Friday | 10 July, 2009
CSO
Ten dangerous claims about smartphone security
Our columnist sees Barack Obama with that BlackBerry and shudders
Jon Espenschied (Computerworld) 27/03/2007 15:04:37

3. Communications are encrypted from end to end.

BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but in practice e-mail and other traffic is encrypted only between the handset and the phone company's or service provider's servers. Beyond that point, e-mail, instant messages, and file transfers may be transmitted unencrypted over the public Internet by default. The far "end" of the encrypted path is a server, not the person you are writing to.

This is less of a concern for closed organizations where everyone involved uses the same service, but vendors, partners, consultants, and others outside the organization often use their own e-mail addresses and smart phones on other carriers. There is no guarantee of message encryption on those legs, so the risk is no better or worse than for any other Internet e-mail.
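One way to see where the encryption actually stopped is to read the Received: trail that each mail server adds as a message passes through it. The script below is an added example and not part of the original column; the message it parses is constructed, and the TLS detection is a heuristic: mail servers record transport security differently (Postfix writes "with ESMTPS", Exim "with esmtps (TLS...)", Sendmail a "(version=TLSv1 ...)" clause), the trail covers only SMTP hops and not the phone-to-carrier leg, and any server can forge the headers added before it reached it.

```python
"""Flag Received: hops of an e-mail that carry no TLS marker.

Added illustration; the message and host names are constructed, and the
markers below are a heuristic covering common MTA formats, not a standard.
"""
import email
import re

# Constructed sample: the handset's hop to its carrier used TLS, the carrier's
# hop to the recipient's MX did not, and the recipient's internal relay did.
SAMPLE_MESSAGE = """\
Received: from mx.corp.example (mx.corp.example [198.51.100.5])
\tby mail.corp.example (Postfix) with ESMTPS id 1A2B3C
\tfor <alice@corp.example>; Tue, 27 Mar 2007 15:04:37 -0400
Received: from smtp.carrier.example (smtp.carrier.example [203.0.113.9])
\tby mx.corp.example (Postfix) with ESMTP id 4D5E6F
\tfor <alice@corp.example>; Tue, 27 Mar 2007 15:04:30 -0400
Received: from handset.carrier.example ([10.1.2.3])
\tby smtp.carrier.example (8.13.1/8.13.1) with ESMTP id l2RJ4Sxx000123
\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
\tTue, 27 Mar 2007 15:04:28 -0400
From: bob@carrier.example
To: alice@corp.example
Subject: quarterly numbers

The numbers are attached.
"""

# Markers that common MTAs put in a Received: header when the hop used TLS.
TLS_MARKERS = re.compile(
    r"\bwith\s+(?:utf8)?e?smtpsa?\b"   # Postfix/Exim: ESMTPS, ESMTPSA, esmtps
    r"|\(version=(?:TLS|SSL)"           # Sendmail: (version=TLSv1/SSLv3 ...)
    r"|\(TLS",                          # Exim: (TLSv1:...) / (TLS1.0:...)
    re.IGNORECASE,
)

# "from <sender host> ... by <receiving host>" as written by the receiving MTA.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def analyze_hops(raw_message):
    """Return one dict per Received: header, oldest hop first, with a TLS flag."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Headers are prepended as the mail travels, so the top one is the newest.
    for value in reversed(msg.get_all("Received", [])):
        unfolded = re.sub(r"\r?\n[ \t]+", " ", value)   # join continuation lines
        m = HOP_RE.search(unfolded)
        hops.append({
            "from": m.group(1) if m else "?",
            "by": m.group(2) if m else "?",
            "tls": bool(TLS_MARKERS.search(unfolded)),
        })
    return hops


def cleartext_hops(raw_message):
    """The hops whose header shows no sign of TLS: where the mail was readable."""
    return [h for h in analyze_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in analyze_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEAR"
        print(f"{status:5s} {hop['from']} -> {hop['by']}")
```

On the constructed message the middle hop, carrier to corporate MX, is reported as clear text, which is exactly the leg the claim above glosses over. Absence of a marker does not prove the hop was unencrypted (some MTAs log nothing), but a marker's presence on every hop is the minimum you would want to see before calling a path "encrypted".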

4. The connection's secure unless I use Wi-Fi in a cafe.

Some might be concerned about the cellular connection itself. The GPRS and EDGE data services used by T-Mobile and Cingular ride on GSM, and the GSM A5 family of air-interface ciphers (A5/1, and the deliberately weakened export variant A5/2; GPRS data uses the related GEA ciphers) has been broken in ways that let a motivated eavesdropper reconstruct voice and data conversations with only a few thousand dollars of equipment. Note also that this encryption covers only the radio link between the handset and the base station; on the carrier's backhaul and core network the traffic is in the clear regardless. CDMA and its associated algorithms are mildly more secure, but many carriers choose not to enable all of the security controls available because of performance and handset compatibility.

Using a VPN can mitigate this problem for sensitive data; beyond that, make sure essential services are also encrypted at the application level using SSL or similar protocols, so that confidentiality does not rest on the tunnel alone. While it might seem redundant, running a voice over IP client through the smart phone's VPN data connection is one way to ensure that voice calls are private, with the same caveat as in claim 3: the VPN protects the call only as far as the VPN gateway, and from there to the far party the SIP signalling and RTP audio are in the clear unless they are separately protected (TLS for SIP, SRTP for the media). Direct SIP-compliant VoIP clients are best for this; closed-protocol solutions such as Skype Mobile may try to route across a public connection even if a VPN is available, and may relay connections between NAT'ed endpoints through random clients on the Internet, so Skype is not a good candidate in this scenario.
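Whether the VoIP traffic is inside the tunnel at all depends on the routes the VPN installs, not on the client. The check below is an added example, not code from the column: it applies the kernel's longest-prefix-match rule to a constructed routing table (interface names, prefixes and endpoint addresses are all invented) and reports which endpoints would leave the handset in the clear under a split tunnel versus a full tunnel.

```python
"""Which VoIP endpoints would a handset reach inside its VPN tunnel?

Added illustration with a constructed routing table and endpoint list; on a
real device the table comes from the VPN client or the OS (e.g. netstat -rn).
"""
import ipaddress

# Constructed routing table after a split-tunnel VPN comes up: only the
# corporate 10.0.0.0/8 goes through tun0, everything else via the data link.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "ppp0"),        # default route: carrier data connection
    ("10.0.0.0/8", "tun0"),       # corporate networks via the VPN
    ("203.0.113.0/24", "ppp0"),   # the VPN gateway itself must stay outside
]

# Same handset with a full tunnel: the default route now points into the VPN.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),
    ("203.0.113.0/24", "ppp0"),
]

# Constructed endpoints a softphone might talk to.
ENDPOINTS = {
    "corporate SIP proxy": "10.20.30.40",
    "public SIP provider": "198.51.100.7",
    "relay peer (Skype-style)": "192.0.2.88",
    "STUN server": "198.51.100.200",
}


def egress_interface(dest, table):
    """Longest-prefix match: the most specific matching route decides the interface."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit(table, tunnel_iface="tun0"):
    """Map each endpoint to True if its packets leave through the VPN interface."""
    return {name: egress_interface(ip, table) == tunnel_iface
            for name, ip in ENDPOINTS.items()}


if __name__ == "__main__":
    for label, table in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(label)
        for name, inside in audit(table).items():
            print(f"  {name:26s} {'inside VPN' if inside else 'IN THE CLEAR'}")
```

With the split-tunnel table only the corporate SIP proxy is protected; the public provider, the relay peer and the STUN server are all reached directly over the carrier link, which is the situation the paragraph above warns about. A full tunnel fixes that for everything except the VPN gateway's own prefix, which necessarily stays outside.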

It's also worth noting that "VoIP with AEC," one of the features listed for Windows Mobile 5, is not encryption: AEC stands for Acoustic Echo Cancellation, not the NIST Advanced Encryption Standard (AES) specified in FIPS 197.
