
Smart Phones "Bigger Security Risk" Than Laptops

CWmike writes "A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"

  • by Anonymous Coward on Monday June 02, 2008 @09:03PM (#23633595)
    And if you have a blackberry enterprise server, you can:

    - force your users to have a password
    - force the device to lock after a specified period of inactivity
    - force the user to enter the password every x minutes regardless of activity
    - prevent users from having a trivial password
    - give users a duress password
    - set the blackberries to store everything in encrypted form
    - if a blackberry is lost, you can remotely lock the blackberry
    - if a blackberry is lost, you can remotely wipe it

    Blackberries are the best mobile platform, period.
  • A surbey? (Score:3, Informative)

    by Cala ( 1134197 ) on Monday June 02, 2008 @09:22PM (#23633717)
    The bastard cousin of the sorbet?
  • by Anonymous Coward on Monday June 02, 2008 @09:23PM (#23633727)
    Yes. Most of these idiotic questions should be answered with "mu [wikipedia.org]." However, that's not a normal answer, so we flood the comments with ridiculous arguments about the stupid question stuck to the submission.
  • by vux984 ( 928602 ) on Monday June 02, 2008 @09:25PM (#23633741)
    Mod parent up. Blackberries ARE better than the other PDA platforms in terms of security, because they do support this level of security 'out of the box'.

    Other PDAs don't, and in most cases you can't even add it. With the BB, you can essentially set them up so that all data is end-to-end encrypted to YOUR server, and from there it can go out to retrieve web pages, access address books, download documents, run applications, etc, etc. You can apply corporate filters to the web, limit applications, etc, etc all very easily.

    All other PDA platforms require you to trust the carrier and the user for a significant chunk of the security. They give you exchange and imap support for example so email can be reasonably secure, but it's much harder to lock down EVERYTHING else... like blocking it so the pad web browser can't reach facebook or myspace or so poker can't be installed... blackberries make it as easy to manage PDAs as it is to manage desktops... which is to say... it's a hassle. But on other platforms it's not even really doable.

    How easy is it to get an iphone to run through a 'VPN' so it can access an intranet site and have no or extremely limited access to the public WWW? This is a pretty common scenario for the PCs staff are provided by enterprises, but smartphones in general do not make this sort of configuration easy; in many cases it's simply not possible.
  • Packet Sniffer (Score:4, Informative)

    by Darkness404 ( 1287218 ) on Monday June 02, 2008 @09:47PM (#23633873)
    Chances are, it is more risky to connect to an unencrypted network at a local coffee shop and check your e-mail on your PDA than it is to leave it without a password. I know on my computers the information stored on it is useless to a thief but some e-mails (stored on a remote server) have more confidential information than what is stored on the device (and just about all webmail require you to use a password). So really, for me and most other people, a 1337 H@X0R with Wireshark will do more damage than some guy who steals your PDA/Laptop.
  • by Anonymous Coward on Monday June 02, 2008 @09:57PM (#23633945)
    I have no experience with Blackberries. Do they support traditional wifi (802.11a/b/g/n?)

    Some models do.

    I thought emails and all that went through Blackberry's central servers before being passed on to the organization's or corporation's servers.

    Depends. If you have a blackberry enterprise server, you manage the encryption entirely in-house. The company (RIM) is only carrying the encrypted message, and RIM doesn't have the keys, you do. The government of India was in the news recently, threatening to cut off blackberry service, since they can't decrypt the messages.

    If you don't have a blackberry enterprise server, RIM manages the encryption on your behalf. In this case RIM has the keys.

    I know this data is encrypted, but does it meet the encryption requirements laid down for electronic medical records in HIPAA?

    Absolutely. They have a sales division dedicated to health care [blackberry.com].

    I also wonder about Blackberry service coverage. In many of the buildings where I work, I don't get cell service (Sprint) and my peers do not either (AT&T, T-Mobile, Verizon, etc).

