Securing Smartphones for Government Use

SPECIAL REPORT: Smartphones & PDAs

By Barbara DePompa, 1105 Government Information Group Custom Media

As the use of smartphones and PDAs in the federal government continues to grow, so to do the security risks, which range from loss or theft of devices to malware infections, text, voice or email spam (used for phishing), to electronic eavesdropping, location tracking, theft of service through cloning and exposure of sensitive data at the server.


Via a range of specialized features such as cameras, Global Positioning System navigation, removable-media card slots and wireless interfaces that include infrared, WiFi, Bluetooth, as well as multiple cellular interfaces, these handheld devices can introduce a variety of vulnerabilities that federal agencies must somehow address.


Although the actual number of attacks on smartphones and PDAs is relatively low in number, especially as compared to attacks on agency networks and computers, as the industry shifts from multiple relatively proprietary solutions to devices that are based on open architecture standards, those safeguards are likely to diminish.


Luckily, Scott Totzke, RIM’s vice president of BlackBerry Security, explains that proper planning, specialized access controls and added tools and assistance from RIM and its partners can help federal agencies safely implement smartphones and PDAs in almost any environment, to gain the mobility they need, while still keeping agency data safe.


BlackBerry devices undoubtedly offer a host of advanced security features. “None of the benefits provided by handheld devices – greater productivity, quicker, better decision making – can be realized without ensuring the security of the communications channel and information stored on these devices,” he said.


Totzke pointed to current BlackBerry implementations in federal agencies, among first responders and in healthcare, each of which use a FIPS 140-validated encryption module. RIM was the first embedded operating system to successfully complete the validation process, a process the company has since repeated 15 times to keep pace with the demand for greater security, he said.


The National Security Agency (NSA) conducted a presentation on side-channel attacks on AES encryption not long ago, showing how hackers could get physical control of a device when it’s performing encryption, because the processor will draw different amounts of power and hackers can use this information to help them determine the encryption key. “We decided to work out a fix, working with University of Waterloo to implement electronic countermeasures against this differential power analysis vulnerability to minimize exposure to this type of threat,” Totzke explained.


Although the National Vulnerability Database, which is sponsored by the Department of Homeland Security’s National Cyber Security Division, lists 17 vulnerabilities for BlackBerry devices, RIM’s Totzke asserted none of those items are “open,” as RIM has worked to close each vulnerability as quickly as possible after it’s listed.


A Policy Matter
RIM officials recommend the enforcement of mobile security policies such as:

*Mandate device passwords with a minimum length, complexity and update frequency;

*Encrypt data, depending on its sensitivity or classification level, or based on specified agency parameters;

*Require inactivity timeouts;

*Prevent user changes to read-only parameters;

*Permit only voice calls on locked handheld devices;

*Disable riskier features such as Bluetooth and instant messaging.


Application policies can also go beyond the native capabilities, letting employers control custom and third-party applications installed on the device and the resources they are permitted to access. For example, an application can be permitted to reach internal and/or external domains, or prohibited from using Bluetooth or GPS. Controls like these can reduce risk. For example, BlackBerry devices have flown under the radar for mobile malware by running only IT-vetted applications.


Clearly, multidimensional policies and procurement guidelines are required for most federal environments. RIM offers over 500 IT policies that administrators can choose from to selectively implement the controls required to meet an individual agency’s security constraints. “It’s the granular level of security controls that set RIM apart,” Totzke explained, “because agency IT administrators can tailor these controls by the personnel or the specific agency’s security requirements.”


Meanwhile, through the use of the Secure Mobile Environment Portable Electronic Device (SME-PED), Department of Defense personnel can now more securely access classified information systems, while away from stationary mediums. The SME-PED is designed to provide up to Top Secret voice and Secret data communication capabilities for users.


The key to securing handheld devices ultimately boils down to maintaining some sense of balance between security and usability, according to industry observers. Totzke maintains that agencies must remember handheld PDAs are tools to enhance mobility and speed decision-making to improve responsiveness. There’s a requirement to manage constrained resources for battery power and CPU performance. “Multiple advanced security tools and requirements can drain power from these devices in hours rather than days,” he explained.