Could a hacker take over your cell phone or personal digital assistant (PDA)? Well, according to a Georgia Tech study, by 2009, attacks likely will become sophisticated enough to turn your BlackBerry, Treo or other device into part of a botnet.
“As these things become more capable, we can foresee the possibility of this becoming an ideal way to infiltrate devices and networks,” says Wayne Jensen, a computer scientist at the National Institute of Standards and Technology. “There are potential problems coming through connections, both wired and wireless.”
That is why NIST issued Special Publication 800-124 last month recommending steps agencies can take to secure their cell phones and PDAs.
Jensen says NIST has been looking at how to secure these devices since 2001, but with the increase in attacks and the expanded capabilities of cell phones and PDAs, it was time to offer some more specific advice.
“Our publication is a wake-up call for agencies that are not thinking about this,” he says. “We want to raise awareness of the situation.”
Jensen says that from July to August, Kaspersky, a computer security company, found 8,000 different types of malicious code and unwanted programs, or spyware, detected on these devices.
“Many of these are not so serious, but there is a growing concern,” Jensen says. “There may be a sense that we are reaching a tipping point where we’ve actually gone from sort of a relatively nuisance mode for these malware and attacks to something that may be more serious.”
Jensen says that as these devices gain more and more capabilities, from Web browsing to online banking to social networking tools, the threat grows. But he also says there have been cases where hackers went after cell phones or PDAs through their Wi-Fi and Bluetooth interfaces.
“These things have hit large gatherings of people like a sports event where a lot of people had their Bluetooth devices turned on and available,” he says.
Jensen says there are some simple things agencies can do to improve the security of these devices. First and foremost, develop a policy about how cell phones and PDAs are used and what kind of data should be stored on them.
NIST’s guidance also recommends agencies configure devices using a risk-based approach:
Apply patches and upgrades to the operating system
Eliminate or disable unnecessary services and applications
Configure user authentication and access controls
Configure resource controls
Install and configure additional security controls that are required, including content encryption, remote content erasure, firewall, antivirus, intrusion detection, antispam and virtual private network (VPN) software
Perform security testing
Jensen says agencies often skip these simple steps.
“Many people don’t use the basic security mechanisms on the device,” he says. “We see that on the forensics side of the house.”
NIST says another common mistake is that agencies do not dispose of cell phones and PDAs properly. Too often agencies do not erase data completely, so when the devices are recycled, the information can be recovered with a little bit of work.
Jensen says NIST did not work with any agencies specifically on developing the special publication, but did get input from several departments informally. He says the departments of Defense, State and Treasury are among the most advanced agencies in securing their cell phones and PDAs.
The Navy, for instance, is expanding the use of portable smart card readers for logging on to handhelds.
Jensen also says there are a handful of companies making software to protect these devices.