Insecurity in a wireless world

Guy Matthews, Network News [14-03-2001]

The emerging world of wireless connectivity presents multiple security threats to corporate IT infrastructures, says researcher Gartner.

The level of such threats is going to rise as companies link their infrastructures into the wireless world, rendering themselves vulnerable to attacks on Wap gateways, in the form of mobile spam and even viruses on mobile phones.

The silver lining in the cloud, says Gartner, is that wireless systems are inherently robust, reducing the scope for Denial of Service attacks.

John Pescatore, Gartner vice-president in the US, said a “fundamental lack of security will not slow adoption” of wireless technology. He added that security professionals need to focus on limiting the gap between desired and achieved levels of control, recognising that achieving business goals involves taking risks.

According to Gartner research, the pace at which network connection and content distribution methods are evolving is outstripping the ability of companies to securely support them, leaving firms in a state of constant risk.

Complex protocol stacks, weak encryption, shared keys, user confusion, and bandwidth and device restrictions are encouraging suppliers to take shortcuts with emerging mobile devices and services.

Viruses on the move

For example, as mobile phones become smarter, attacks through software updates and simple scripting will come to the fore.

However, Gartner believes the emergence of phone viruses will not be an issue until 2005. At that time service providers will need to have in place anti-virus protection at the server level, because protection for individual mobile phones will probably be ineffective.

Corporate users should brace themselves for mobile spamming, cookie stealing, file stealing and malicious content with each improvement in mobile phone functionality.

Matthew Bevan, former hacker turned security consultant at Kuji Media Corporation, also believes a whole new wave of assaults on infrastructure could be around the corner.

“Any new technology has a level of vulnerability attached to it, especially if it’s been insufficiently checked,” he said. “There’s nothing about Wap that enables enterprises to say ‘we’re secure’. At the moment, it’s a bit too expensive for hackers to get involved with, but as the technology gets more applicable and available, the more it will be deemed worthwhile.”

Bevan believes that network managers ought to be concerned about almost any data that does not travel via a fixed link. “Everyone knows how insecure pagers and mobile phones are. A Wap device is really just a mini- computer that anyone can hack into if they can write code small enough. Denial of Service attacks on Wap devices and gateways are only a matter of time.”

Pescatore said end-to-end wireless security will not reach the level of that obtained over the internet until the first half of 2004, mainly because of the insecurity of Wap gateways.

A major target for hackers will be the Wap gateway, attacks on which can be mounted from anywhere on the internet. In particular, the Wap gateways of service providers will act as ‘hacker magnets’ and are likely to be of insufficient strength for web transaction services, although good enough for email.

Gartner also predicts that attackers will target WTLS (wireless transport layer security) in proof of concept attacks. The analyst recommends that to guard against these problems, companies should look to securely host Wap servers and employ available third-party software tools.

Shielding software

Meanwhile, Nokia has teamed up with anti-virus software vendor McAfee to launch WebShield, which allows anti- virus software to be installed on its Nokia Network Application Platform, which is sold to enterprises and service providers.

Bob Brace, vice-president of global marketing at Nokia, said: “Both companies are working together to prevent the high damage caused by viruses.”

Brace claimed that the combination of Nokia’s network security infrastructure expertise and McAfee’s anti-virus systems will “inevitably lead to innovations”. He said the millions of pounds of damage caused by the Love Bug virus showed the market needed new developments in network security.

The two companies will develop network security hardware and software as one offering. “With a network, you need a firewall and anti-virus equipment,” said Brace.

The alliance is working to prevent viruses being brought in by mobile workers using networks via laptops. “A laptop out of the office it is under threat from viruses,” said Brace. “The virus check should be put on the edge of a network, at the gateway.”

The companies’ products will not be available until after Christmas.