Ron: Interesting backgrounder from e-week yesterday.
Tom D.
Thursday July 06 11:15 AM EDT
Unplugged and insecure
By Carmen Nobel and Scott Berinato, eWEEK
In wireless world, security comes second to getting apps out the dooreWEEK was formerly pc weekBy Carmen Nobel and Scott Berinato
The industry is rushing to wireless as it did to the Internet, and it's making the same hurried mistakes regarding security: minimizing its importance to get applications in the hands of users.
In an environment where beating the market reigns supreme and security takes second chair to proliferation, many experts predict that, much like on the wired Internet, wireless users and IT managers will end up fending off a steady stream of virus attacks, dealing with hacks into user accounts and scrambling to patch security holes. Security efforts that are under way are hampered by divergent networks and protocols and bickering over which methods are best for the wireless world.
"It's a question of how much business you think you're going to lose by having people break into the system vs. how much you think you're going to lose by not providing wireless capability at all," said Ajit Prabhu, CTO (chief technology officer) of U.S. Interactive Inc., a Web integration services company in Philadelphia.
Bullish numbers indicate that the number of wireless devices accessing the Internet will soon surpass that of PCs. International Data Corp. predicts 50 million handheld devices will be in the work force by 2003, a good portion of them with wireless capabilities. IGI Consulting foresees an 88 percent increase in the number of smart phones produced by 2003, jumping to 330 million units. And Forrester Research Inc. expects that 57 percent of the total work force will be mobile within two years.
Within those numbers, vendors see companies eager to tap wireless access for commerce, messaging and other mobile work force functions as soon as possible. Security is rarely a primary concern.
"Secure sockets didn't evolve until a year or two after we had had already sent terabytes of data over the Web without it," noted Matt Puccini, CTO of Muze Inc., in New York. "This marketplace was not built on massive security."
"In the Internet space, time to market is much more important than it was 10 years ago. What we end up doing is, we start to ratchet down," Prabhu said. "How low can I go and still get away with it?"
In some cases, vendors don't even need to ratchet down; the protocols being implemented in the wireless world simply don't lend themselves to high security.
WAP (Wireless Application Protocol), which is set to become the default standard for getting Internet data to cell phones, has a known security hole: the point where the data goes from the wires to the air for wireless transmission. At that juncture, called a WAP gateway, HTML data must decrypt and re-encrypt itself as WML (Wireless Markup Language) because it's going from SSL (Secure Sockets Layer) encryption, which supports HTML, to WTLS (Wireless Transport Level Security) encryption, which supports WML.
If you can access that gateway, you can intercept decrypted traffic before it's rescrambled.
This problem is supposed to be fixed in the next version of WAP, 2.0. But some in the WAP engineering community point to networks such as iMode, a system from Tokyo-based NTT Mobile Communications Network Inc. iMode uses compact HTML and is accepted in Japan because it lets wireless devices talk directly to Web servers. Most cell phones in Japan employ iMode, which has 7 million users.
In the United States, WAP 2.0 won't be out before November. When it's finalized, it is supposed to represent the baseline for wireless secu rity, but in the meantime, several other solutions exist: iMode; Palm.Net, a service from Palm Inc. (Nasdaq:PALM - news); and Phone.com Inc.'s Handheld Device Markup Language technology all incorporate their own security into the wireless infrastructure. It will take them time to adapt to WAP 2.0.
"Who's going to win, and who will dictate standards? I can't tell," said Michael Vergara, a wireless security project manager at RSA Security Inc. (Nasdaq:RSAS - news), in Bedford, Mass. "The debate is still too strong. There's a lot of pride on each side."
Developing security for the unplugged set faces other hurdles: The short battery life and limited processing power inherent in the devices are not conducive to high security, which consumes a lot of CPU cycles—and, hence, battery power.
Adding security to a handheld device is a complex issue, said Alan Kessler, chief operating officer at Palm, in Santa Clara, Calif. "It has to be simple, elegant, massively reliable and low-cost," Kessler said. "The big question is, How do you do this without needing a Cray [supercomputer]?"
