Handheld computing devices, like Palms and Pocket PCs, play an essential role in many people’s lives.
They often store confidential contact and schedule information and, with their increased computing power, networking capability and application support, are the natural home for sensitive reports and passwords. Unfortunately, many corporate security departments have not kept pace with the changing nature of these devices and have turned a blind eye to the threats they pose to their corporate data.
This brief article is intended to help you better understand the real threats that handhelds pose to your data and infrastructure and how you can start to address the problem.
IT security departments in most large organizations have their work cut out for them keeping up with the threats and countermeasures associated with traditional computing and networking devices like laptops, desktops, servers, firewalls and VPNs. Unfortunately for the security professional, the increased power and functionality of personal digital assistants (PDAs) has added a new set of devices to the enterprise computing mix. Handheld computers, or PDAs, come in all shapes and sizes, from the common organizer to cell phones and two-way pagers that incorporate much the same functionality. While these computers have made their way into many organizations, most IT departments have not recognized them as their responsibility.
A PDA has become every bit as much a computer as a laptop. In fact, although the popular Palm family of devices runs an operating system specifically designed for PDAs, Pocket PCs run system software derived from Microsoft Windows. Furthermore, some PDAs even run Linux. Layered on these operating systems, PDAs not only run scheduling and contact management software, but also receive and store email, and support word processing, spreadsheets, browsers and a host of other applications. Rich application support means that a handheld user can transfer important documents to this extremely portable device and read them, edit them, and even transmit them to others.
Herein lies part of the problem. Handheld devices are so convenient that they are the natural choice for storing some of the most critically sensitive information people have, their passwords. This was true even before these devices became packed with a complete set of application software.
Rich application support has only exacerbated the problem. Copies of databases, account data, proposals, and sensitive technical and financial documents are finding their way onto handhelds.
Unfortunately, these problems, though very real, go unacknowledged by many IT departments because PDAs are not considered supported or real computing platforms.
Time to acknowledge PDAs
The big step that organizations have been hesitant to take is to recognize PDAs as real computers that store real data and can be the target of real attacks. Once an IT department acknowledges the platform, the next step is to understand the threats to PDAs and how those threats should affect the policies and practices for the platform.
For example, one the problems with PDAs' second class status is that organizations avoid the issue of setting policy for the kind of information that is allowed on the device and what protection mechanisms should be used to safeguard the data stored there. Without policies, users let utility and convenience dictate practice. Consequently, all sorts of sensitive information resides on these devices, unprotected, uncontrolled, and unaccounted for.
The solution is to acknowledge these devices as real components in your corporate computing infrastructure. If your organization is like most large companies, this first (significant) step will allow you to study the threats, and the products available to counter those threats, and to establish ground rules for your organization's use of PDAs.
What are the threats?
The threats to PDAs are virtually the same as those to laptops. They can be the target of both physical and network based attacks.
Due to their small size, PDAs are easily misplaced or stolen. The main threat in this case is that an attacker, after having physical access to the device, gains access to the confidential information stored on the PDA. PDAs, like their larger laptop cousins, share some of the protection mechanisms designed to prevent unauthorized access, such as passwords or database (or file) encryption
Handheld computers support password protection at power on. This is the minimum protection IT departments should require of their users. While earlier versions of the most popular PDA operating system (PalmOS) were susceptible to backdoor attacks that bypassed password protection, later versions (4.1 and later) addressed this problem and appear to be more robust. The password protection on the latest PalmOS prevents brute force attacks, enforces password strength, and can be centrally managed.
Windows and Linux operating systems, like their larger cousins that run on laptops and desktops, support password protection. Like their larger counterparts, these operating systems are inevitably found to be vulnerable to attack. The only way to protect oneself from these problems (regardless of the platform) is to monitor vulnerability reports and update the software when necessary.
PDA file systems (a.k.a., databases) typically do not support access control based on the identity of a user. However, add-on products that provide this functionality are available. These controls may be useful if a user must allow multiple users access to the device, but the most effective technique is to deny access to anyone other than the owner of the device.
The third type of protection, database encryption, prevents an attacker from gaining access to sensitive data through direct physical access to the device.
PDAs have become extremely capable networked systems. They come equipped or can be expanded to communicate via modems, 802.11 wireless, Bluetooth wireless, cellular, infrared and Ethernet networks.
This makes the devices a potential target of both active and passive attacks. Active attacks are characterized by an intruder attempting to gain access to information or functionality on the device via its network connection. Passive attacks are the interception of network communications (i.e., eavesdropping).
