Securing consumer-friendly smart phones

Smart-phone security has been a staple for business users, but now consumers are getting the devices--and their security needs are growing.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.

This holiday season, new phones that look and act more like mini-computers than cell phones will likely end up under Christmas trees and in stockings.

But so far, security products designed for individual mobile users--software and systems that keep data secure and devices free from viruses--aren't widely available.

Manufacturers, such as Palm and Research In Motion, have seen great success in addressing the business market with handheld devices like the Treo and BlackBerry. Now they're going after everyday users with affordably priced handsets that allow people to not only check their work and personal e-mail accounts, but also listen to music, send instant messages, take pictures and surf the Web.

Last week, at the DigitalLife technology showcase in New York City, Palm launched the Treo 680, a smaller, simpler Treo designed for the consumer market. Also last week, High Tech Computer introduced its new Wi-Fi enabled phone, the Dash, on T-Mobile's network. Research In Motion released its consumer-focused phone, the Pearl, this summer. And Motorola started selling its Q in the spring.

Most of these phones are priced under $200 when purchased along with a service contract, making them much more affordable than the $500 Treos of a few years ago. As a result, they're much more likely to appeal to everyday users and to a segment of the population known as "prosumers"--consumers who buy gadgets and use them for both personal and business purposes.

Smart-phone protection strategies

What can consumers do to protect themselves today from mobile threats? The U.S. Computer Emergency Readiness Team, which coordinates defense against and responses to cyberattacks across the nation, has listed several tips for smart-phone users to better protect themselves from attacks:


Follow general guidelines for protecting portable devices. Take precautions to secure your cell phone and PDA the same way you should secure your computer.

Be careful about posting your cell phone number and e-mail address. Attackers often use software that browses Web sites for e-mail addresses, which then become targets for attacks and spam.

Do not follow links sent in e-mail or text messages. Be suspicious of URLs sent in unsolicited e-mail or text messages. While the links may appear to be legitimate, they may actually direct you to a malicious Web site.

Be wary of downloadable software. There are many sites that offer games and other software you can download onto your cell phone or PDA. This software could include malicious code. Avoid downloading files from sites that you do not trust.

Evaluate your security settings. Make sure that you take advantage of the security features offered on your device. Attackers may take advantage of Bluetooth connections to access or download information on your device. To avoid unauthorized access, disable Bluetooth when you are not using it.

Overall, analysts believe the new crop of users could boost the total number of people using smart phones. Currently, only about 5 percent of the 220 million cell phone subscribers in the U.S. own smart phones or voice-enabled PDAs. In the next few years, 10 percent of all cell phone users are likely to use a smart phone, according to JupiterResearch studies.

But like the security issues that emerged during the PC and Internet revolutions of decades past, security concerns pegged to the growing popularity of these new connected devices will likely bubble to the surface.

"As prices come down on these phones, we're going to see a lot more people using them," said Iain Gillott, an analyst at iGillott Research. "And just like in the PC market, when there is mass adoption in the consumer market, we're likely to see more security threats."

Malicious software and viruses targeting cell phones exist today, but the risk of users becoming infected is still relatively small, experts say. For one, traditional cell phones are difficult to hack. Many handsets use proprietary operating systems, and they operate over a carrier-controlled network, providing little opportunity for hacking or infecting.

But that's changing. Smart phones are now supporting unlicensed wireless technologies that can be hacked. Most have Bluetooth, a short-range unlicensed wireless technology used to connect devices to accessories like headsets or speakers. And in the future, many will also support Wi-Fi, which connects users to the Internet over unlicensed radio frequencies.

Several Bluetooth viruses have already been identified. Experts say it wouldn't take much for attackers to rewrite Web-based viruses to work on cell phones accessed through Wi-Fi connections.

