Mobile Computing Security Through Obscurity
Make sure your company's mobile phones don't broadcast their presence via Bluetooth.
June 22, 2004
I wonder if part of your job as security administrator or manager includes handling mobile phone security? Someone at your company should be tending to that responsibility, especially if employees are storing company information on their phones.
Last week, Kaspersky Labs announced the discovery of the first virus to infect mobile phones. The virus, which Kaspersky named Cabir, affects mobile phones that use the Symbian OS. The virus is relatively harmless--its only purpose is to propagate itself, and it does so only to other phones that have Bluetooth enabled and are broadcasting their presence. However, Denis Zenkin, head of Corporate Communications at Kaspersky Labs, said that sooner or later, more malicious forms of mobile phone malware that will possibly destroy or steal data will begin to spread.
http://www.viruslist.com/eng/viruslist.html?id=1689517
Since Cabir spreads to mobile phones that broadcast their presence via Bluetooth wireless technology, you might want to configure Symbian to use Bluetooth in an invisible mode that doesn't broadcast the phone's presence. Configure other mobile phone OSs the same way to prevent any future attacks against them. Using invisible mode is similar to configuring wireless Access Points (APs) to not broadcast their SSID. If an AP broadcasts its SSID, intruders can detect it and use it as a starting point for penetrating your network. Bluetooth invisible mode is also similar to using a firewall, which makes your internal networks invisible to connected networks.
These security measures are probably common sense for you, but they might not be for mobile phone users in your organization. You could explain the security needs to users by comparing their Bluetooth-broadcasting mobile phone to a wallet or purse left lying on a car seat while they're out of the car. The wallet or purse is essentially begging somebody to break into the car and steal it. A little security through obscurity might save a lot of frustration sooner or later. Some people might disagree, but I think you can gain a fair amount of security by obscuring the presence of anything, whether it be a wallet, purse, or wireless network.
Of course, you can gain plenty of security by adding device protection, such as antivirus software for mobile phones, which is available from many antivirus software vendors. And, as I mentioned earlier, you might also consider some configuration changes to your mobile phone OS, particularly disabling Bluetooth broadcasts to make the devices somewhat invisible.
If you're interested in other problems with Bluetooth and mobile phones, you might want to read about a few other related vulnerabilities, which are mentioned in a recent Integralis press release.
http://www.integralis.co.uk/about_us/press_releases/2004/150604PR.html