Users can prevent passive attacks by using encrypted channels. Both Palm and Microsoft PDA operating systems provide built-in support for encrypted protocols like SSL and IPsec. The challenge for users is to ensure that both the handheld computer and the office are configured to use one of these secure protocols.
Unlike desktops, laptops and servers, most PDAs do not provide a set of default networking applications like file sharing, telnet or FTP. In other words, PDAs do not typically wait for unanticipated network communications. Instead, a PDA's functionality is largely determined by the applications it runs. Many applications, such as email programs and web browsers, utilize TCP services over both wired and wireless networks but do not accept unanticipated packets. In other words, while active attacks are theoretically possible, they depend on the applications installed on the device and thus far, have not been very common.
A related and more immediate active threat is the data synchronization mechanism built into PDAs. Most PDAs can be synchronized over serial lines and networks. However, synchronization is initiated from the PDA, not by an outside attacker. Therefore, we'll deal with this type of attack in the next section.
The lost or stolen PDA
The convenient small size of a PDA makes it much more likely that the device will be lost or stolen. This is understandably most organizations' biggest concern regarding PDAs. A PDA in an attacker's hands poses multiple threats.
The device may have sensitive data on it that may be accessible to the thief. An attacker with physical access to the device can attempt to get access to the data stored there. To protect against this attack, PDAs provide optional password protection. In other words, if the option is not enabled, anyone with access to the device can read all the data.
The device may also provide a way to access data and services inside your enterprise via remote access mechanisms. In addition to storing sensitive data, PDAs often support downloads of email and file synchronization over modems and internet connections. It is standard PDA program development philosophy to support 'one button' synchronization. In other words, the philosophy suggests that the user should not be prompted for usernames or passwords on the connection. This level of convenience may allow an attacker to download your email or continue to download application data to the PDA until the synchronization mechanism is disabled back at the office.
Lastly, a stolen PDA may turn up with different software than when you lost it. Without password protection (or with a weak, easily guessed password), the thief who borrowed your PDA could install software on the device that might use the PDA's network connectivity to gather data and send it back to a system on the internet.
The primary protection mechanism against these types of attack is a strong password. Additional, more powerful measures are also available for PDAs, including encryption of the PDA's databases, account lockout after a configurable number of login failures, and password strength enforcement. These features are typically available as add-on software packages and are offered by multiple third-party vendors.
Some security management packages for PDAs can be configured to automatically download settings for encryption, password strength, and lockout for a set of managed PDAs. This sort of tool makes it much easier for an IT department to manage the security of these devices.
The usual suspects
In addition to the concerns of eavesdropping and physical theft, PDA owners need to concern themselves with the same problems all computer owners face, namely, virus protection, software trustworthiness, and software quality.
PDA viruses have already caused problems for users. Consequently, the vendors of virus protection products for PCs have produced products to detect and eradicate these viruses. The trouble is, without a policy and a virus protection program in place, many users don't regard this protection as necessary.
Software trustworthiness is another way of saying that any software you have on your PDA needs to come from a trustworthy source. Trojan horse software may find its way onto PDAs through a game or utility you downloaded. Here again, a policy describing the software that can be installed on these devices goes a long way toward protecting users from this type of attack.
Finally, PDA software is continuously being updated to address functional and security problems. A critical part of maintaining the security of these devices is to install critical updates as they become available. Users need to know these patches are necessary and available. That's where policy comes in. Furthermore, the easier an organization makes it to keep a device up to date and secure the more likely users will actually comply.
Keeping a PDA current with the latest patches can be accomplished through vigilance on the part of each user, but enterprises are much better served if a centralized authority takes care of monitoring vendors for patches and provides a mechanism to update everyone's PDA automatically.
As PDA devices have become more powerful in storage capability, processing, networking, and application support, their use in corporations has skyrocketed. Unfortunately, most IT organizations don't acknowledge these devices as bona fide members of their computing environment. Consequently, organizations neither understand the threats that these devices pose to the enterprise nor do they take steps to protect against them.
There are many products on the market to help protect the contents and functionality of PDAs from being used to steal information and penetrate your corporate infrastructure. Unfortunately, these products need to be selected, mandated, installed and used. This requires real management effort on the part of security and IT departments and this effort doesn't come for free.
The short story is, these devices are real, pose real threats, and need to be treated that way. It's time to incorporate PDAs into the policies and practices used for other computing platforms.
Richard E. Mackey, Jr., is principal with SystemExperts (www.systemexperts.com).