That said, security technologies can be used to mitigate risk. For example, T-Mobile, which operates more than 7,000 Wi-Fi hotspots throughout the U.S., uses Wireless Protected Access with 802.1x security technology. The WPA technology is designed to make it more difficult for unauthorized people to view data while it is being wirelessly transmitted within a T-Mobile hotspot, a T-Mobile representative said.

But logging in to insecure Wi-Fi networks can be dangerous, because infected devices can wreak havoc once they return to the carrier or corporate networks.

"Users are most exposed to security vulnerabilities where the carrier isn't providing the service, such as open Wi-Fi networks or Bluetooth connections," said Mike Hendrick, director of product development at T-Mobile. "But there are security measures that can be used to minimize these risks, and we encourage our users to turn on security features whenever possible."

Preemptive preparation

Security companies have already started preparing for the onslaught of mobile threats. For example, security company Symantec has embedded its antivirus software in some Nokia devices, such as the nSeries multimedia phones. It's also preinstalled on Dell PDAs.

Another security provider, F-Secure, has been working with carriers in Europe to offer its software as part of a managed service. Vodafone and Orange are two wireless operators using F-Secure's software to offer antivirus protection to subscribers. The company also is in talks with U.S. operators to offer similar services.

F-Secure's antivirus software can also be purchased by individual consumers on its Web site for $34.95 for a one-year license. Symantec also offers antivirus software that can be downloaded from its Web site. It's now available for a 30-day trial on Symbian phones, to which it can be delivered wirelessly and paid for using premium SMS and a credit card. The next Windows release will support the trial and over-the-air payment options.

"Smart phones are more computers than phones these days," said Paul Miller, managing director for mobile security at Symantec. "If users protect their PCs they (like the enterprise) also need to protect the computer on their hip."

While viruses and other malicious software will likely become a threat on mobile devices in the future, experts say there are other security issues that are more pressing today.

"By far the biggest problem for most people is losing a phone or mobile device in the back of a taxicab, or having a device stolen," said Nate Dyer, an analyst at the Yankee Group.

Lost phone, lost data

Smart phones can store a slew of sensitive information, from phone numbers to e-mails to passwords to bank account data. Large companies, especially, see this as a threat. In fact, losing sensitive corporate data has been identified by enterprise IT managers as the No. 1 security risk their mobile work force faces, according to Yankee Group research.

Companies such as Research In Motion and Microsoft, which has developed a mobile operating system running on such devices as HTC's Dash, have products with built-in security features that allow IT managers to remotely delete information from devices if they're lost or stolen. The providers have also instituted secure password controls that require users to enter passwords to log in to mobile devices when they're turned on or when they have been inactive for a certain period.

"Customers want to be assured that the device they are using is protected from unauthorized use," said Alan Panezic, vice president of product management at RIM. "We've been offering many of these features for at least four years. And we also offer the ability to customize the features for customers, especially those in the military or government."

Being able to remotely wipe a device clean is a great feature, but RIM's and Microsoft's solution requires an IT administrator to initiate the commands. Microsoft said that starting early next year, it will allow individuals to remotely delete information on smart phones running its software if they are linked to servers running the next release of Microsoft Exchange software.

U.K.-based Synchronica offers remote memory-deleting software that mobile operators can use to offer security services directly to consumers. Remote XT, a new cell phone data backup and security service in London, is using Synchronica's technology and offering the service to consumers. The Synchronica software also offers secure password protection, and it actually makes cell phones scream if someone tries to crack the password.

"Microsoft and BlackBerry are only addressing part of the enterprise market," said Carsten Brinkschult, CEO of Synchronica. "Our software can also be used for individuals with smart phones. Effectively, we serve 100 percent of the market."

While several security solutions exist today, it can be difficult to put them into practice, because handsets are not built to the same specifications. But that is changing.

The Trusted Computing Group's Mobile Phone Work Group last month released a draft of security specifications that will serve as a blueprint for device makers, mobile software developers and service providers. This should make it easier for security companies to build solutions that will work on a wide array of devices. TCG has already developed similar security specifications for PCs and servers.