Phone security not only a presidential issue

Suzanne Choney • E-mail

It isn't only the president who needs extra security for his BlackBerry. All of us with smartphones that have Internet access, e-mail and the ability to handle sensitive written or financial documents should consider paying closer attention to where and how we're using the devices, experts say.

Most of all, they say, know where your phone is at all times and don't leave it in the care of strangers or by itself on a desk at work. The latter is something a lot of us certainly do.

"There's software out there that will let people image what's on a phone, or download that information in a matter of minutes, put it back on a desk and nobody will know their information is lost," said Michael Kessler, president of Kessler International. The computer and cell phone forensics company works with government agencies, as well as corporate clients and law firms.

"We see that in situations where temporary employees will come into a business, and have access to the work area. People leave their phones on their desks. And it's just a matter of someone picking up the phone, downloading the information from another cubicle, then sticking the phone back on the desk, and you never know your information has been downloaded."

Johannes Ullrich, chief research officer for the SANS Institute, a security research organization, says the biggest threat for cell phone users is leaving their devices behind somewhere, or losing them. And perhaps putting too much data on the device.

"The information stored on a phone should be limited to information that is required while on the move," he said. "Some phones allow the user to store spreadsheets and other office documents. If any passwords are stored on the phone, they should be encrypted."

Check the cab
In a report last fall, "Guidelines on Cell Phone and PDA Security," the National Institute of Standards and Technology's Computer Security Division cited a report which said there would be 8 million phones lost in 2007, including 700,000 smartphones.

The government agency also said that one Chicago taxi company recorded more than 85,600 cell phones and 21,400 personal digital assistants left behind in the company's taxis during a six-month period, compared to more than 4,400 laptops.

So far, NIST noted, problems from malicious software, or malware, including spyware, viruses and spam, have been "limited" on cell phones compared with desktop and networked computers.

The agency said that's largely because of the number of different operating systems, including Windows, BlackBerry, Apple's Mac OS, Linux, Symbian and Palm, on cell phones which helps fragment the number of "potential homogeneous targets."

That also means there is no "one size fits all" security solution for cell phones, but there are some common issues to monitor.

Wi-Fi can be more vulnerable
As smartphones grow in popularity, so too does interest by thieves, not necessarily for the devices but for the information they hold.

That information can be easier to obtain, for example, if you're getting to the Internet using Wi-Fi from your cell phone, versus a wireless carrier's network.

While Wi-Fi  generally transmits data more quickly than 3G, or a third-generation wireless network, it's also more vulnerable unless you take extra steps to encrypt what you do when using the phone.

"Wi-Fi is dramatically less secure than a cell phone network," said Dan Hoffman, chief technology officer of SMobile Systems, which makes cell phone security software, a growing industry.

"If you're on a 3G network, there will be encryption by the wireless carrier. When you're on Wi-Fi, there's not going to be encryption, and your data will literally be flying through the air."

"The phone network is reasonably secure," said Ullrich. "However Bluetooth and Wi-Fi have a number of problems that allow others in the proximity to listen in."

Mobile banking Web sites do take extra security measures to protect users' data. But other sites do not, leaving it up to the user to do so.

"There are ways to encrypt data using Wi-Fi, but it's more an issue of the user being aware" of knowing do to that in the first place, Hoffman said.

Bluetooth awareness
Bluetooth, the short-range wireless technology used in cell phone headsets, can also provide an entry point for an intruder or eavesdropper.

"Depending upon how it is configured, Bluetooth technology can be fairly secure," the federal Computer Emergency Readiness Team noted in a "Cyber Security Tip" sheet last summer.

However, CERT said, "unfortunately, many Bluetooth devices rely on short numeric PIN numbers" — the default, out-of-the-box setting for many headsets is "0000" — instead of more challenging passwords or passphrases. Again, it's up to the user to change the default password.

Without doing so, someone who's within about 30 feet of your headset could access or corrupt your data.

"One example of this type of activity is called 'bluesnarfing,' which refers to attackers using a Bluetooth connection to steal information off of your Bluetooth device," CERT said.

"Bluetooth has been used in the past to trick users to install viruses or to download phone books from the phone," said Ullrich.

MORE FROM WIRELESS

Wireless Section Front

Sidekick phones back on sale after data loss Windows Mobile 6.5 phone gallery Dell smartphone to debut in China, Brazil Review: New BlackBerry Storm improves on original Newsweek: How texting can help you save money Review: Motorola's Droid a serious smartphone T-Mobile says phone service outage resolved Scared of flying? Press the fear iButton AT&T to Verizon: There’s a lawsuit for that iPhone comes to China without key feature Wireless Section Front   Add Wireless headlines to your news reader: