Preparing for the perils of wireless access

Wireless PDAs provide organizations with a huge productivity boost by giving mobile employees instant access to email and other corporate information sources. They also present a security threat that many organizations are not prepared for

By Jacob Stoller

Computer viruses come and go, and thanks to the efforts of hard working network administrators, most of us have become pretty complacent. Normally, the first we hear about a virus is in an e-mail from network security that tells us how to protect ourselves and the company in the unlikely event that the attack makes it through the corporate firewall. However, there’s a new virus out there that’s likely to catch many security people off guard. Code-named “Brador,” the virus in question is different because it attacks personal digital assistants (PDAs). This is just one example of a new virus trend.

In the past, PDAs haven’t been much of a target for hackers, but that appears to be changing. The use of PDAs is becoming much more pervasive; statistics show that they will soon overtake laptops in the number of units sold. The growth rate is expected to increase even more with the wide adoption of smart phones, which are effectively cell phones and PDAs in one. As PDA use becomes mainstream, the information content of the typical PDA is increasingly likely to include confidential e-mails that could contain substantial sensitive data — about the financials of a company, a spreadsheet with sales forecasts, a customer list, or a host of other items. Hacker interest is likely to increase in proportion to the value of the content.

The content of the PDA itself, however, is just the tip of the iceberg, according to Albert Caballero, technical services manager for security software provider CrossTec Corporation. “The PDA can act as a gateway between your external and your corporate network,” explains Caballero. “When you’re mobile with your PDA, you connect it to any number of Internet service providers or corporate providers. You really have no idea what’s going on on their networks. When you come back to your office, what’s the first thing you do? You put your pocket PC into your screen, or you synchronize it with your corporate laptop, or your corporate desktop, for that matter. So in the latter case, that is completely bypassing any kind of network security that has been implemented by your administrators.”

That connection, Caballero points out, could easily transmit a virus to the corporate network. And the fact that many PDAs now use wireless to connect to their networks makes the gateway phenomenon even more dangerous. “Before, PDAs used to connect with a serial port,” Caballero continues. “Now, there are more and more PDAs that connect with just a wireless card. That allows someone, if they can connect to your PDA via that wireless connection, to have access to your corporate LAN, which would otherwise only be hardwired, and they would really need physical access to the building. That’s no longer the case if you have wireless PDAs.”

To clarify, PDAs use two types of wireless connection. For receiving email and transferring data, the connection is made via a special protocol such as CDMA, which connects the device through a cellular service provider. Security is less of an issue here, as most carriers have extensive security infrastructures in place. The link that should cause concern is the 802.11 or Wi-Fi port, which is used to connect to wireless LAN within a corporate facility. This can be done with off-the-shelf equipment that has no built-in security; securing the connection is up to the organization using it. Not taking the proper steps creates the potential for “eavesdropping” by a hacker sitting in the corporate parking lot, to give one example.

What’s particularly disturbing about the Brador virus is that it is what is termed a “backdoor”; a program that allows an outside person, presumably a hacker, to take control of the device. With the right (or wrong) turn of events, an external hacker could use the Wi-Fi connection to gain unrestricted access to a corporate network.

PDAs are obviously vulnerable because they are frequently used in public places, and because of their size, are frequently lost or stolen. But wireless networking use opens up a number of more subtle possibilities for hackers. Hot spots, which are becoming much more popular, are a prime example. Located in coffee shops and other public places, these facilities provide Internet services through Wi-Fi technology. There’s no way to control who could be in the faci-lity with the intent of intercepting your communications. “It’s a minefield out there,” warns Caballero.

There are a plethora of off-the-shelf systems available to protect PDAs from a variety of threats. Virus protection software can screen e-mail attachments to prevent infection. Encryption software can make information on a PDA unreadable for hackers. Remote access Virtual Private Networks (VPNs) can ensure that the wireless connection made within the office is protected. And bit-wiping software can completely wipe out the contents of a PDA that somebody attempts to tamper with.

The challenge with these tools is not acquiring them, but selecting them properly, and looking after them. Each device has to be configured properly, and patches have to be installed continually to make sure that protection is maintained as new threats arise. When your office PC is on the network, this is easy. PDAs are much more difficult for IT departments to keep track of, let alone gain consistent access to. Furthermore, it is common for employees to buy their own PDAs, and they might feel that these devices are their business.

Corporations, however, are legally obliged to secure sensitive data, regardless of who owns the device that hosts it. Therefore, corporate security controls need to be established over any device that connects to the corporate network, or, for that matter, contains proprietary company data. At a bare minimum, there should be a written policy, signed by PDA users, spelling out responsibilities and procedures. For organizations that handle sensitive financial information for clients, it might be necessary to only allow the use of company-issued (and maintained) PDAs with a number of security features installed.

A major challenge is providing a safety net that is comprehensive, while at the same time, not making undue demands on users. According to Roy Pereira, vice-president of marketing and product management for Certicom, a Toronto-based creator of security software for PDAs, “security has to be turned on by default. It has to be unobtrusive. I think a lot of times people forget that. It’s nice to sit in an office and think about zero-risk types of scenarios. But it has to be usable. The leading cause of security breaches is basically an employee turning the darned thing off.”

But the biggest challenge of all might be getting people to think ahead. “Security has always been thought of as something you add later, as soon as you’re feeling uncomfortable or paranoid, or whatever,” Pereira explains. “But really, in a wireless world you can’t think of security that way. You really have to think of security as something that is a feature of the product you buy from day one.”

Jacob Stoller is principal of StollerStrategies, a Toronto-based consultancy focused on technology issues.

Top