    That really depends on your local provider, and how much concrete & steel you have in your building. If you really want to, you can buy a cellular repeater to carry cell phone signals through the building. Expensive though.

    There is local wifi available, but can Blackberry use that?

    Some blackberries can do wifi.

    Just wondering what the limitations of the seemingly "perfect" Blackberry platform really are.

    I never said it's perfect, just that it is the best of what is available.

    The thing I found most annoying is that you can't make the phone ring & vibrate at the same time. It can ring only, vibrate only, vibrate then ring, but not both simultaneously.

    If you have a headset plugged in to the blackberry, when the phone rings, the ringing sound is made by the regular ringer, not through the headset.
  • by mdboyd ( 969169 ) on Monday June 02, 2008 @10:02PM (#23633983) Homepage Journal
    I believe that most of the major Smartphone players have begun to do things like this. For example, Microsoft Exchange 2007 allows users and administrators to remotely wipe devices. Combining Exchange 2007 with WM6 brings additional security features: http://technet.microsoft.com/en-us/library/cc182299(TechNet.10).aspx [microsoft.com]. Bottom line: If Smartphone makers want to reach Enterprises, they need to take both security and device management into consideration.
  • by ohcrapitssteve ( 1185821 ) on Monday June 02, 2008 @10:10PM (#23634029) Homepage
    In just a few days, Apple is set to release iPhone Software 2.0 (as well as maybe Hardware 2.0...) but sw 2.0 is slated to have many of the enterprise features listed above. Not to sound like an Apple commercial, but features will include:

    -ActiveSync (with SSL..)
    -Remote administration with remote wipe of a lost device
    -Cisco VPN with RSA SecurID

    And as far as the VPN question, it is pretty straightforward, just another pane in the settings menu. PPTP and IPSec.

    So iPhone's release featureset wouldn't have satisfied your needs, but tune back in in a few days and see if it floats your boat.
  • Re:Free and owned. (Score:3, Informative)

    by jamesh ( 87723 ) on Monday June 02, 2008 @10:24PM (#23634095)

    How is Debian on my handheld less secure than Debian on my desktop?

    That's an easy one, when was the last time you heard of a workstation being accidentally left in a taxi? Or left at a pub? Or being stolen from someone's handbag? Your handheld is much more likely to go 'missing' than your workstation. All other things being equal, a device that is easier to steal or more likely to be misplaced is less secure than one that is harder to steal.

    By how much it is less secure is a different matter of course. If you use whole disk encryption on both and your passphrases are 'unguessable' then the difference is probably going to be negligible.

  • by bigstrat2003 ( 1058574 ) * on Tuesday June 03, 2008 @12:05AM (#23634687)

    (And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile :) )
    That, or they're (God bless them!) putting their data on network drives, not on their PC. Harder, but still doable, with a laptop, even on the go, as long as you have VPN access. It's always tragic/amusing when someone loses all their data, when they knew damn well they should've been keeping it in a location that's backed up regularly. :/
  • by Ira Sponsible ( 713467 ) on Tuesday June 03, 2008 @02:20AM (#23635263) Journal

    If you're using the built-in Palm password feature for your security, you might want to have a look at this:
    No Security [geocities.com]

    Basically, the Palm security program has a tragically weak flaw which this handy little program exploits easily. All you have to do is load No Security into the palm install queue and hotsync. It immediately deletes the password, even if the device is locked, giving you full access to any private data hidden by the Palm security program.

    I use a couple of different solutions to this problem: Cryptopad [sourceforge.net], which is essentially an encrypted replacement for the memopad (and has the added bonus of giving you >4k memos); and using the encryption option of Tejpwriter [atspace.com], which is the best free text editor I've tested for Palm.

    And all these programs are free and/or open source and easily obtained with a quick google search.

    But I still use the Palm security program to lock the handheld (despite its weakness) as a very basic means to keep casual snoopers from poking around and to prevent accidental button mashings from doing weird things to my data.
