Personal digital assistants (PDAs) and other handheld devices were serious enough security risks when users merely synched them with their desktop computers for e-mails, schedules and contact lists. That's because their portability and handheld size made them perfect for, well, stealing or losing.
The security risks are greater today because more and more handhelds support wireless connectivity, whether it be short-range infrared beaming, 802.11 wireless local area network access or even 2.5G or 3G broadband wireless. If a handheld requires a docking cradle to synchronize with the owner's PC, the worst that can usually happen is that a thief would see any data the user had already downloaded to the handheld. Wireless handhelds pose a greater risk because a thief or hacker might be able to use the handheld's connectivity features to connect back into sensitive corporate systems.
The threat is multiplied because, unlike notebook computers, which are usually purchased by and configured for security by the corporate IT department, handhelds are often bought by users who configure them to access corporate systems with little to no thought for security. With many users buying these "toys" and using them to access critical applications, how do you secure them?
A good starting point for PDA security, of course, is to make sure your own wireless LAN security standards are up to par. Be sure, for example, to place wireless access points on isolated network segments and use network-based intrusion-detection tools to detect unauthorized access points and any use of those access points.
Gartner Inc. analyst John Girard recommends that companies rely on application- or transport-level security, such as SSL or IPsec, rather than on the security built into wireless devices. He also recommends security in depth, ranging from the handheld device, through the network and to the servers.
Depending on the sensitivity of the data stored on your handheld devices, here are some of the latest options for these various levels of defense.
Device-based authentication and encryption
To prove a user is who he claims to be, vendors offer a variety of tools that require anything from a simple password to a signature, fingerprint or the use of a password along with a one-time access key sent to the handheld device.
The Palm OS supports popular authentication protocols including the Challenge-Handshake Authentication Protocol (CHAP) and Password Authentication Protocol. Both Palm- and PocketPC-based handhelds can be used as physical tokens for use with one-time access keys, eliminating the need for the user to carry a physical token. Microsoft is licensing RSA Security Inc.'s RSA SecurID two-factor authentication software, while RSA Security has developed a software token for the Windows Pocket PC 2002 platform.
Girard says that hardware- or software-based tokens are more reliable and portable across platforms than signature or biometric-based tools. He warns, though, that a physical token may cost more than the PDA.
PDA Defense Enterprise from Asynchrony Software Inc. provides 128-bit or 512-bit encryption and allows IT managers to enforce password, encryption and beaming policies for both Palm- and Pocket PC-based devices. It includes an option to automatically delete all the data and applications on Pocket PC devices (and selected data on Palm devices) if unauthorized attempts are made to access the device.
PDA Secure Enterprise from Trust Digital LLC encrypts data on both Palm and Pocket PC devices using Advanced Encryption Standard (AES) and also allows administrators to define security policies. Assurency SecureData for the Palm OS from Kasten Chase Applied Research, based in Mississauga, Ontario, aims to ease performance concerns by providing record-level encryption for all data stored on the handheld, decrypting the data only when needed. Security@Hand from F-Secure Corp. provides 128-bit file-based encryption for both the Pocket PC and Palm platforms.
Palm Inc. offers Security Plus, an upgrade to its Tungsten Mobile Information Management Solution, designed for use with its i705 handhelds and/or m500 series handhelds. Security Plus allows IT administrators to make password protection mandatory, set policies for the length and type of password, and control encryption and application access.
On the biometric front, Communication Intelligence Corp.'s Sign-On uses signatures or even a personalized drawing or design to allow users to lock and unlock their devices. Similar capabilities can be found for Pocket PC devices in SafeGuard PDA from Utimaco Safeware AG.
Just as users can be forced to prove their identities to their PDAs, handhelds can be required to prove their identities before connecting to sensitive corporate servers. For example, every communication from a Palm i705 handheld to Palm's Mobile Information Management Solution server must be authenticated with a user name, password and unique device identifier, which can include the hardware serial number or the device's mobile access number.
Authentication and encryption of data in transit
For the Palm i705 and m500 devices, the MIM Solution provides AES encryption for all communications from the MIM server to the handheld. Among the vendors offering authentication and VPN capabilities for the Palm and Pocket PC platforms are Certicom Corp. with its movianVPN, Mergic Inc. with its VPN for Palm OS, SafeNet with its SoftRemote PDA and V-ONE Corp. with its SmartPass for Palm.
VPN use should accelerate throughout this year, says Girard, as vendors such as Check Point Software Technologies Ltd., OpenReach Inc. and Aventail Corp. introduce more "thin client" VPNs that are better suited to the limited processing and memory capabilities of handhelds. Vendors such as Certicom and Diversinet Corp. also offer PKI (public key infrastructure)-based tools to provide authentication and encryption.
It's not clear how inviting a target a handheld device would be for virus and worm writers, or whether it's worth the cost or the effort to regularly update virus signatures to handhelds. However, if you've been attacked or your devices are important enough to you, most of the popular antivirus software vendors offer versions of their tools for popular handheld platforms.
Any security is useless if a user turns it off, which is often the case even with the minimal password protection that ships with almost all handhelds. Despite the grumbling from end users, consider installing software that requires the use of passwords or whatever other security mechanism you are using, on all handhelds.
Finally, in the "easier said than done" department, purchase handhelds or smart phones with corporate money rather than letting users adopt them themselves. Making handhelds corporate assets makes it easier to control their usage and enforce security policies on them – not to mention the IT department can configure them to their liking before users even get their hands on them.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.
This was first published in March 2003