Love them or hate them, there’s little disputing that devices like Apple‘s (NASDAQ: AAPL) iPhones, iPods and iPads herald a vast mobile wireless world. We haven’t built this exciting new world without considering security, have we? I sure hope not.
Of course, to be fair, there’s a lot more in this field than just Apple’s products. Indeed, the mobile wireless world as a whole has exploded in the last few years. Wi-Fi hot spot usage has skyrocketed, and all the big telco players are providing pretty respectable 3G (and 4G) coverage.
Not only are there tons of mobile wireless products out there, but we’re starting to use them for more and more important tasks. They’re far more than simple mobile phones and rolodexes these days. Indeed, I started out writing this column on my iPad while waiting for a meeting in a local Starbucks. My iPad has become not just a delightful, entertaining toy, but a real productivity device for me.
But how secure are we as we move around and do all of these important things? Certainly, our devices and the networks we use them give us plenty of opportunities to make silly mistakes. But a knowledgeable consumer has a variety of settings and tools available to do things securely. If you aren’t taking advantage of them, read on.
One of the biggest risks with mobile devices is that they will be lost or stolen. Another is the dreaded “coffee shop attack.”Mobile devices are, of course, highly portable. Their size makes them easy to misplace, and easy for someone else to snag them. There’s a decent chance you or one of your employees will at some point lose a smartphone, tablet or other mobile wireless device. It’s trivial to drive to the nearest store and buy a new one, but what happens with all that important information on the device? How can we protect it? Here are a few tips to consider:
o Lock the device. Pretty much every mobile device can be locked down, requiring a password to access it. Some will even wipe out their data after some pre-set number of failed log-in attempts. Learn your device’s lock settings and use them to their fullest.
o Minimize the data you store on the mobile device. If you’re editing a document or two, that’s fine, but don’t use the mobile device for long-term storage of sensitive data. And if it’s too sensitive to lose, don’t put it on the mobile device in the first place.
o Find-me services. Some mobile devices have features, such as Apple’s MobileMe service, that allow you to search for the device if it’s lost. The moment you realize your device is lost, go straight to the find-me service and see if you can find out where it is. MobileMe allows you to remotely wipe the data on a lost or stolen device. Do that without hesitation — before you try to negotiate the safe return of your device.
And then there’s that coffee shop attack. You take your shiny new mobile device to your favorite coffee shop (or hotel, airport lounge, etc.), log in to the Wi-Fi service, and start doing cool stuff on the Net. But anyone on that same Wi-Fi segment can eavesdrop on all of your communications. With many configurations, it’s quite likely that the attacker can collect your usernames, passwords and other sensitive session credentials for Web sites, e-mail services and applications.
The coffee shop attack is absolutely trivial to execute. Your attacker only needs some freely available tools like Snort, Wireshark or any of dozens of others to make every packet of data on the wireless net his for the taking. And it’s shocking just how many popular sites don’t use encryption to protect your sensitive data while it is in transit between your device and the site.
But again, there’s good news to be found. Most mobile devices these days support several options that can help us keep our sensitive stuff safe. Here are some things to consider:
o Encrypt your network data. The best defense against the coffee shop attack is a virtual private network (VPN) . Even if you’re not accessing company resources, it’s still a good idea to enable your VPN. All your data on the local Wi-Fi should then be traveling in an encrypted tunnel, safe from the coffee shop attackers. Most large companies have VPNs in place these days, but even small companies can get a VPN-ready router or server that isn’t that pricey. In fact, individual users can easily put VPN server software on their home PCs. (Just be sure you’re not violating your ISP’s acceptable usage terms.) Alternatively, there are several free VPN services available on the Internet. Of course, somewhere upstream, where your VPN resides, any normally unencrypted traffic will exit the VPN envelope and become unencrypted again, but that still protects the data from the coffee shop attack.
o Encrypt your application data . Even with a VPN, it’s still a good idea to turn on encryption whenever feasible. Many e-mail services offer SSL-encrypted options. Use POP3S instead of POP3; use IMAPS instead of IMAP; and use SMTPS instead of SMTP. It generally takes some jiggling with the e-mail configurations, but if your server supports SSL of these protocols, you’ll be further protecting your log-in credentials and e-mail traffic as they travel through the network.
o Unfortunately, there aren’t too many options for encrypting the locally stored application data on the iPad and iPhone yet. I hope that changes over time, but for now, you do need to know that documents, presentations and most other application data stored on the device is most likely not encrypted. That is why you need to minimize your exposure, as suggested above.
o Avoid the really sensitive stuff when you’re mobile. It’s probably not a good idea to do high-stakes work while you’re wireless in your favorite coffee shop. There is, after all, another type of coffee shop attack you should be careful to avoid — someone physically seeing sensitive data on your screen. A mobile phone or small camera can quickly and easily take a snapshot of the data on your screen for later examination, and probably without you noticing. So forget about doing things like filling out a credit application for a new car at the local hot spot; you don’t know who might be hanging around just waiting for the chance to grab people’s names, Social Security numbers, addresses and other high-value, sensitive data.
Of course, these lists are just a starting point, but they should give all of us food for thought while we enjoy exploring these amazing toys business tools.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University’s CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
