Cell phones and personal digital assistants (PDAs), like BlackBerries, now offer a range of features that make them essentially equivalent to handheld computers. “They’re about where laptops were about 10 years ago,” says Gartner vice president and research director John Girard.
Called smart phones by the industry, these devices offer great convenience and can enhance productivity. But as with other technology, security risks come with that promise. Companies need to be aware of the risks and proactive in countering them to protect proprietary data that may otherwise be compromised by such mobile devices.
Risks
Part of the problem is that people still view these handhelds simply as phones or scheduling tools. They do not think, for example, about the data stored on a mobile phone and how easily that information could fall into the wrong hands if the phone were lost, stolen, or hacked. Lawyers can lose their client information, sales executives their marketing strategies, and doctors their patients’ health data.
Portability exacerbates the problem, because it makes these devices easy to misplace. A study by Redwood City, California-based Check Point Software Technologies found that over a six-month period, more than 21,000 PDAs were left in taxis in Chicago alone.
In another example of how these devices put data at risk, Trust Digital bought nine phones randomly off eBay. Engineers at the McLean, Virginia-based firm found nearly 27,000 pages of data on the phones including personal tax information, corporate sales notes, and business client records.
Malware. Added to loss or theft is the emerging risk that phones will become malware-infected. According to McAfee Avert Labs in Santa Clara, California, the current worldwide mobile malware tally is about 450. That’s not many compared to the company’s PC malware count of about 400,000. Many of those 450 were also proof-of-concept, meaning they weren’t actual attacks.
To date, mobile devices in Europe and Asia are attacked by malware more often than in the United States. One reason is that they tend to present a more profitable target; mobile financial transactions are more common in those regions. But the risk is likely to rise in the United States as Americans increasingly use handhelds to surf online, conduct commerce, and bank.
Simply visiting Web pages and downloading attachments creates new malware venues. “We do believe the reality today is changing. You’re going to start seeing targeted attacks in the way you do with other endpoints,” says Jeff Aliber, senior director of product marketing at Woburn, Massachusetts-based Kaspersky Lab.
All malware is becoming more profit-driven. Some recently discovered mobile viruses, such as three variants of the Viver Trojan detected by Kaspersky Lab, fit this trend. Written for Symbian OS—an operating system common outside of the United States—the viruses, once on a device, send text messages to premium-rate Russian numbers. There is a charge for each text message.
Such scams used to require user interaction, but the new viruses automatically send messages as soon as they are downloaded. The Trojans that carried the viruses reached targets through a popular photo and video file-sharing program for mobile users. One variant was downloaded more than 200 times before removal by the site administrator, according to Kaspersky.
Another form of malware, found earlier this year by McAfee, aimed to hold handhelds for ransom. Discovered in China, the malware would remove all the text messages from targeted Symbian Series 60 phones. It then displayed a warning message, threatening to cripple the phone unless users sent about $7 to an account in QQ, a Chinese instant messaging and virtual currency system. McAfee said it hadn’t found any examples where the attackers’ threat was carried out.
Of much more concern to companies is “snoopware” that silently embeds itself in systems before siphoning information back to a server. These programs are not evident to the user. “Today, when attacks hit, you almost never know it,” says Paul Miller, director of mobile and wireless at Cupertino, California-based Symantec Corp.
One such software program is FlexiSPY. Sold openly as a legitimate product by a Thai company called Vervata, it acts like a key logger. Capabilities include remote phone monitoring; logging of incoming and outgoing SMS messages; and viewing of call history, address books, and other data. Uses could range from the relatively benign (a parent monitoring a child) to more malevolent (spying on a top executive). While FlexiSPY installation requires physical access to a device, variants of the technology can be hacked into a Trojan.
Many smart phone threats have involved Bluetooth technology. In so-called Bluejacking, malicious text or multimedia messages are sent to other Bluetooth users. In Bluesnarfing, hackers connect to a Bluetooth device to access and modify data. A number of viruses have spread via closely proximate Bluetooth devices. With pairing, two nearby devices with discovery mode on can negotiate a connection.
Viruses can “spread like a biological function, person to person, like a common cold,” says Miller. “Typically you see flare-ups in small regions, such as airports. Someone might walk around Heathrow and infect people, then Charles de Gaulle, and JFK.” Some of the attacks have involved spam-like messages, asking users to sign up for dubious services.