informa
5 min read
article

Smartphones: The Next Generation Of Security Vulnerabilities?

Enterprises are seeing an explosion of smart devices entering the company and accessing their data. Security experts recommend some simple steps to tame the mobile beast
For one semiconductor firm that has invested $500 million in chip technology research, the skyrocketing use of smartphones and tablets in the workplace is restricted -- not because of the threat of malware, but because of the potential leaks these devices might cause to its critical intellectual property.

The company -- a client of mobile device management firm Zenprise -- does not let mobile users access sensitive data from their devices unless the data is fully encrypted and the phone is centrally managed, says Ahmed Datoo, vice president of marketing for Zenprise. Datoo declined to name the client, but said the situation underlines the reason why data loss, not malware, is the primary danger posed by mobile devices.

"[The client's] biggest fear is that if I had one of those engineers that had the blueprints to that technology in an email on a mobile device and that mobile device is left somewhere or it is stolen, that is $500 million [in research and development investment] gone," Datoo says. "And if you think about it, it is so much easier to lose one of these devices than, say, a laptop."

The number of mobile devices that are interacting with corporate environments is skyrocketing, leaving companies wondering how to keep their data from wandering away. In a report released in October, Forrester Research predicted that by 2015, companies will see more mobile devices -- such as smartphones, iPads and other non-PC tablets -- than computers in their networks.

The best publicly known case of intellectual property leaking out on a mobile device was when the phone itself was the intellectual property: the Apple iPhone 4. An Apple engineer forgot a prototype of the phone in a Redwood City, Calif., bar, and the person who found it sold it to technology news site Gizmodo, which published pictures of the device.

Information security departments need to adjust to the new threat landscape, where managing the vulnerabilities inside the company is less about plugging software holes and more about protecting data, says Chenxi Wang, vice president and principal analyst at Forrester.

"If you are going to provide any kind of corporate data to a mobile device and the mobile device is not something that you manage very actively, then you do have to worry about what kind of data you let [workers] access," Wang says.

To make the situation even more complex, each mobile device has a different threat profile. While malware infecting mobile devices is not a significant problem today, Trojan horses dressed up as legitimate applications are an issue. Typically, companies have less to worry from BlackBerrys than Apple's iPhone, Wang says. And because Android users can download software from places other than the Google-run Android Market, Android-based devices could potentially be the most susceptible to attacks via software.

In fact, researchers earlier this month demonstrated two flaws in the Android OS that could allow attackers to install applications on Android-based devices without the owner's knowledge. At a recent Intel security conference, Jon Oberheide of Scio Security and Zach Lanier of the Intrepidus Group demonstrated that malware could be loaded onto a device by exploiting vulnerabilities in a fake add-on for a real Android game.

The second flaw, found by a researcher known as Nils, exploits an incorrect setting in the browser on an HTC-brand device.

The versatility of smart devices is another reason companies should monitor their wireless networks, says Pravin Bhagwat, CTO for AirTight Networks, which sells products that do so. While compromised devices are a danger, the small form factor of most mobile devices means attackers could load in a variety of attack programs in a smartphone and find a way to have it delivered to the corporate office. Once inside the network, the phone could be used to exfiltrate data, Bhagwat says.

"Until now, the [wireless] hacker was a person sitting in a parking lot with a laptop and a lot of gear," he says. "Now, all of these attack tools are available in a form factor that fits in your hand."

Companies, then, should monitor their wireless networks to detect rogue devices and attacks as well as manage devices remotely, so that they can be locked or erased if lost or stolen, experts say. Increasingly, however, mobile devices are not owned by the company but by the employee. For that reason, companies have to develop mobile device security policies and discuss those policies with their workers, says Shun Chen, director of product management for mobile-device management firm MobileIron.

"Unlike laptops and desktops, where it's owned by the enterprise, these are mostly end-user devices," Chen says. "There's a lot more end-user privacy concerns. How do I manage privacy concerns versus my security and compliance policies?"

Privacy issues could also come to the fore, experts say. Should companies track an end user's location, archive SMS messages, and track phone calls? Those are decisions companies will have to consider as they develop mobile security policies.

The intersection of corporate policy and end-user-owned mobile devices could be the hardest hurdle to leap, says Forrester's Wang.

"Once you consent to give them access to corporate data on a personally owned device, the company tends to impose some level of policy in terms of security and operational procedures on the personal phone to allow employees to access corporate data," she says. "Employees want to access corporate data, but they don't want to give up too much control."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.