Can Cell Phones Compromise Your Network?

Simply by carrying a mobile phone, employees may inadvertently be walking, talking network-security risks. Here's how companies can respond

We insist on being connected. Many executives carry smartphones -- mobile devices that do more than just store phone numbers. In the past year, sales of smartphones have exploded. During the third quarter of 2005 alone, 12.6 million smartphones were shipped worldwide, more than triple the number from a year earlier.

As our appetite for mobile devices increases, so too does the interest of malware writers. In early March, a new virus became the first to automatically infect a mobile phone from a PC upon connection. Crossover, so named for its ability to jump from one type of device to another, exploited a vulnerability in Microsoft's (MSFT) ActiveSync, a program that synchronizes Windows Smartphones with PCs.

Crossover was created as a so-called proof-of-concept virus by a security researcher to demonstrate its feasibility. And it foreshadows a paradigm shift ahead. Prior to Crossover, we only had to worry about not losing our cell phones or laptops in order to protect our data. Now, it is only a matter of time before malware writers actively target our growing dependence upon mobile devices.


 As that happens, the battle to protect both personal and corporate information will be played out in an ever expanding and harder to control arena. Anyone with a Wi-Fi- or Bluetooth-enabled mobile device is potentially a walking, talking network-security risk, as more and more sensitive corporate data are stored on such devices.

There are similarities between the evolution of malware targeted at mobile devices, and that of computer vulnerabilities; as computers became more widespread and connected via the Internet, hackers sought out weaknesses to exploit. Connected mobile devices, such as smartphones and PDAs, are destined to suffer the same fate if the security of these devices does not improve.

But there are also differences in the evolution of malware targeted at mobile devices. These devices increasingly have capabilities such as Bluetooth that allow neighboring handheld machines to find each other and dynamically create their own network. This handy feature is also a security risk, as proximity to infected devices creates new vulnerabilities. With mobile devices, even the most rudimentary security tools are almost nonexistent, leaving unsuspecting users at risk.


  Consider the thousands of people moving through airport terminals every day. Many check e-mail or work from Bluetooth-enabled devices. Imagine the impact from one Bluetooth device in an airport infected with aggressive mobile malware. That one device could transmit the virus to others within range. Then those would transmit the malware as the users move around the airport and on to their destinations -- and back to their offices. In this scenario, virus propagation begins to look much more like that of airborne human viruses.

Adding to the risk is the fact that most users are either unaware of their exposure or think it will not happen to them. Two years ago nobody would have believed that in 2005, 57 million people would have their identity compromised -- but it happened, according to the Identity Theft Resource Center, a national nonprofit that focuses exclusively on identity theft. Automated mobile malware can make this type of attack even easier on mobile devices.

Multi-device viruses such as Crossover present a significant risk to both personal data and business assets. In order to efficiently protect mobile devices from these threats, corporations, vendors, and end users need to recall lessons learned in protecting sensitive data on network devices.


  Proactively determining what is on the network is the first step for businesses, since you can't protect what you don't know about. Educating users, providing security tools, and developing policies are all parts of a comprehensive solution.

Security tools for mobile devices, when they are available at all, are either too difficult to use and understand for the average business user, or are simply not up to the task. Vendors must acknowledge that these handsets require the same level of security as any other mobile corporate network device and begin building effective security tools.

Businesses must take security education seriously and put some teeth into the enforcement of security policies. One corporation takes its policy so seriously that employees must sign a document at hiring acknowledging their responsibility for safeguarding company data. Employees who make security errors can be fired. That is certainly an extreme, but companies have to protect their sensitive data and must demand responsibility from their employees.


  Corporations also can't just ban mobile devices forever; like the laptop, these devices will become required tools for employees to stay connected. Instead, policies must be developed that promote a continuous understanding of what is on the corporate network, enabling enterprises to be prepared for changes.

Technology exists today that can discover not only the mobile devices themselves as they connect and disconnect from the corporate network, but also the software applications that are used to connect these devices to the employee's computer. Implementing policies and security solutions that discover and report this information is key to understanding the risk and being prepared for future malware outbreaks.

Regardless of corporate policy, business users themselves must be accountable for how they use and secure mobile devices. You must not put sensitive business documents on the device if you are not sure of your ability to secure the device. And if the device stores corporate secrets, it should be protected like the secrets that it contains, in the same way as you would protect your passport, birth certificate, or Social Security number.

    Before it's here, it's on the Bloomberg Terminal.