,
"...access any server allowed by their Active Directory profile to view server statistics, shutdown and reboot servers, view event logs, view and manage processes, manage Active Directory user accounts, use Windows services management, user group management, file explorer, file search, file and folder properties, file editor, a command line interface and run commands such as ping, ipconfig and traceroute."
Startech's Conyx allows smartphone users to interface with a serial console, enabling,
"...system administrators and network managers to monitor and control their computers and networks remotely, from anywhere in the world over a TCP/IP connection...allowing access to multiple types of devices and servers without the need to remember IP addresses, logins, or functions."
Smartphones, like all cell phones, have been designed to balance aesthetics and functionality with that of usability. Product reviews comment on these three areas in relation to its price, with usually no mention of security. Unless we can manipulate the line slope of the usability vs. security graph, smartphones will need reengineering towards secure computing.
Organizations must recognize the inherent risks underlying corporate smartphone adoption. Facilitating remote data access introduces a host of new vulnerabilities. Implementing tight control measures over smartphone usage and developing strict policies for remote access management are essential first steps prior to network integration. However, these are fundamental guidelines for introducing any new network technology.
A challenge specific to smartphones, is determining the optimal points for security implementation. Following the communication traffic path, with each subsequent hand-off, provides a good overview for strategic planning. Simplifying this process, one can trace data flow from the smartphone operating system, to the telecom provider, through the Internet, and ending at the company network. This assessment presents several protective options, across different vulnerable areas. Security can be directly applied to the smartphone by addressing aspects of its software, hardware, and networked services. Telecom providers should adhere to security best practices, such as monitoring behavioral call traffic patterns for possible threat signature matches. Most importantly, these devices require the same security management as other PC platforms--receiving mandatory updates, patches and security fixes.
Additional security mechanisms should be considered for enhancing mobile security. Biometric forms of user-to-device authentication, secure password management, and data encryption can strengthen the mobility layers of a defense-in-depth system. Furthermore, despite the questionable efficacy of Network Access Control (NAC), its utilization can help mitigate attacks from zombied smartphones through endpoint compliance.
Remember, just because the technology exists doesn't mean you have to use it. Smartphones may not be for everyone. While still satisfied with my Motorola Dyna-Tac, I may consider the Zune Phone, if it actually materializes at the 2009 CES.
Call me anytime. I can be reached at: greyhat@computer.org