Cell Phone Security CMPT 585 Special Topics in Computer Science Computer and Data Security December 19, 2005 By Jay TrentPage 2 Table of Contents Introduction....................................................................................................................... 3 Functions............................................................................................................................ 3 Standards........................................................................................................................... 3 M-Commerce..................................................................................................................... 4 What’s at Risk................................................................................................................... 5 Vulnerabilities ................................................................................................................... 5 Bluetooth®...................................................................................................................... 6 Improving Bluetooth Security......................................................................................... 6 Bluesnarfing and Bluebugging ....................................................................................... 7 Threats ............................................................................................................................... 7 Viruses................................................................................................................................ 8 Methods of Wireless Security .......................................................................................... 8 Future................................................................................................................................. 9 Conclusion ......................................................................................................................... 9 Sources ............................................................................................................................. 10Page 3 Introduction Cell phones communicate through the air by radio waves within areas, or cells, each with its own base station which can use the same frequencies as the other cells. The base station connects to the operator's backbone network and the wider public telephone network as well as the networks of other mobile phone operators. So cell phones are a combination of radio and telephone technology. [02] Mobile phones and the network they operate under vary significantly from provider to provider, and from nation to nation. However, the phones typically have a low power transceiver that is designed to transmit voice and data up to a few kilometers to where the tower is located. The handset constantly listens for the nearest tower with the strongest signal as it moves or roams around the network. The dialogue between the handset and the tower is a stream of digitized audio. The technology that achieves this depends on the system which the mobile phone operator has adopted. [01] However, most phones today are 2G, or second generation, meaning they use digital transmission. Functions Cell phones have all the basic functions of land line phones. Cell phones also support other services such as Short Message Service (SMS) for text messaging, packet switching for access to the Internet and Multimedia Messaging (MMS) for sending and receiving photos. [01] There are PDA (personal digital assistant)/phone hybrids known as smartphones that have Microsoft Office applications and can access data from the corporate office. One of the industry leaders in this area is the Research in Motion (RIM) Blackberry. The BlackBerry handheld provides email service and access to corporate data. Through the BlackBerry Enterprise Server, system administrators can create and send wireless commands that enable and disable BlackBerry Wireless Handheld functionality, such as changing handheld passwords, and locking or deleting information from lost handhelds. The BlackBerry uses the Triple-DES encryption method to protect data while it is in transit between the BlackBerry Wireless Handheld and BlackBerry Enterprise Server. The BlackBerry end-to-end security model establishes a secure link between the BlackBerry Enterprise Server on the corporate network and the BlackBerry handheld. [04] StandardsPage 4 Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions. [08] Federal guidelines set by NIST for the use of wireless devices state that a user must be able to remotely manage and wipe clean the device, that data should be encrypted using FIPS 140-2 encryption, and that some features, such as cameras, could be restricted. When the U.S. Department of Veterans Affairs put into use the Research in Motion BlackBerry and wireless handhelds based on Microsoft's Pocket PC and the Palm operating system, Trust Digital's Mobile Edge Security software designed for PDAs first had to be added. [05] Wireless Application Protocol (WAP) is an open international standard for applications that use wireless communication, for example Internet access from a mobile phone. WAP was designed to provide services equivalent to a Web browser, being specifically designed to address the limitations of very small portable devices. It is now the protocol used for the majority of the world's mobile internet sites, otherwise known as wap-sites. The Japanese i-mode system is the other major competing wireless data protocol. The Wireless Transport Layer Security (WTLS) provides public-key cryptography-based security similar to TLS. Its use is optional. [23] SSL provides endpoint authentication and communications privacy over the Internet using cryptography. In typical use, only the server is authenticated (i.e. its identity is ensured) while the client remains unauthenticated; mutual authentication requires public key