Traversing the carpeted walkways of the Las Vegas Convention Centre last week, Caleb Sima looked like many other programmers at Comdex: young, lean, laid-back and with a taste for earth tones.
What was less apparent is that he also has a penchant for uncovering new security threats.
"I dabble in cell phone security for fun," said the CTO and co-founder of Spi Dynamics, an Atlanta company that makes software for uncovering vulnerabilities in Web applications.
Sima spoke on a panel about the growing handheld security threat, a hot topic at a conference where dozens of mobile network products were on display.
What Sima said he had learned dabbling with cell phone security was that nobody - not software developers, carriers, corporate network executives and certainly not end users - appeared to have looked seriously at this issue. This, despite the fact that millions of cell phones are now in the hands of corporate employees.
Sima recently began playing with Short Message Service (SMS) as a way to launch a denial-of-service attack against cell phone users, using his own phone and those of co-workers.
"I can send 1000 SMS messages to your cell phone in the blink of an eye," he said. "And I can do it anonymously." Sima created an SMS flood, as he terms it, that rendered his cell phone unable to make or take calls.
After the experiment, he contacted his cellular carrier, T-Mobile, and asked if it could stop or block an SMS flood. Sima said the answer was "no." Rubbing salt into the wound was his subsequent discovery that T-Mobile charges the subscriber on the receiving end of the flood for every SMS message over a certain limit.
Sima paid more than $US30 for being attacked.
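Sima's point is that the carrier had no control at the point where it would matter: the message gateway, before delivery to the handset. The following is an added illustration, not code from the article, Sima or any carrier, of the simplest control that would have helped him: a sliding-window rate limit keyed on the recipient rather than the sender, because the sender of an SMS flood is trivially forged ("I can do it anonymously"). The log format, the window and threshold values and the sample messages are all constructed for this example.

```python
"""Per-recipient SMS flood limiter (added example; all inputs constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumption: look-back window per recipient
THRESHOLD = 20                  # assumption: messages admitted per recipient per window


def parse_line(line):
    """Hypothetical gateway log line: '<ISO timestamp> <sender> <recipient>'."""
    ts, sender, recipient = line.split()
    return datetime.fromisoformat(ts), sender, recipient


def build_sample_log():
    """Constructed log: five ordinary messages to one subscriber spread over
    five minutes, then a 50-message flood in two seconds to a second
    subscriber, each message from a different (spoofed) sender."""
    t0 = datetime(2003, 11, 20, 10, 0, 0)
    lines = []
    for i in range(5):
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} +15550001111 +15551230000")
    for i in range(50):
        ts = t0 + timedelta(milliseconds=40 * i)
        lines.append(f"{ts.isoformat()} +1555000{i:04d} +15559990000")
    lines.sort(key=lambda l: parse_line(l)[0])  # arrival order
    return lines


class FloodDetector:
    """Keys on the recipient: that is the party being harmed and the only
    identifier in the message the attacker cannot choose."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)  # recipient -> delivery timestamps in window
        self.dropped = defaultdict(int)   # recipient -> messages withheld

    def admit(self, ts, recipient):
        """Return True to deliver, False to withhold (and, in a real gateway,
        not to bill the subscriber for)."""
        q = self.recent[recipient]
        while q and ts - q[0] >= self.window:  # age out old deliveries
            q.popleft()
        if len(q) >= self.threshold:
            self.dropped[recipient] += 1
            return False  # withheld messages do not extend the window
        q.append(ts)
        return True


def run(lines, detector=None):
    """Replay a log through the detector; return (delivered, dropped) counts."""
    detector = detector or FloodDetector()
    delivered = defaultdict(int)
    for line in lines:
        ts, _sender, recipient = parse_line(line)
        if detector.admit(ts, recipient):
            delivered[recipient] += 1
    return dict(delivered), dict(detector.dropped)


if __name__ == "__main__":
    delivered, dropped = run(build_sample_log())
    for recipient in sorted(set(delivered) | set(dropped)):
        print(f"{recipient}: delivered={delivered.get(recipient, 0)} "
              f"dropped={dropped.get(recipient, 0)}")
```

On the constructed log the ordinary subscriber's five messages all pass, while the flood victim receives the first 20 and the remaining 30 are withheld. The obvious caveat is that a fixed threshold also trips on legitimate bursts (group notifications, one-time codes re-sent in a hurry), so a gateway would pair this with a subscriber-selectable limit and, above all, would not bill the recipient for what it withholds.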
Two IT professionals from a big aerospace company sat glumly at the end of Sima's presentation. They heard him say, "People can attack your phones and PDAs very easily."
"It's alarming," says Fred Brooks, who heads an IT team supporting executives at the aerospace company, which he requested not be named. His end-users have Research In Motion Blackberries, which sport an array of built-in security and data-protection features. But cell phones and smart phones are another matter.
"We forbid cell phones with cameras," Brooks says. "But how do you enforce that? We don't have the resources or the mandate to pat people down [and physically search them]."
That could be next, as network executives realise the scope and seriousness of the potential security problem.
"One of our enterprise customers stated the problem very clearly," said Dave Nagel, chairman and CEO of PalmSource, the recent Palm spin-off that has responsibility for the PalmOS operating system. "He said, 'I have a $US250 device with $US250 million worth of corporate data. How are you going to help us protect that?'
"A lot of the problems have to be solved in the network and in the device itself," Nagel said.
The next release of PalmOS, due by year-end, will feature protected memory and support digitally signed applications.
Among other things, protected memory could prevent malicious applications from accessing data or parts of the operating system, Nagel said. Digital signatures would make it easier to block malicious or untrusted applications from finding a home on the PalmOS device.
But security experts, and at least some users, are underwhelmed by what vendors and service providers are doing to solve the problem of device security. Most of that work falls to network, IT and security professionals.
Information security manager at the J. Craig Venter Science Foundation, Jody Patilla, said she spent about six months building security policies into the organisation.
Patilla still struggles to keep those policies enforced across wireless LANs (WLAN) and mobile clients. One problem is end-users who consider themselves exempt from following security policies.
She recommended getting human resources or upper management backing for wireless and mobile security.
The potential problems are daunting.
Vice-president of operations at Bluefire Security, Tom Goodwin, spoke on the handheld security panel and ran through a litany of threats: theft and corruption of corporate data; unauthorised access; disruption of transactions to and from the handheld; loss of data; and malicious code passed to an enterprise network from the handheld.
If the device was stolen or lost, and unprotected, corporate emails and other data were exposed, Goodwin said. With handheld memory capacities on the rise, the amount of data lost could be substantial.
Worse, Goodwin said, your current tools, which were designed for wireline networks over which you had broad control of client PCs anchored to desks, didn't work.
"Conventional [security] techniques don't reach out to protect handheld devices," he said.
Goodwin cited the practice of businesspeople "beaming" their electronic business cards to each other, via infrared, Bluetooth or a peer-to-peer WLAN connection.
"That data could have a Trojan horse," he said. "Then when you sync your handheld to your desktop PC, you introduce that Trojan horse to the corporate net."
He recommended defence in depth: policies that spelt out the threat to users and their responsibilities; and an analysis of what corporate data was on the handhelds or accessed by them, its sensitivity and how it was accessed. Then, make use of personal firewalls, create a solid anti-virus architecture, and run regular scans of the software versions and patches on the handhelds.
Use VPNs for connections and file encryption on the device, he said.