My heart sank when I first saw Al Gore pull out his BlackBerry. It was in the waning weeks of the 2000 US presidential campaign, and there he was on the TV, tapping away on his then-novel converged device.

Although I had no evidence, I was positive that whatever he was reading had already been perused by some conservative spies, with his responses scrutinised not long after. (Given recent revelations about the opposition's ethics and panting obsession with domestic spying, I still suspect that any technically possible eavesdropping was probably being done at the time.)

So imagine my dismay when I saw Senator Barack Obama pulling a BlackBerry from his coat pocket shortly after announcing his candidacy for president. Like many others addicted to their converged devices (former candidate John McCain was apparently indulging during the last State of the Union speech, not sleeping), he's become a constant user, and he now uses it to manage a large portion of his communications.

While I hope these politicians have IT staffers paying attention to this sort of thing, more often than not a series of underinformed security and privacy assumptions is made shortly before sensitive information starts flowing.

Many common assumptions about the security and privacy of smartphones or other handheld converged devices are off-base or just flat-out wrong. For any high-value target - whether that's a political candidate or an organisation with valuable financial or personal data - a little more thought ought to go into the process of selecting and deploying any device handling important data. It makes sense, then, to challenge the more widespread assumptions, and consider how to handle oft-ignored risks.

1. It's just a phone with cool features, right?

No, it's not. There's been a major shift in smartphone architecture in the past few years. Yesterday's phone ran an embedded operating system with software hooks written for the specific model's CPU, interface, vocoder and radio. Today's mobile converged device is more likely to run software considerably more advanced and versatile than desktop systems just 10 years ago. That versatility is an enemy of security because it turns the underlying security architecture on its head.

It used to be that a phone or small handheld device had a default-deny security model, because every feature was added from the ground up. There were no extraneous services running on the device, because every one was purpose-built. Now most converged devices run commodity operating systems, such as Sony Ericsson's Symbian OS or Microsoft's Windows CE/Mobile family, that have portability as a core design goal. This means there are plenty of communications services and data-handling hooks in the code base, and it's up to phone and application developers to ensure unused code is removed or disabled where not appropriate.

No one wants to annoy customers so, more often than not, a wide range of services and interfaces is included and enabled - equivalent to a default-allow stance. While I'm a fan of open systems, it's worth evaluating a mobile device that provides the features you want and no more in the base configuration - perhaps a "feature phone" instead of a smartphone - and placing less priority on the capacity for upgrades and expansion.

2. It's stable, just like any other purpose-built appliance.

Don't assume that the lack of operating-system patches and application updates for a smartphone means that they aren't needed. In the short history of mobile malware, Symbian received bad press by playing host to the first, the Cabir worm. However, Windows CE wasn't far behind with the Duts virus and Brador Trojan. Even single-purpose network devices are periodically vulnerable to network and service exploits, and vendors ought to make updates available in a timely manner.

The bad news is that mobile platform vendors are still slow to issue operating-system and application patches. The only practical way to mitigate this is through a mix of process and technology: teach users proper skepticism of emailed attachments and unexpected connection or update confirmations, and implement antimalware programs for those who just keep clicking 'ok'.

3. Communications are encrypted from end to end.

BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end" but email and other communications are encrypted only from the phone to the phone company or service provider's servers. Beyond that point, email, instant messages, and file transfers may be transmitted unencrypted over the public internet by default.

This is less of a concern for closed organisations where everyone involved uses the same services, but vendors, partners, consultants, and others outside the organisation often use their own email addresses and smartphones on other carriers. There's no guarantee of message encryption in these cases, and the risk is no better or worse than any other internet email.

4. The connection's secure unless I use Wi-Fi in a cafe.

Some might be concerned about the cellular connection itself. The GPRS and EDGE data protocols used by T-Mobile and Cingular are based on GSM, and GSM authentication algorithms such as A5 have been broken in ways that allow a motivated eavesdropper to reconstruct voice and data conversations with only a few thousand dollars of equipment. CDMA and associated algorithms are mildly more secure, but many carriers choose not to implement all of the security controls available because of performance and handset compatibility.

Using a VPN (virtual private network) can mitigate this problem for sensitive data; beyond that, make sure essential services are encrypted at the application level using SSL or similar protocols. While it might seem redundant, using a VoIP (voice over IP) client through a smartphone's VPN data connection is one way to ensure that voice calls are private. Direct SIP-compliant VoIP clients are best for this; closed-protocol solutions such as Skype Mobile may try to route across a public connection even if a VPN is available. Skype may also relay connections between NAT'ed endpoints through random clients on the internet, so it's not a good candidate in this scenario.

It's also worth noting that "VoIP with AEC", one of the features of Windows Mobile 5.0, is not encryption. AEC refers to "Acoustic Echo Canceling", not the NIST Advanced Encryption Standard ("AES") described in FIPS 197.

5. Emails and messages are secure from prying eyes.

Whoever controls your smartphone application server has access to your data. While smartphone service providers and software packages all provide a modicum of access control, administrators with root access can always get at your information if they want.

While your corporate IT department might not be spying on Marketing on behalf of Finance, Obama might want to take note that congressional IT organisations that serve both Democratic and Republican Senators have had several incidents involving email disclosures to other parties. In the midst of the Mark Foley scandal, it was interesting to note a person described in the media as a "Democratic operative" was able to retrieve and forward messages sent months earlier from a Republican representative's smartphone.

Know where messages and other data reside when sent from a smartphone. If service is provided by a neutral vendor, make sure you have a service level agreement that considers whether your data may be commingled with other businesses - possibly your competitors - on the same systems. Those with specific competitive concerns ought to run their own systems using their own administrative staff.

Obama would do well to use a device controlled by the Democratic National Committee or his own campaign, rather than one managed by Senate IT staff and easily influenced pages.

6. Using a mobile phone constitutes out-of-band communication.

A phone call over a landline used to be an acceptable method for communicating out-of-band administrative information. For example, a system administrator might call you back at your desk to verbally give you a new password (which you then changed, right?). This worked because the desk phone was isolated from the network and system resources to which you were being given access.

Not so anymore. If you lose your smartphone and IT calls you back on that mobile number to confirm the trouble ticket, is it a meaningful method of verifying the identity or location of the person who answers? Of course not. Possession of the number means little if anything anymore, especially since most phones will allow answering of an incoming call even when locked.

IT help desks should cross callbacks off the list of acceptable methods of identity verification for anything to do with mobile devices or remote access. The new Bluetooth BlackBerry smartcard reader is a viable option for those who need to authenticate using something they possess, and while similar options lag a little on other platforms, they are available.

7. I trust the integrity of data and applications on a smartphone.

On modern desktop and server systems, file systems with journaling, database-like features, and integrated backup are common. Not so with mobile devices, where almost all data integrity relies upon some sort of synchronisation with a stable fixed server system for backup and management.

Windows Mobile users can use a variety of synchronisation options to ensure that messages and data on the mobile device are consistent with a central Microsoft-based repository such as Exchange, SharePoint or even Groove file-share workspaces. BlackBerry Enterprise users have over-the-air device security options that include data synchronisation and backup, and remote shutdown options for lost devices.

(A product called SyncBerry provides advanced sync and backup features to SyncML-capable systems, and extends some of the BlackBerry goodness to Symbian users.)

T-Mobile's Sidekick, on the other hand, stores very little data locally because it's constantly synchronising with the servers at Danger, the manufacturer. If the device is lost, damaged or reset, data can be reloaded on the device by logging in with a name and password. However, this means that data is stored at a service provider with which individuals have a rather one-sided service-level agreement unsuitable for enterprise use.

All of this can be protected by setting the device to require a passcode at startup. If the wrong passcode is entered four times on the Sidekick, local data is erased but can be restored by a remote password reset on the management website. Security administrators might lament the scarcity of people who use this feature, but it's interesting to note that the young thief who acquired the now-famous Sidekick II in New York City last year was identified and arrested only because she had access to the phone, sent messages and took pictures of herself - which then synchronised with the legitimate owner's account on the Danger servers.

What about application integrity? Okay, you say, you'll just install digitally signed or approved applications. A few months ago, some enterprising pot-stirrers managed to buy a BlackBerry code-signing key from RIM (arguably the most security-oriented of the smartphone vendors) for $100, no questions asked. This is all bad.

Users tricked into giving network access to unsigned applications may be opening themselves up to all sorts of spyware, message relay and other malware, but signed applications don't even require consent to suspicious prompts. It's far better to teach astute users about acceptable applications and forbid the rest from installing anything. The choice of installable applications ought to be from a whitelist - or no list.

8. Information deleted from a smartphone is gone, right?

Most converged devices have relatively small storage capacities, and use variants of the venerable FAT file system. When a file is "deleted", the markers for the beginning and end of the data on the storage media are removed so that it is no longer retrievable by normal means (the data is "orphaned"). However, the actual data remains until it's overwritten. There are no guarantees against orphaned data - in fact, the whole practice of mobile-phone forensics rests on the availability of orphaned data and logs.

I'm not aware of any smartphone that comes with a secure delete function to remove orphaned file system data. Perhaps Apple will include the file system wiping option from OS X in its forthcoming iPhone, but it's not present in any of the other major players' offerings. With many smartphones offering basic word-processing and spreadsheet applications, residual data from deleted copies becomes even more of an issue.

IT staff responsible for disposal of outdated smartphones should use tools to ensure that residual data is removed. The simple method is to copy and erase chunks of data onto the device in a manner that fills the flash memory or hard disk, but forensically sound methods are available from various vendors. If the device memory can't be erased, it should be destroyed - a damaged but repairable smartphone ought not be found in the trash. Those resorting to a hammer are advised to remove the li-ion battery first.
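The two points above - that deletion only removes the bookkeeping while the bytes stay put, and that filling the free space is the simple remedy - can be seen directly in a small model of a FAT-style volume. The following Python is an added illustration written for this page, not code from the article or from any phone vendor: it keeps only the allocation table, the directory entries and the data area, with a tiny constructed cluster size, and uses the real FAT12 conventions (clusters numbered from 2, 0 = free, 0xFFF = end of chain, first name byte 0xE5 = deleted entry). `delete_file` does what a normal delete does, `carve` does what a forensic tool does, and `wipe_free_space` is the fill-the-media step.

```python
# Toy model of FAT-style deletion, constructed for illustration. A real FAT
# volume also has a boot sector, reserved sectors and two FAT copies; only the
# three structures that matter for the residual-data argument are modelled.
from dataclasses import dataclass, field

CLUSTER = 64                # bytes per cluster (constructed, tiny to keep the example small)
N_CLUSTERS = 32
FREE, EOC = 0x000, 0xFFF    # FAT12 values: 0 = free cluster, 0xFFF = end of chain
DELETED = 0xE5              # FAT flags a deleted directory entry by setting byte 0 of its name to 0xE5


@dataclass
class DirEntry:
    name: bytearray         # 11-byte "8.3" name; name[0] == 0xE5 once deleted
    first: int              # first cluster of the file
    size: int               # file length in bytes


@dataclass
class Volume:
    fat: list = field(default_factory=lambda: [FREE] * N_CLUSTERS)
    root: list = field(default_factory=list)
    data: bytearray = field(default_factory=lambda: bytearray(CLUSTER * N_CLUSTERS))


def _chain(vol, first):
    """Follow the cluster chain recorded in the FAT, starting at `first`."""
    out, c = [], first
    while c not in (EOC, FREE):
        out.append(c)
        c = vol.fat[c]
    return out


def _find(vol, name):
    """Locate a live (non-deleted) directory entry by name."""
    for e in vol.root:
        if e.name[0] != DELETED and bytes(e.name) == name.ljust(11):
            return e
    return None


def write_file(vol, name, payload):
    """Allocate free clusters, link them in the FAT, copy the bytes, add an entry."""
    need = max(1, -(-len(payload) // CLUSTER))               # ceiling division
    free = [i for i in range(2, N_CLUSTERS) if vol.fat[i] == FREE][:need]
    if len(free) < need:
        raise OSError("volume full")
    for i, c in enumerate(free):
        vol.fat[c] = free[i + 1] if i + 1 < need else EOC
        chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
        vol.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
    vol.root.append(DirEntry(bytearray(name.ljust(11)), free[0], len(payload)))


def read_file(vol, name):
    """Normal read through the directory: returns None once the entry is flagged deleted."""
    e = _find(vol, name)
    if e is None:
        return None
    raw = b"".join(bytes(vol.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in _chain(vol, e.first))
    return raw[:e.size]


def delete_file(vol, name):
    """What a normal delete does: flag the entry and free the chain. The data area is untouched."""
    e = _find(vol, name)
    if e is None:
        raise FileNotFoundError(name)
    for c in _chain(vol, e.first):
        vol.fat[c] = FREE
    e.name[0] = DELETED


def carve(vol, magic):
    """What a forensic tool does: ignore FAT and directory, scan the raw data area for a
    known header and return each run of bytes from that header up to the next NUL."""
    hits, pos = [], vol.data.find(magic)
    while pos != -1:
        end = vol.data.find(b"\x00", pos)
        hits.append(bytes(vol.data[pos:end if end != -1 else len(vol.data)]))
        pos = vol.data.find(magic, pos + 1)
    return hits


def wipe_free_space(vol, fill=b"\x00"):
    """The 'fill the media' remedy: overwrite every cluster the FAT currently marks free."""
    for c in range(2, N_CLUSTERS):
        if vol.fat[c] == FREE:
            vol.data[c * CLUSTER:(c + 1) * CLUSTER] = fill * CLUSTER


def demo():
    """Returns (normal read after delete, carved before wipe, carved after wipe)."""
    vol = Volume()
    memo = b"MEMO-v1: " + b"negotiating position " * 4     # constructed sample; spans two clusters
    write_file(vol, b"MEMO.TXT", memo)
    write_file(vol, b"KEEP.TXT", b"unrelated live file")    # a live file that must survive the wipe
    delete_file(vol, b"MEMO.TXT")
    gone = read_file(vol, b"MEMO.TXT")        # None: the directory no longer offers the file
    before = carve(vol, b"MEMO-v1:")          # the memo is still sitting in the data area
    wipe_free_space(vol)
    after = carve(vol, b"MEMO-v1:")           # nothing left once free clusters are overwritten
    return gone, before, after


if __name__ == "__main__":
    gone, before, after = demo()
    print("read after delete:", gone)
    print("carved before wipe:", before)
    print("carved after wipe:", after)
```

The model shows why the fill approach works at the file-system level and also where it stops: it only overwrites clusters the allocation table reports as free. On real flash storage the controller's wear levelling may map a logical overwrite to different physical cells than the ones that held the deleted data, which is why the fallback of destroying memory that cannot be verifiably erased is the right one for disposal.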

9. Spying on my smartphone is hard.

Think spying on your activities is hard? Think again. Most smartphones have no equivalent of Bluetooth authentication when plugged in - they just become slave USB devices and give up all of your data. Worse yet, a rogue employee, jealous husband or political opponent can buy backdoor malware... uh "remote phone monitoring" software here and keep ongoing tabs on communications. If they manage to install the spendy version on your phone (or trick you into doing it), it even includes remote microphone activation and generates a tidy Excel spreadsheet of your activities each day.

Flexispy is cheap, oriented towards consumers and very worrisome. It's available only for Symbian so far, but less-polished remote viewing software or illicit copies of management tools are available for BlackBerry, Windows Mobile and other platforms. It's not clear if antimalware products send alerts upon finding these, so the best policy now is to educate users on physical security and admonish them not to install unexpected software or updates.

10. Abuse is minimal because the network and phones are constrained.

Four words: remember ASCII art porn. Network miscreants will work with what's available, and resource limitations only make those inclined to misbehave do so in more creative ways. The difference is that smartphones are quite capable, and modern 2.5G and 3G phone networks provide surprisingly adequate bandwidth. For example, there are now multiple BitTorrent clients for Symbian as well as other platforms, some phones are adept at seamlessly switching between cellular and unsecured Wi-Fi networks, and with the price point for 4+ GB flash cards dropping below $100, there's lots to worry about.

To paraphrase Steve Jobs, misuse of technology is a social problem, not a technological one. Having a well-defined policy for the use of converged devices is essential prior to deployment. Conversely, rolling out smartphones without proper guidance will lead to all sorts of havoc. Users might respect pay-per-minute airtime as a corporate asset, but unless instructed otherwise they'll think of flat-rate data services as free connectivity on someone else's network (not covered by your policy), and the phone itself as corporate tribal adornment suitable for display anywhere, anytime.

More to consider

Am I advocating Naomi Campbell's method of disposing of one's fancy mobile? No, in fact just this month I bought a new smartphone. While I'm no fan of troublesome devices - two colleagues recently commented that their new WM5 phones rarely crash more than once per day now - mobile email and internet access are quickly becoming de rigueur. I made a list of the functions I needed and tried to avoid models that included features I would not use or could not secure.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He is currently a senior security consultant in Seattle, where his advice has been ignored by CEOs, auditors and sysadmins alike.

