Do PDAs Pose a Security Risk?

John in marketing went out on Saturday and spent his bonus on a shiny new handheld computer. He has spent the weekend playing with it, and now he's trying to install the handheld's backup software on his work PC.

Should his IT manager stop him? Company policies range from laissez-faire to completely banning outside devices for fear of opening the network to the risk of attack. With virus companies offering firewalls and virus scanners for PDAs, do companies need to worry, or is it all hype to sell more security software?

Low Risk

Users, analysts, and even security companies agree that the threat of PDA viruses is low to nonexistent right now. First, the devices themselves aren't yet sophisticated enough to execute complicated code, including malicious code. Second, at the moment there isn't a large enough number in use to make it worth a hacker's effort. But perhaps this is the time when companies should start looking at how they will manage when PDA viruses do, inevitably, start to appear.

So far, very few instances of PDA-focused malware or malicious code have surfaced, says Laura Garcia-Manrique, a Symantec group product manager.

"In August 2000, we saw the first examples: three [Trojan horses] written for the Palm operating system. Since then there's been one virus, written for Windows with a combined payload that got delivered to the Palm when it was synced. But that's it. That's everything we've seen," Garcia-Manrique says. The combined virus was found in October 2001 and nothing has been seen since, she says.

But that doesn't mean management or users can be complacent, Garcia-Manrique says. Malicious code will be written for handheld devices as soon as the installed base of devices is big enough, "and I can see that happening probably within two years" as the communications capacity of the devices grows, she says.

New Concerns

The concern about PDA viruses has changed, says Garcia-Manrique, in that in 2000 most of the concern was from users themselves, worried about what could happen to personal devices they had bought for their own use. Now many companies provide them for staff, and IT managers are looking at the effect they have on the network.

Mervyn Eyles, UK infrastructure manager at Honda Motor Company, says Honda used to supply PDAs to staff but stopped doing so some 18 months ago. Since then, he says, they just manage whatever devices the staff members choose to buy.

While Eyles recognizes the risks that viruses pose, "any mobile device brings the same risks. As do disks. We have a fair degree of confidence in our virus protection software, and it's already saved us from some big viruses," he says.

Setting Limits

The software on PDAs is a limiting factor for malicious coders, Garcia-Manrique says. "The version of [Microsoft's] Outlook on a Pocket PC device doesn't have the same capacity to execute code as the version on a PC, so script viruses wouldn't operate, nor would macro viruses, as macro code doesn't execute on a Pocket PC device. It's the scripting capabilities that open the door for malicious code," she says.

The limited scripting environment, which doesn't support Visual Basic, means that most malicious code won't operate, agrees Steve Crayson, a device specialist with Microsoft EMEA (Europe, Middle East, and Africa) Mobile Devices Division.

"In three years using a Pocket PC, I've never seen a virus," Crayson says. There has been plenty of hype about the danger, "but I'm not aware of any real threats. And I download all sorts of applications all the time," he says.

Coming Soon?

However, hackers will undoubtedly use PDAs to get at PCs and networks in the future, Garcia-Manrique says. "Viruses are transmitted using the most popular communication methods, and today that's [regular] e-mail. Ten years ago it was floppies. Once the [PDAs] have 802.11 LAN access and direct Internet connections, you get much more information flowing back and forth, and the door is much more open."

Jack Clark, product marketing manager for Network Associates, sellers of McAfee antivirus products, agrees with the floppy analogy. "The PDA is the modern version of the floppy, but with much greater storage. I've seen it happen myself. I synced my handheld with my PC, and it picked up a virus I'd received by e-mail." That virus had been written for PCs, he says, not for the PDA itself.

McAfee has developed antivirus and firewall products for PDAs, he says, not because it believes that dangerous code is rife but because hackers "have demonstrated that it's possible. And so we're just saying, let's get firewalls and scanning on there, close the door before the horse bolts."

From an organizational viewpoint, Clark says, the first step is to determine where the vulnerabilities are. "Scan your network and find ... where the PDAs are connecting."

Symantec, too, offers security products to ease these concerns, but Garcia-Manrique stresses that, so far, it's more important to watch what's happening with wireless laptops. "The impact to the network hasn't really changed with PDAs. The perimeter is extended a little, but the recommendations are the same. You need integrated security across all devices," she says.

Mobile Phones: Reason to Worry?

If PDAs aren't such a big concern, what about the other ubiquitous mobile device in every office--the mobile phone? Modern phones can give access to e-mail and company documents too. Are they a cause for concern?

It is harder for Microsoft to control the security on its Smartphone products than on PDAs, Crayson says. "We let the mobile operator choose whether it's locked to third-party developers or not, whether they demand that applications have been assigned digital signatures." For the most part they do, he says, because they want to protect their networks from trouble.

However, there is a strong push from developers wanting access to the devices to run their own applications, and several have proved that the phones can be unlocked to accept unauthorized code. On developer Web sites earlier this year, for example, users discussed how to unlock the security on Orange's SPV Smartphone.

Protect Yourself

Now is the time to look at the security on phones, before the problem grows too large, says Alyn Hockey, director of Clearswift's Future Products Group. There are relatively few smartphones in use, so a virus wouldn't get mass distribution at the moment, he says.

And while developers may like to add their own software, anyone who unlocks the security on their phone has to recognize how vulnerable they make themselves, he says. "It's like taking all the locks off your front door."

Craig Heath, strategic product manager for security at Symbian, says that "malware is typically quite small, a few [kilobytes] at most," and so even the more-limited operating system on a smartphone, compared with that of the average PDA, represents a potential danger if it has access to a company's network.

"It's a difficult risk to quantify. I wouldn't say there's no need to worry, but I wouldn't say you should throw your phone in the bin. Certainly, phones with open operating systems that allow third-party development are more vulnerable, because you have to give people access to the development kit," he says.

Symbian works with antivirus companies to ensure that scanning software works with its operating system, and also with the device manufacturers on certification programs, Heath says. "[But] we are very much at the mercy of licensees, who choose what software to put on the phones," he says.

Users also have to recognize that they have an "obligation of care," Heath says, "and not go installing any old rubbish that people send them."