Trend

Ensuring secure mobility

Mobile devices seem to be going the PC way when it comes to security. Rishiraj Verma reports

According to the Cellular Operators Association of India and Association of Unified Telecom Service Providers of India there were 100 million mobile phone users in India as on June 2006.

Apart from regular utilities, mobile phones are used by corporates to store strategic information. It is therefore important to secure these devices from hackers and spammers who find fresh ways to attack new technology. This problem is especially serious among smartphone users.

Anirban Sengupta, Principal Consultant, PricewaterhouseCoopers, says, “According to a study done by a leading research group, sales of smartphones, which emerged in 2000, had surpassed 46 million units worldwide by 2005. Smartphones are likely to show an annual growth rate of 94.5 percent through 2008. In fact, Asia-Pacific is likely to be the largest region for these devices in 2006. Though the current penetration in India is low, the Indian market is growing at a rapid pace and it shall significantly contribute in making Asia-Pacific the largest region for smartphones.”

However, mobiles seem to be going the PC way when it comes to virus or phishing attacks. The first mobile virus was found two years back and since then their numbers have increased. As was the case with PCs, mobile phones are being attacked by viruses, spam, phishing, malware and spyware. Mobile phones are compromised through Bluetooth and Multimedia Messaging Service (MMS).

Explains Shimon Gruper, Vice-president of Technologies, eSafe Business Unit, Aladdin Knowledge Systems, “Earlier, mobile phones were not targeted as the devices were simple. With smartphone adoption rising, they have become vulnerable.”

Vishal Dhupar, Managing Director, Symantec India feels, “Most of the mobile threats seen to date are proof-of-concept threats.” However Kartik Shahani, Director, Sales, India and SAARC, McAfee says, “Around 40 percent of the mobile phones in India are smartphones and this number could increase soon.” He says that the mobile security market needs to grow at an equally fast rate if the devices are to be protected.

Rationale behind threats

Sengupta makes a valid point, “Operating systems for handhelds and smartphones have focussed on maintaining a small footprint with low memory usage. Security has not always been the primary focus, while designing handheld devices. Besides, there have been no established standards for these products. Their increasing popularity has created a challenging security situation.”

Vendors of security solutions list out some definite threats to mobile devices. Gruper’s list includes, “Malicious code, viruses and Trojans that can steal personal information stored in phone memory.”

While Dhupar lays stress on physical threats such as accidental disclosure or leakage of private data by employees. “This could be data loss, that is intentional or unintentional,” he adds. Shahani feels that the different ways of communication through smartphones and PDAs could be the biggest threat to both customers and mobile operators. He adds, “Certain viruses can even reset and drain the battery and send SMSs to premium numbers without the user’s knowledge.”

Shahani brings up another interesting point. He says that a single virus may be able to affect more than just one business. “If a large number of users from a single operator are affected, all of them will try to contact the call centre and keep lines busy, thus robbing the call centre of its business.”

Sengupta elaborates, “the ease of mobility of handheld devices within different secured areas, makes them attractive targets for virus writers. Also, like other computer systems, the security vulnerabilities in handhelds may allow the spread of blended threats, which include a combination of different threats like worms, viruses, and Trojans, in the near future.”

The use of Wireless LAN by smartphones can cause security issues, which include eavesdropping of transferred data and unauthorised authentication to the network infrastructure, similar to any computer system.

Prevention vs. cure

Vendors say that while solutions may prevent such instances, the users themselves need to take precautions to make sure that they do not accidentally allow file transfers or downloads which they are not sure of.

Dhupar provides a set of best practices. He says, “Data must be removed from devices that are not in use and users should be educated on security features and threats.” According to him, enterprises must create awareness programmes and centralise security. He feels that security updates are a must and that obtaining advance warnings and keeping operating systems updated will add to the security of the organisation on the whole.

Shahani opines, “The operator could get security features and push them on to the users’ devices.” He cautions that a user must not pair his device with any unknown Bluetooth or Infrared device because he will not be able to differentiate between safe and unsafe files.

Low penetration

Though expected to grow, the mobile security market size is not significant at this point of time. “It may be due to the low penetration of handheld devices and smartphones in India. However, with the increasing popularity of smartphones and the potential security risks, the mobile security market size is expected to grow at a rapid rate,” remarks Sengupta.

McAfee’s Mobile Virus Scan is an agent that sits on the user’s handset. “Anything written into your storage or sent out from the device is scanned,” says Shahani. He explains, “Any malware that is detected by the agent is immediately reported and deleted. As for the updates, the user can simply go to the Web site and download.” He hopes that mobile operators will start providing security updates and save the user’s time. He adds, “We haven’t been hit too hard in India. One big attack will force us to look into it with more seriousness.”

Aladdin Information Systems is offering a gateway-based content security solution, which is installed at the mobile operator’s centre and inspects all the inbound and outbound mobile data traffic (WAP, MMS, HTTP etc.). The focus is on the mobile operator for providing the updates rather than the user downloading them. Gruper explains, “As we know users hardly maintain security on their PCs.”

Symantec classifies its offerings into those meant for enterprise customers and consumers. Symantec Mobile Security 4.0 for Symbian and Symantec Client Security for Nokia Communicator are some of the offerings made by the vendor. “There is an emerging demand for anti-spam and content-filtering solutions,” says Dhupar. “Symantec also offers products that are meant to filter spam in SMS and MMS,” he adds.

The future

According to Dhupar, more proof-of-concept malware is expected to be seen in the near future. “In the long-term, it’s likely that malware will use additional infection vectors such as 802.11x, MMS, and conventional HTTP and SMTP. Malicious code targeting mobile devices is expected to intensify in number and severity. With hackers researching susceptibilities in Bluetooth-enabled devices, the possibility of a worm or some other type of malicious code propagating by exploiting these vulnerabilities is more than likely to increase,” he adds.

Gruper insists, “We definitely see more smartphones being used, which will enable not only voice but data communication. Mobile phones are fast becoming our mobile computers that hold a lot of valuable information. Without adequate security, this information is exposed and leaves us vulnerable.”