Securing the Wireless
Securing the Wireless
By: Jason Conyard
Jan. 1, 2000 12:00 AM
With anytime, anywhere access to the Web, e-mail, Internet applications, and more, mobile professionals are enjoying the convenience and flexibility of being cable-free. But what would happen if suddenly 5,000,000 cellphones dropped their calls and stopped working for several hours or days? The repercussions would be enormous.
Given the low bandwidth nature of today's and even tomorrow's wireless networks, even a single virus event like LoveLetter could easily take down an entire wireless infrastructure in minutes. The traffic resulting from such a worm spreading to thousands or millions of devices would sap the limited bandwidth quickly, preventing other legitimate traffic from traversing the airwaves.
Analysts expect that, by the end of 2004, there will be more than one billion wireless devices in use, and over 100 million of them will be connected to the Internet. The always-online, open nature of these next-generation Internet-enabled products will make them increasingly susceptible to malicious code.
Wireless Internet connectivity promises to enable businesses to take significant steps toward employing a truly mobile workforce. With anytime, anywhere access to the Web, e-mail, Internet applications, and more at their fingertips, mobile professionals will enjoy the convenience and flexibility of being cable-free. Corporations, in turn, will benefit from an increasingly productive mobile community of executives, sales and service, business development staff, and other business-critical personnel.
While these promises have yet to be realized on a widespread scale, they are beginning to materialize as carriers launch 2.5G and 3G networks around the world, and hardware manufacturers bring a variety of sophisticated wireless and mobile devices to market. If the success of today's SMS is any indicator of the future potential of wireless services, then the demand for wireless Internet connectivity will accelerate; according to the GSM Association, from January 2000 to December 2001, the number of SMS messages sent monthly worldwide, grew from 4 billion to 30 billion.
Before the global embrace of wireless Internet occurs, a number of issues must be addressed. Perhaps the most important issue is security. Users want to be able to use their wireless devices and services without putting themselves and their assets at risk.
For businesses, the burgeoning wireless market means more flexibility and higher employee productivity. For hackers, however, it means another platform for creating, distributing, and using malicious code to gain unauthorized access to individual or corporate resources.
Such individuals may capture data and exploit network-based resources, including Internet access, fax servers, and disk storage. More important, wireless access to a network can represent the entry point for various types of attacks that can render services unavailable, and potentially subject the organization to legal liabilities.
The Wireless Domain
In the PAN space are PDAs and laptops that use either infrared or a wireless protocol such as Bluetooth to communicate with one another in close proximity. In the U.S. and other markets around the world, cellphones embedded with Bluetooth are beginning to ship. For users, a wireless PAN represents significant cost savings over traditional wired-device connections by obviating the need for cables and time-consuming setup and configuration.
Campus or building area networks typically use wireless Ethernet, or Wi-Fi, to provide wireless private network capabilities. Wi-Fi, based on the IEEE 802.11 standard, enables companies of all sizes, as well as individuals with home networks, to easily deploy one or more LANs without investing time and money in stringing cables.
In the carrier-based or metropolitan network space are increasingly complex cellular phones and PDAs. These devices offer more memory, faster processing, and sophisticated operating systems, which enable mobile users to leverage more powerful wireless networks to access the Internet, send and receive e-mail and, in general, conduct business as they would from a desktop PC.
PDA exploits were not far behind. Two months after the Timofonica cellphone virus incident, the first Trojan horse for the Palm OS appeared. This Trojan horse, dubbed Liberty Crack, was followed less than a month later by yet another Trojan horse, called Palm Vapor. The introduction of PDA-specific malicious code represented a threat not only to PDAs, but it also called attention to the potential spread of such code throughout a company as users synchronized their handheld devices with their desktop or laptop systems.
Use or in this instance, misuse also represents a security vulnerability with Bluetooth-enabled devices. With many Bluetooth systems, users are able to configure their unit to discover other similar devices, to allow other devices to discover it, and to share some or all of their system resources with another device. Without adequate training, users can find themselves exposing their systems and resources to other Bluetooth-enabled devices as they form a temporary network with other laptops, cellphones, or PDAs. In such a scenario, another Bluetooth-enabled device user could exploit this vulnerability to make a long-distance phone call through an unwitting user's cellphone, to secretly gain access to another user's contact list on their PDA, to share files with an unsuspecting user, and more.
Another incident that made headlines in June 2001 demonstrated just how crippling a wireless-based security breach can be. Emergency services were made unavailable in a region of Japan when a virus took over the wireless-enabled Internet phones of i-mode service subscribers, and dialed the country's emergency hotline number, the equivalent to 911 in the U.S., creating a distributed denial-of-service attack. Estimates are that more than 13 million phones were directly impacted, and countless more people faced the disturbing experience of not being able to reach an emergency operator.
An Evolving Risk
Wireless networks are not restricted to physical structures, but instead provide service through walls, ceilings, and floors, with a range of 260 feet or so. Users in the "bleed" space the area outside the intended boundary of the LAN have the same network access as authorized internal users if the wireless LAN is not configured properly. Although drive-by hacking is therefore a real possibility with wireless LANs, it is less probable than those accidental security breaches caused by user configuration errors.
Compounding these security risks is the emergence of more and more powerful wireless devices, giving malicious users an enticingly robust platform for hosting their code. The arrival of increasingly sophisticated wireless devices such as Java- or Symbian-enabled systems and hybrid wireless devices that include PDA, GSM phone, Internet access, and always-on e-mail capabilities offer a fresh challenge to hackers. They also pose an interesting test to software developers who are tasked with writing more concise code to create compact applications for these small footprint units.
Several steps have already been taken to address some of the issues of wireless security. Some wireless notebooks support the use of fingerprint readers or sensors that rely on biometrics to identify authorized users. A growing number of devices include public key infrastructure (PKI) support built into their products. In addition, standards are being evaluated and approved to require wireless terminals to use advanced security technologies to protect their wireless computing environments.
Again, as evidenced in the wired world, businesses and individuals alike no longer have the luxury of procrastinating about making security decisions. Although wireline security incidents far outpace those of the wireless IT domain, the rapid adoption of sophisticated technologies will drive a parallel increase in security breaches to wireless devices and networks. As each new wireless technology appears, hackers will devote more and more time to discovering and exploiting new vulnerabilities paralleling what has occurred in the wired world.
By employing a complementary combination of security solutions and common-sense best practices, wireless users can significantly reduce their exposure to security threats. And, as security standards and products evolve, users can prepare to embrace next-generation wireless devices and services that will help ensure their continued success in the wireless future.
Even as new vulnerabilities are identified and exploited, businesses can
mitigate or eliminate many of the wireless security risks with careful
education, planning, implementation, and management. The following 10 tips
will aid this process:
Reader Feedback: Page 1 of 1
Latest Cloud Developer Stories
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
SYS-CON Featured Whitepapers
Most Read This Week