Always-on Society - Security

First the bad news: All the problems we’ve already experienced on the Internet—viruses, worms, Trojan horses, denial-of-service attacks and more—we’ll also experience on our mobile terminals in the future, regardless of whether they’re ordinary cell phones or smartphones. The good news is that we already know most of the security problems the always-on society will have to contend with. We know them from the Internet. So mobile communications aren’t subject to any totally unknown risks.

On the contrary: While mass attacks of viruses paralyze entire corporations and millions of private PCs more and more frequently because those potential targets are all using the same operating system, invasions like this will cause much less damage in mobile terminals. "That’s because, unlike in the PC world, there isn’t a uniform platform for mobile terminals," explains Dr. Stephan Lechner, who is responsible for the security of information technology at Siemens Corporate Technology.

Experts predict that, even after the expected market consolidation for mobile communications systems, there will be at least three to five different manufacturers. But their operating systems—for example Windows CE, Palm and Symbian—are very well-known to hackers. In theory, that means a virus attack could affect some 20 to 25 % of all mobile phones.

Until now, viruses have been able to successfully attack mobile phones only by exploiting particular, model-specific weak spots. The Cabir cell-phone virus for instance, which was rampant in early summer 2004, exploited a weak spot in the Bluetooth wireless technology. Only four mobile phone models of one manufacturer were affected, and then only if the Bluetooth function had also been activated. And though that virus only caused the word "Cabir" to be displayed on the cell phones, there’s simply no way we can predict the potential damage from mobile phone viruses. They could cause the display to freeze, for instance, trigger calls to expensive pay-per-minute numbers or unleash SMS mass mailings.

Avoiding Nightmares. "Hackers have to have a great deal of information about the cell phones or smartphones they want to attack," notes Otmar Knoller of Siemens Communications. What kind of software is installed? Which protocols are supported? When a user connects a mobile terminal to a PC to synchronize data, for instance, this creates a new, potentially unprotected connection to the internal data network that bypasses the firewall. At that very moment, it would be possible for a hacker to obtain unauthorized access to the Intranet, or a worm could enter the Intranet from the cell phone.

That’s a nightmarish thought for companies, but it remains purely hypothetical for the time being, according to Lechner. "Hackers would not only need a wealth of technical information; they’d also need to know exactly the time when the data was synchronized with the PC, which person was doing the synchronizing and which data that person could access via the Intranet," explains Lechner. This scenario also assumes that no security mechanisms exist at the time the synchronization takes place.

The technological cognoscenti actually know about many worst-case scenarios like these. But a technical solution already exists for most of them. Today, few manufacturers are supplying firewalls for mobile terminals. But when cell phones with high-speed Internet access come into widespread use a few years from now, users will be able to choose from among many security solutions for their phones—as with PCs today. Mobile personal firewalls will shield the terminal. Companies will establish a centralized profile that defines which users are authorized to access which applications. But it’s possible that private users, on the other hand, might lack the know-how required to set up a complex security profile. They’ll be able to get standardized profiles.

Secure Tunnels. And virtual private networks (VPNs) will also be technically feasible. With this technology, data transfer, for example data sent from a cell phone to a corporate server, takes place via a secure "tunnel" over the Internet. Along with precise authentication, this technology is the ideal way today of providing security in mobile Internet communications. And regardless of whether the connection is made from outside to the Intranet or using Voice-over-IP telephony, VPNs can transmit sensitive data securely. A virtual connection is established between a company’s special security server and the mobile terminal. All of the security transactions are transmitted through this connection, as is the encrypted user data.

The security awareness of mobile users is quite limited at present. Anyone who surfs the Internet using public WLAN access in hotels, airports or cafes without activating the recommended security features is easy to spy on. This is because today’s wireless networks frequently provide standard encryption of data packets with a key length of only 40 bits. The longer a key is, the more secure it is. That’s because the number of possible keys doubles with every additional bit.

The standard for high security is a key length of at least 128 bits. With key lengths like this, it would take a hacker using special software too long to test all possible combinations in a key. Before the software could find the right combination, the key would in most cases have already been changed.

Automated Security. At present, though, private users of open WLANs probably run no greater risk than having someone read their private e-mail. In truly sensitive transactions such as online banking, customers are protected anyway by end-to-end encryption and secure authentication by means of PIN and TAN codes. Data entered and encrypted in the terminal are decrypted only in the bank’s computer center. The browser automatically activates these safety provisions when it opens the banking site.

The same kind of automatic features will also protect the users of mobile multimedia devices. "Siemens is guided by the principle that security must originate in the product and not depend on the customers’ awareness," Lechner points out. Experience has shown that private users as well as many smaller companies hardly bother with consistently updating the protection of their Internet access to the latest status—both mobile and in the home. One solution would be updates of already purchased software that are transmitted automatically and securely. This approach could also be used to protect smartphones against virus attacks.

Absolute security, however, will still be technically and organizationally impossible to achieve. "Just imagine you’re aboard a flight. You’re using your notebook to communicate via a VPN Internet connection with your marketing chief, and it’s about a highly confidential marketing strategy. Sure, you’d have a secure communications link, but the person behind you could easily spy on anything that’s happening on your screen," Lechner cautions.

Katrin Nikolaus