Mobile client security threats shouldn't be underestimated

Malware authors haven't overlooked mobile devices, whose growing computing power now poses an inviting target. Be aware of dangers from viruses and accidental data disclosure.

Organizations go to great lengths to secure their servers, but often neglect the security threats associated with their users' mobile devices. The evolution of mobile devices may be to blame.

Mobile devices have been around for many years -- I remember buying my first one in the mid-90s. At that time, they were expensive, had limited options for connectivity and, to be perfectly frank, you really couldn't do a lot with them.

As a result, users developed a false sense of security around these devices. But there is nothing magical about mobile devices: They face the same security threats as full-blown PCs. The difference is, since hackers favor big targets, the relative obscurity of mobile devices made them unattractive – initially.

Many people still view mobile devices as harmless, but they have evolved into a major security threat. Contributing factors include the following:

  • Mobile devices are mainstream, and almost everyone owns some type of smartphone. As a result, the devices are an appealing target for malware authors.
  • Mobile devices used to be difficult to connect, but many of today's devices maintain constant Internet connectivity.
  • Mobile operating systems are much more powerful than they used to be. This makes the development of mobile malware more practical.

Malware infections on mobile devices
In recent years, malware authors have targeted both Windows Mobile and the iPhone. This is because the iPhone's success can largely be attributed to the number of applications that exist for it. As a result, competing wireless providers and mobile device manufacturers have started to build up the number of applications available for competing platforms, such as Windows Mobile. Therefore, it was only a matter of time before some of the available mobile applications began to carry malicious payloads.

Initially, the viruses affecting mobile platforms were fairly benign. For example, the WinCE/InfoJack Trojan horse that runs on Windows Mobile demonstrates some key viral ingredients such as replication and automatic execution, but it doesn't cause any real harm. Likewise, in October 2009, a proof-of-concept virus for the iPhone was released. This "virus" changed the user's wallpaper, but it didn't cause any additional harm.

But viruses for mobile systems have become malicious in recent months.

For example, in November 2009 someone created an iPhone worm that not only steals data but also allows the attacker to control iPhones in a manner similar to a botnet. As if that weren't bad enough, some hacker websites have discussed the possibility of eventually creating a virus that flashes a mobile device's BIOS in a way that permanently renders the device useless.

For the most part, malware infections on mobile devices can easily be controlled through antivirus software. But such infections are not the only threat to mobile device security.

Protecting data on lost or stolen mobile devices
Another major security concern for mobile devices is the accidental disclosure of sensitive data.

Although most organizations protect their devices with a password, the password is often a four-digit PIN that can easily be guessed through brute force. Once the password is cracked, whoever has the device can access the corporate virtual private network (VPN), the user's email account and any data stored on the device.

Sometimes a thief doesn't even need to figure out a device's password to steal data. Many Windows Mobile devices have a very limited internal storage capacity, but they offer increased storage via an SD or a Micro SD card. Unless the data that is stored on this card is encrypted, it can be removed from the device and inserted into a PC, where the data on the card can be read.

How can you prevent accidental data disclosure from lost, stolen or infected mobile devices? My advice is to use only provisionable devices. Devices running Windows Mobile 6.1 and above can be joined to a Windows domain, so you can secure the devices with group policy settings.

Keep in mind that mobile devices require a completely different set of group policy settings than desktops. However, Microsoft does offer some products that include Group Policy Objects specifically designed for Windows Mobile. The product of choice is Microsoft's System Center Mobile Device Manager. However, Exchange Server 2007 and Exchange Server 2010 also include similar capabilities for locking down and managing mobile devices.

In order to use any of these settings, the device must be fully provisionable. This means that you cannot use System Center Mobile Device Manager or Exchange Server to secure the iPhone, devices running older versions of Windows Mobile, or mobile devices running other nonprovisionable operating systems.
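As an added illustration (not part of the original article), the Exchange Management Shell commands below sketch an Exchange Server 2010 ActiveSync mailbox policy that addresses the three exposures discussed above: the short numeric PIN, the unencrypted storage card and nonprovisionable devices. The policy name, mailbox identity and thresholds are assumptions chosen for the example; the last command audits existing policies for the weak settings.

```powershell
# Run in the Exchange Management Shell (Exchange Server 2010).
# Policy name, mailbox identity and all thresholds are illustrative assumptions.
$policyName = 'Mobile-Hardened'   # hypothetical policy name

# Settings, in order:
#  - require a device password and reject simple ones such as 1234 or 1111
#  - require an alphanumeric password of at least 8 characters
#  - after 8 wrong entries the device performs a local wipe
#  - lock the device after 5 minutes of inactivity
#  - require encryption of device memory and of the SD/Micro SD card
#  - refuse to sync devices that cannot enforce the policy
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a user (hypothetical mailbox).
Set-CASMailbox -Identity 'jdoe@example.com' -ActiveSyncMailboxPolicy $policyName

# Audit: list every existing policy that still permits one of the weak
# configurations described in the article.
Get-ActiveSyncMailboxPolicy | Where-Object {
    -not $_.DevicePasswordEnabled -or
    $_.AllowSimpleDevicePassword -or
    -not $_.RequireStorageCardEncryption -or
    $_.AllowNonProvisionableDevices
} | Format-Table Name, DevicePasswordEnabled, AllowSimpleDevicePassword,
    RequireStorageCardEncryption, AllowNonProvisionableDevices -AutoSize
```

With `AllowNonProvisionableDevices` set to `$false`, devices that cannot apply the policy are blocked from synchronizing, so check the device inventory before assigning the policy broadly.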

There is no silver bullet for securing mobile devices. The only way to truly achieve mobile device security is to take an inventory of the mobile devices in use in your organization, and then configure those devices to adhere to your corporate security policy. In doing so, you may find that it is to your advantage to replace any nonprovisionable devices.

Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.
