Ten dangerous claims about smart phone security

Our columnist sees Barack Obama with that BlackBerry and shudders


9. Spying on my smart phone is hard.

Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in; they just become slave USB devices and give up all your data. Worse yet, a rogue employee, jealous husband or political opponent can buy backdoor malware ... uh, "remote phone monitoring" software here and keep ongoing tabs on communications. If they manage to install the spendy version on your phone (or trick you into doing it), it even includes remote microphone activation and generates a tidy Excel spreadsheet of your activities each day.

Flexispy is cheap, oriented toward consumers and very worrisome. It's only available for Symbian so far, but less-polished remote viewing software or illicit copies of management tools are available for BlackBerry, Windows Mobile and other platforms. It's not clear if anti-malware products send alerts upon finding these, so the best policy now is to educate users on physical security and admonish them not to install unexpected software or updates.

10. Abuse is minimal because the network and phones are constrained.

Four words: Remember ASCII art porn. Network miscreants will work with what's available, and resource limitations only make those inclined to misbehave do so in more creative ways. The difference is that smart phones are quite capable, and modern 2.5G and 3G phone networks provide surprisingly adequate bandwidth. For example, there are now multiple BitTorrent clients for Symbian as well as other platforms, some phones are adept at seamlessly switching between cellular and unsecured Wi-Fi networks, and with the price point for 4+ GB flash cards dropping below $100, there's lots to worry about.

To paraphrase Steve Jobs, misuse of technology is a social problem, not a technological one. Having a well-defined policy for the use of converged devices is essential prior to deployment. Conversely, rolling out smart phones without proper guidance will lead to all sorts of havoc. Users might respect pay-per-minute airtime as a corporate asset, but unless instructed otherwise they'll think of flat-rate data services as free connectivity on someone else's network (not covered by your policy), and the phone itself as corporate tribal adornment suitable for display anywhere, anytime.

More to consider

Am I advocating Naomi Campbell's method of disposing of one's fancy mobile? No, in fact, just this month I bought a new smart phone. While I'm no fan of troublesome devices -- two colleagues recently commented that their new WM5 phones rarely crash more than once per day now -- mobile e-mail and Internet access are quickly becoming de rigueur. I made a list of the functions I needed and tried to avoid models that included features I would not use or could not secure.

Readers looking for a structured set of criteria for evaluating and selecting a specific smart phone product are encouraged to read NIST Special Publication 800-48 (PDF format). It's a little dated, but when mobile system and application developers are rediscovering every mistake they made a decade ago with remote desktop and laptop systems, these old documents are right on the mark.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He is currently a senior security consultant in Seattle, where his advice has been ignored by CEOs, auditors and sysadmins alike.

This column has been edited to correct a misstatement: The Symbian OS is in fact owned in part by Nokia and Sony Ericsson.

Copyright © 2007 IDG Communications, Inc.