Ten dangerous claims about smart phone security

Our columnist sees Barack Obama with that BlackBerry and shudders

1 2 3 4 5 Page 2
Page 2 of 5

2. It's stable, just like any other purpose-built appliance.

Don't assume that the lack of operating system patches and application updates for a smart phone means that they aren't needed. In the short history of mobile malware, Symbian received bad press by playing host to the first, the Cabir worm. However, Windows CE wasn't far behind with the Duts virus and Brador Trojan. Even single-purpose network devices are periodically found vulnerable to network and service exploits, and vendors ought to make updates available in a timely manner.

The bad news is that mobile platform vendors are still very slow to issue operating system and application patches. The only practical way to mitigate this is through a mix of process and technology: Teach users proper skepticism of e-mailed attachments and unexpected connection or update confirmations, and implement anti-malware  programs for those who just keep clicking "OK."

3. Communications are encrypted from end to end.

BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers. Beyond that point, e-mail, instant messages and file transfers may be transmitted unencrypted over the public Internet by default. 

This is less of a concern for closed organizations where everyone involved uses the same services, but vendors, partners, consultants and others outside the organization often use their own e-mail addresses and smart phones on other carriers. There's no guarantee of message encryption in these cases, and the risk is no better or worse than any other Internet e-mail.

4. The connection's secure unless I use Wi-Fi in a cafe.

Some might be concerned about the cellular connection itself. The GPRS and EDGE data protocols used by T-Mobile and Cingular are based on GSM, and GSM authentication algorithms such as A5 have been broken in ways that allow a motivated eavesdropper to reconstruct voice and data conversations with only a few thousand dollars of equipment. CDMA and associated algorithms are mildly more secure (PDF format), but many carriers choose not to implement all of the security controls available because of performance and handset compatibility.

Use a VPN to mitigate this problem for sensitive data and make sure essential services are encrypted at the application level using SSL or similar protocols. While it might seem redundant, using a voice-over-IP client through a smart phone's VPN data connection is one way to ensure that voice calls are private. Direct SIP-compliant VoIP clients are best for this; closed-protocol applications such as Skype Mobile may try to route across a public connection even if a VPN is available. It also may relay connections between NAT endpoints through random clients on the Internet, so it's not a good candidate in this scenario.

It's also worth noting that VoIP with AEC, one of the features of Windows Mobile 5, is not encryption. AEC refers to Acoustic Echo Canceling, not the NIST Advanced Encryption Standard ("AES ") described in FIPS 197.

1 2 3 4 5 Page 2
Page 2 of 5
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon