New Standard Promises Better Security For All Mobile Devices

The Mobile Trusted Module spec creates a security blueprint for device makers, mobile software makers, and service providers.

Larry Greenemeier, Contributor

October 14, 2006

As wireless handheld devices begin to act more like PCs, they need to be secured even better than PCs. With E-mails, files, and electronic wallets increasingly being stored on devices small enough to fit into--and just as easily fall out of--a jacket pocket, security for them has to be top of mind for IT managers.

The ability to protect data on a fleet of BlackBerrys and smartphones typically has been hampered by a lack of standardization among devices, making it nearly impossible to deploy consistent security measures across all of a company's handheld devices. The Trusted Computing Group's Mobile Phone Work Group last month took an important step toward creating wireless security standards by publishing a draft of its Mobile Trusted Module specification, which creates a security blueprint for device makers, mobile software makers, and service providers.

"Security problems seen in PCs haven't been seen as much in the mobile world, but they're coming," says Mark Redman, principal engineer at Freescale Semiconductor, which joined the Trusted Computing Group before the chipmaker was spun off by Motorola.

Many mobile devices have evolved to the point where they offer a lot of the same security features as PCs. Data can be encrypted and protected with passwords, and mobile hard drives can be wiped or locked if a device is stolen. Good thing, given that about 30% of all smartphones are lost or stolen annually, compared with about 10% of laptops, says Iain Gillott, founder and president of iGillottResearch. "The more portable something becomes, the more likely you are to lose it or damage it, and the more likely it is to be stolen," he says.

When the Mobile Trusted Module, or MTM, specification's final draft is completed by year's end, it will create an industrywide approach to developing mobile devices that includes stronger security, ensures data privacy, and reduces the risk of malware-ridden mobile devices infecting company networks. This protection will be a boon to businesses like Visa and MasterCard, which want customers to pay for purchases using mobile handsets that contain radio frequency chips that can be read at the point of sale.

The draft MTM specification is designed to supply the core framework, commands, and control specifications needed to provide the security building blocks within a mobile phone or one embedded in a PDA. The draft specification is designed to be complementary with existing mobile phone components, including subscriber identity modules and universal integrated circuit cards, and with specifications from industry organizations such as the Third Generation Partnership Project, Open Mobile Alliance, Open Mobile Terminal Platform, and Mobile Industry Processor Interface Alliance.

"You can find out a lot about a person in a business by stealing their BlackBerry or cell phone," says Scott Totzke, director of BlackBerry maker Research In Motion's global security group. "This leads to the need for encryption, of both data in transit and data at rest."

Although RIM isn't working with the Trusted Computing Group, a company spokeswoman says that many of the MTM's specs are already implemented in the BlackBerry security model. For more than two years, RIM has offered Content Protect to protect data stored locally on BlackBerry devices. For the past five years, RIM has given administrators the tools to remotely lock or wipe lost and stolen devices so their data can't be accessed by thieves.

Security Chaos
While all manufacturers of wireless devices have had their own approaches to security, they've never been standardized, says Lark Allen, executive VP of business development for Wave Systems, a provider of security applications that run on top of the Trusted Computing Group's Trusted Platform Module specification. "This means wireless service providers have to support different security infrastructures, depending upon the different wireless devices they offer," he says.

This is far from an ideal situation as wireless devices increasingly are used for more than simply making phone calls or exchanging E-mail. "Phones have moved from being dedicated to communication to become much more open platforms for surfing the Web," Allen says. As these devices do more things, they hold more information to protect. Surfing the Web makes them vulnerable to a variety of malware and network-based attacks.

Thieves can change the identity of a stolen phone because security connected to the International Mobile Equipment Identity, a unique number given to every mobile phone and typically found behind the battery, is insufficient. The number is reported to a carrier when a user wants to shut down a stolen mobile device. One of the MTM's goals is to prevent thieves from assigning a new number to a stolen device.

The Trusted Computing Group is saying that the best place to do security is at the hardware level, so it's created a standard for mobile hardware and software, just as it did with its Trusted Platform Module specification. PC makers including Dell and Hewlett-Packard are supporting the TPM spec by including microcontrollers in their products that can be used to securely store data outside of the PC's hard drive.

The existence of the Mobile Trusted Module specification is a step in the right direction, but the standard means little if organizations either don't have or don't enforce mobile security policies, Gillott says. "There are mobile VPNs for smartphone users," he says. "If users want to use their Treos to get E-mail, they should be made to use your mobile VPN."

One of the strengths of the Mobile Trusted Module spec is the involvement of Motorola, Nokia, and Samsung on the handset side and Intel on the processor side. With this level of support, "there's no choice for other vendors," Gillott says. Look for handset makers to start delivering MTM-enabled devices late next year or by early 2008. "If you buy a device every 15 months, your next one won't have it, but maybe the one after that will," he says.

The 51 million smartphones shipped last year may have made up only 6% of all handsets shipped, but this percentage will grow disproportionately over the next few years, according to iGillottResearch. By 2010, smartphones are expected to comprise about 21% of all mobile handsets shipped worldwide.

Whether those handsets are issued by your company or bought by your employees, you'd better know what to do when you find out one of them was left behind in a taxi.