Early indications are that vendors will trade off rigorous encryption for lighter-weight technologies. Some are offering 56-bit rather than 128-bit encryption for wireless devices. And RSA's new BSafe tool kit for WTLS encryption uses multiprime technology, which officials said sacrifices some security for size and performance.
But even if vendors secure transactions, the devices themselves might not be so secure.
In fact, some say the disposable nature of handheld devices and cell phones, coupled with little security, makes them a prime tool for hackers intent on launching new viruses into the public network.
"The reality is, the time will come when there's a reasonable chance one of these viruses will originate from a PDA [personal digital assistant] that's used to launch a virus, then thrown in a dumpster," said Simon Perry, a security expert at Computer Associates International Inc. (NYSE:CA - news), in Islandia, N.Y. "Try tracking that down."
Perry outlined the probable sequence of security problems in the wireless world, starting with Windows CE-based handheld devices being used to propagate malicious code, since CE accepts script and is tightly integrated with applications such as Microsoft Corp.'s (Nasdaq:MSFT - news) Outlook. That will be followed by other handheld devices being used as a spread mechanism. Perry said it's made easier by the fact that many PDA applications are shareware, which means hackers can download them to find holes.
Then, the devices themselves—PDAs first, then cell phones—will be targeted by viruses. Last month, a low-risk virus, Timofonica, sent messages to cell phones in Spain; eventually that kind of message could have a payload attached.
To many vendors, the solution to preventing these relatively disposable devices from catapulting new attacks on all computers is simple and available: certificates.
A PKI (public-key infrastructure) for wireless devices would make it necessary for users to authenticate to their devices before anything could be transferred to or from them. Certificates could be stored on a chip on the device or in tokens, such as smart cards, which plug into the devices.
Vendors want to adapt their PKI technologies to the wireless world. Officials with Certicom Corp. (Nasdaq:CERT - news), of Mississauga, Ontario, and Toronto-based Diversinet Corp. (Nasdaq:DVNT - news) said their companies are working with device manufacturers to ship PKI capabilities directly with their products; however, no plans have been announced. Officials expect solutions for PDAs to appear first, with secure phone browsers becoming available next year.
Without committing to specific plans, Kessler said Palm was looking at areas such as biometrics and digital certificates to address security.
It will take that time to make certificates small enough for wireless devices and also to adapt the certificates to wireless protocols.
Even if these goals are met, users are skeptical. Take financial trading companies, which are at the head of the wireless fray: Most use only password authorization.
New York-based w-Trade Technologies Inc., which created the wireless trading applications for Quick & Reilly Inc. and Merrill Lynch & Co. Inc., said those companies are steering clear of digital certificates.
"Generally, you see certificates only in business-to-business transactions," said Sergey Fradkov, CTO of w-Trade. "My issue with that whole thing is that the acceptance by the end user of the certificate will be slow unless the device makers embed this into the system. You need to go somewhere, register, download, and then it needs to be screened by someone. The consumers, at the end of the day, are the ones who pay. You don't want to turn away a customer who doesn't have a certificate. In general, the businesses will assume the risk."
There's also the management of all those certificates. Many IT managers are skeptical of PKI even in their staid client/server infrastructures—managing certificates for boxes that never move and have much longer life cycles than wireless devices is itself considered a huge challenge.
In short, vendors have many plans but few developed offerings—and users have yet to buy into some of the technology that is available.
"There's a whole can of worms that can be opened up on this end ... things like using voice print for biometric authentication, smart cards, etc. ... Lots of interesting technol ogy," U.S. Interactive's Prabhu said. "But it's not here yet."
That market is moving forward unabated, and many security experts said they believe a period of major setbacks—similar to this year's spate of Web site hacks, virus attacks and network compromises—will ultimately befall the wireless world.
"Until we get everyone working on security from the beginning, from the bottom up, we won't see that much improvement in general," said Katie Moussouris, a security engineer at TurboLinux Inc., in San Francisco. "We'll still be just closing holes and hiring consultants."
"Back in the early '90s, no one thought about security, so everyone tried to solve it later," RSA's Vergara said. "PKI came in at the end, and it was really too late to fix what we had built. This time, we know what will happen. We can do this from the beginning, not the end."
So far, they haven't. |
