The thing about smartphones that makes them smart – the ability to do many of the things a personal computer can do – is also what makes them a threat to organizations: A stolen or lost smartphone could contain sensitive data or an easy entry to a network.
Because smart cards are increasingly being used by organizations for ultra-secure office and PC access, four years ago Research In Motion began selling a wearable smart card reader for BlackBerrys.
Next month the Waterloo, Ont. company will release an updated version of the $199 device which is thinner, has a larger and backlit screen on the back and improved security features.
The purpose is to give an extra layer of security for BlackBerrys. The reader connects via Bluetooth to the handset, letting the user’s smart card be used as a secure token in addition to a password before the handset can be accessed.
Industry analysts say it’s a device mainly used by the military or companies involved in sensitive research who want the ultimate in handset security.
“This version improves the usability of the product,” said Michael Brown, RIM’s director of product management, “while there are additional [software] controls for the user and administrators, such as the ability to use the reader without a smart card as a proximity access token to your BlackBerry” – that is, if the device isn’t within the proximity of the reader, it locks.
It’s an extra level of protection in case, as Brown puts it, “your BlackBerry walks away from you.”
The reader weighs 64 grams (2.26 oz.), is 1.44 cm (0.57 inches) thick and can be worn around the neck or kept in a pocket. It’s powered by an integrated lithium ion battery. Security keys can be managed through BlackBerry Enterprise Server.
The software lets administrators set up policies such as mandatory encryption of every e-mail, or requiring that the user unlock the handset with a smart card before making a call.
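The access rules the article describes (password plus smart card token, proximity lock when the reader drops off Bluetooth, card-unlock before a call, mandatory e-mail encryption) can be modelled as a small policy engine. The following is an added illustration, not RIM’s code or BES policy names; the policy and handset fields are hypothetical:

```python
"""Model of the unlock and proximity-lock policies the article describes.
Hypothetical illustration only: not RIM's code or BES policy names."""
from dataclasses import dataclass

@dataclass
class Policy:
    require_smart_card: bool = True       # card token needed in addition to password
    proximity_lock: bool = True           # lock when the reader leaves Bluetooth range
    card_unlock_before_call: bool = True  # must be card-unlocked before dialling
    encrypt_all_email: bool = True        # mandatory encryption of every e-mail

@dataclass
class Handset:
    locked: bool = True
    unlocked_with_card: bool = False
    reader_in_range: bool = True

def try_unlock(hs, pol, password_ok, card_token_ok):
    """Apply the unlock rule: password always; card token too when policy says so."""
    if not password_ok:
        return False
    if pol.require_smart_card and not card_token_ok:
        return False
    if pol.require_smart_card and not hs.reader_in_range:
        return False  # the card token only reaches the handset over the reader link
    hs.locked = False
    hs.unlocked_with_card = card_token_ok
    return True

def reader_link_changed(hs, pol, in_range):
    """Proximity token: losing the reader link locks the handset; returns lock state."""
    hs.reader_in_range = in_range
    if pol.proximity_lock and not in_range:
        hs.locked = True
        hs.unlocked_with_card = False
    return hs.locked

def may_place_call(hs, pol):
    if hs.locked:
        return False
    return hs.unlocked_with_card or not pol.card_unlock_before_call

def outbound_email_encrypted(pol, user_chose_encrypt):
    """Admin policy overrides the user's choice when encryption is mandatory."""
    return user_chose_encrypt or pol.encrypt_all_email
```

Running the strict policy against a handset that loses its reader link shows the lock taking effect and the card-only unlock being refused until the link returns.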
The upcoming version of the reader supports a wider range of smart cards, including all ISO 7816-compliant cards such as Personal Identity Verification (PIV) cards, Common Access Cards (CACs) and Safenet 330 cards.
It also supports more complex Bluetooth pairing PINs, with numbers, letters and symbols instead of only numbers.
Like its predecessor, the new version includes an AES-256 encryption overlay for Bluetooth and a FIPS 140-2 validated encryption module.
Few organizations need such security, but there’s little on the market between this device and a handset password.
“I certainly see the attraction and value of the BlackBerry Smart Card Reader,” said Bill Nagel, an Amsterdam-based security and risk management analyst, “and to be honest, I wish they had more traction” because most smartphones are “very poorly secured.”
But most IT administrators feel it isn’t cost-effective for the risks in their organizations, he said, and other IT and network problems are getting higher priority.
“In enterprises,” he added, “it’s difficult enough to get people to put passwords on their BlackBerrys,” let alone get them to carry something else with them.
To be fair, a staffer who doesn’t have access to sensitive data through a PC won’t have it on their handset either. Still, a number of industry analysts noted that fingerprint readers give laptops better integrated security than handsets.
For the time being, Nagel said, handset security for those not needing a smart card reader will rely on using the strongest passwords and PIN policy the handset can handle, as well as the ability to remotely wipe data on a handset if it goes missing. On top of that, a virtual private network for connectivity may be in order.
Microsoft’s System Center Mobile Device Manager for Windows Mobile and CE devices, as well as Apple’s iPhone OS 3.0, have these capabilities. Other helpful mobile management software features to watch for include the ability to turn off a handset’s camera, to lower the possibility of in-house secrets being photographed.
Many virtual private network (VPN) solutions from companies such as RSA and Check Point Software include PIN-restricted protection.
Security software for Android-powered phones is not thought to be up to enterprise standards yet.
Encrypting data is an option on some devices. However, Mark Tauschek, lead research analyst for Info-Tech Research in London, Ont., says that iPhone OS’s encryption has some flaws.
The biggest security mistake organizations with mobile users make is relying on verbal policies as the only security control, said John Pescatore, a Gartner vice-president of research who specializes in network security. “Many companies don’t force passwords on users,” he said, “but they tell them ‘Don’t leave your device unattended et cetera.’ But they are going to be lost.” Users should also be given tools to help them stay secure, he added.
Sean Ryan, a mobile enterprise research analyst at IDC, said one reason smartphones haven’t been attacked as much as PCs is that, like in-house security, mobile security has to be layered.
The biggest mistake he sees organizations make is not addressing mobile security until it’s too late.