Mobile Computing Risks: Part 3
I have already discussed the risks posed by lost or stolen mobile computing devices, as well as the implications of these devices not being connected directly to an organization’s network. Another serious risk is that vendors usually do not address security issues in mobile computing products as thoroughly as they do in conventional products. Configuration settings that tighten security on conventional systems are often simply not available on mobile devices. Additionally, vendors too often turn their backs on vulnerabilities in their products. A good example is Research in Motion (RIM), the vendor of BlackBerry devices. Until fairly recently, RIM virtually ignored vulnerabilities in its products. BlackBerry vulnerabilities were posted at various Web sites, but RIM did not produce patches or workarounds (or even post information about these vulnerabilities on its own Web site), even though some of them were critical. For example, a buffer overflow during meeting synchronization with Microsoft Exchange was discovered in the BlackBerry 7230; exploiting it could lead to denial of service as well as other undesirable outcomes. Similarly, a vulnerability in portable network graphics (PNG) file handling could lead to denial of service in BlackBerry Enterprise Server 4.x. Furthermore, the BBProxy exploit code, once installed on a BlackBerry, has the potential to open a covert communications channel by way of RIM’s servers, bypassing the gateway security mechanisms that would otherwise stand between the attacker and the internal network. RIM’s original response to these serious vulnerabilities was to ignore them, and RIM was by no means the only vendor to take this approach.
Another problem is that the arsenal of security tools (anti-virus software, anti-spyware software, personal firewalls, integrity-checking software, and more) available on conventional computers such as PCs is usually much less available in the mobile computing environment. The exception is anti-virus software, which is now available for most major mobile computing devices. Without such tools, achieving the necessary level of security is almost impossible.
Another significant limitation concerning security in mobile computing devices is the lack of auditing capabilities in these products. Many of these devices have no auditing capabilities whatsoever, due in large part to the fact that audit data consumes storage, which is generally scarce on mobile computing devices. Some of these devices do have auditing functionality, but it is typically meager: audit entries are vague and incomplete, often omitting the details an investigator needs, such as which principal performed the action, on which object, and with what outcome. Being able to inspect detailed audit data is a critical part of security for every system; without these data, perpetrators could engage in a wide variety of unauthorized actions without ever being noticed. Auditing functionality is thus something that needs substantial improvement in the mobile computing environment.
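Limited storage does not have to mean vague audit entries. As an added example (my own code, not part of this article or any vendor's product), the following Python audit log keeps entries that record who did what, to which object, when, and with what result inside a fixed byte budget, and hash-chains them so that an intruder who edits or deletes a retained entry is detected. The field names, the 400-byte budget, and the sample events are all assumptions constructed for the demonstration.

```python
import hashlib
import json
from collections import deque

GENESIS = "0" * 64  # chain anchor used before any entry has been written


def _chain_hash(prev_hash, line):
    """Hash of an entry bound to the hash of the entry before it."""
    return hashlib.sha256((prev_hash + line).encode("utf-8")).hexdigest()


class BoundedAuditLog:
    """Audit log that keeps the newest entries within a fixed byte budget.

    Every entry records who did what, to which object, when, and with what
    result. Each entry's hash covers the previous entry's hash, so editing
    or deleting an entry inside the retained window breaks verification.
    Old entries are evicted oldest-first once the budget is exceeded; the
    hash of the last evicted entry is kept as the anchor for verification.
    """

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.entries = deque()   # (json_line, chain_hash), oldest first
        self.used = 0            # bytes currently held
        self.anchor = GENESIS    # hash of the most recently evicted entry
        self.evicted = 0         # entries discarded to stay within budget

    def record(self, ts, principal, action, target, outcome):
        prev = self.entries[-1][1] if self.entries else self.anchor
        entry = {"ts": ts, "principal": principal, "action": action,
                 "target": target, "outcome": outcome}
        line = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        digest = _chain_hash(prev, line)
        self.entries.append((line, digest))
        self.used += len(line.encode("utf-8"))
        # Evict from the oldest end, but never drop the entry just written.
        while self.used > self.max_bytes and len(self.entries) > 1:
            old_line, old_digest = self.entries.popleft()
            self.used -= len(old_line.encode("utf-8"))
            self.anchor = old_digest
            self.evicted += 1
        return digest

    def verify(self):
        """True if every retained entry still chains back to the anchor."""
        prev = self.anchor
        for line, digest in self.entries:
            if _chain_hash(prev, line) != digest:
                return False
            prev = digest
        return True


def demo():
    """Constructed sample events (not real device data) on a 400-byte budget."""
    log = BoundedAuditLog(max_bytes=400)
    events = [
        (1700000000, "alice", "login", "device", "success"),
        (1700000005, "alice", "sync", "exchange:calendar", "success"),
        (1700000030, "mallory", "login", "device", "failure"),
        (1700000031, "mallory", "login", "device", "failure"),
        (1700000032, "mallory", "login", "device", "success"),
        (1700000060, "mallory", "read", "mail:inbox", "success"),
        (1700000090, "mallory", "install", "app:unsigned", "success"),
    ]
    for ev in events:
        log.record(*ev)
    result = {
        "evicted": log.evicted,
        "within_budget": log.used <= log.max_bytes,
        "intact": log.verify(),
    }
    # An attacker with write access rewrites the retained "install" entry
    # to look like a failure; its chain hash no longer matches.
    line, digest = log.entries[-1]
    log.entries[-1] = (line.replace('"success"', '"failure"'), digest)
    result["edit_detected"] = not log.verify()
    # Restore it, then delete a middle entry: the successor no longer links.
    log.entries[-1] = (line, digest)
    del log.entries[1]
    result["deletion_detected"] = not log.verify()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

One caveat that the chain does not cover: truncating the newest entries off the end still verifies, because nothing after them is chained to them. Whatever last hash the device reports should therefore be exported regularly (for instance, at each synchronization) so that a truncated tail can be noticed off the device.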
As I have said before, mobile computing risks are currently among the foremost unaddressed security risks. There is only one reasonable response: to begin assessing these risks with the ultimate goal of managing them to the point that they are reduced to acceptable levels. The problem is going to get worse over time as computing becomes increasingly mobile, so starting as soon as possible is the only reasonable strategy.