Computer Security Article

The flip side of the wireless explosion:
Dealing with WAP-gap security risks
Author: Stephen Cobb CISSP
Status: First published, Sun Server, January, 2001.


The number of WAP (Wireless Application Protocol) phones in use in Europe this year is said by Datamonitor to be 15 million, with 45 million forecast by the end of 2001. Ericsson predicts 600 million mobile Internet subscribers worldwide by 2004. But not all of them will be using phones. Some will be using devices like RIM’s BlackBerry, a PDA with an always-on Internet connection for instant e-mail receipt and Web access. Others will enable constant Internet connections to their existing PDAs and laptop computers via GSM and GPRS modems. A whole range of yet-to-be-delivered devices will be talking to the Internet, and each other, via Bluetooth connections.

Of course, the chance to multiply and expand the productivity benefits and revenue potential of the wired Internet through wireless connections has a lot of companies spending big bucks to make sure they don’t miss this latest phase of the information economy. But not everyone is happy. You can already hear the rising chorus of groans from those whose job responsibilities include protection of corporate information assets. Many security professionals are less than thrilled by the prospect of valuable data being pumped into the ether. And consumers concerned about privacy worry that personal data will be snatched out of thin air by persons with less than honorable intentions.

Wireless security is certainly a challenge, and for those who relish a challenge, it represents an intriguing mix of old and new problems. What is new is the removal of many physical protections upon which wired data has historically relied. For example, it is typical for organizations today to provide different levels of protection for the different points of entry into their networks. Workstations on desktops behind closed doors may only be protected by user name and password; whereas laptops used to access the network from remote locations may require security tokens as well. There is probably some level of control over access to wiring cabinets, network hubs, switches and routers and so on. If someone within the office was going to attach a sniffer to the network, there is a fair chance it would be detected.

Wireless access puts not only the client device, but also the data, well beyond the physical control of the organization. Sniffing of data traffic can be done without any risk of detection, over a much wider range of locations. Furthermore, the client device, in the case of a cell phone or PDA, is even easier to steal than a laptop computer. Although today’s mobile devices cannot store as much data as today’s laptops, they can store a lot more than many early PCs. Compromise of the wireless client thus poses a double threat to data: the remote access to data which the device enables, and immediate access to the downloaded data which is stored within it. When such devices are accorded larger roles in corporate systems, the scale of both of these threats will increase.

Old problem, new look
What is not so new in the wireless security challenge is the security architecture. Consider the “WAP gap” as one example. Any Web search for the words “security” and “wireless” will turn up plenty of articles about the WAP gap, a reference to the lack of end-to-end encryption in early deployments of WAP. But this gap is more about system architecture and design than about a weakness in the protocol itself.

In fact, WAP 1.0 starts out at a level of security which should be the envy of other protocols. WAP 1.0 has built-in encryption, provided by WTLS (Wireless Transport Layer Security), which is derived from TLS 1.0 (Transport Layer Security), the standard Internet security protocol based on SSL 3.0 (Secure Sockets Layer). WTLS is optimized for wireless operation, specifically formulated to enable secure transactions, with low power and memory requirements. This is achieved by minimizing protocol overhead, using better compression and employing efficient cryptographic algorithms.

The gap occurs because WAP 1.0 only provides for encryption of traffic between the WAP client (handset) and the WAP gateway. The gateway deciphers the traffic to determine where to send it, then re-encodes it, typically with SSL, for transmission to the destination Web host. This means there is an opportunity for compromise of data integrity and confidentiality at the gateway. However, this is not a problem if the gateway and the Web host are within the same trust domain, which is how the WAP architecture was probably envisioned to begin with. The gap is introduced when the gateway is operated by someone other than the Web host, which has tended to be the way that WAP has been deployed in the real world.


[Figure: Trust and encryption gaps in Wireless Application Protocol]

This means that when your company looks towards implementing wireless connectivity, either for itself or for clients, there needs to be a clear sense of trust domains. One security methodology that stresses the importance of trust domains is 3LA or Three-Layer Analysis, developed by David Brussin, director, security technology for Rainbow Technologies, Spectria Division. 3LA reveals common errors that result in flawed designs that are vulnerable to attack. Errors are typically made in three areas, or layers, of system design: architecture, protocols and applications (hence the name, 3LA).

When 3LA is applied to a system, established principles of risk assessment are used at each layer to determine appropriate levels of security, based on risk acceptance, cost of risk mitigation and business context. For example, if you have outsourced your WAP gateway, to what extent do you trust the entity that operates it? Under 3LA, a system such as wireless access to customer data is analyzed in terms of trust. Trust boundaries are drawn and appropriate levels of trust are determined, resulting in a model of the system based on trust domains.

In addition, "allowed path analysis" is used to determine which data and which parts of the system have to be exposed to provide desired system functionality. Because 3LA is a multi-stage process, a system requirement which cannot be altered due to technical reasons within one layer, such as a weak hardware-specific protocol, or a gap in trust domains, such as in the WAP example, can be offset by design adjustments in the other layers.

One such design adjustment available in the WAP example is provided by Cylink, which offers an application layer security solution that rides above the WTLS layer, providing two-way cryptographic authentication between the user and the content provider's server, which ensures seamless end-to-end security and user authentication. Other solutions in this area are offered by Phone.com, whose forthcoming Secure Enterprise Proxy server will support existing WAP handsets with a technique known as tunneling. With a future version of its Up.Link client browser, also due in early 2001, Phone.com will provide a way for WAP handsets to dynamically reconnect with a company's Web site via the proxy server so even the encrypted data doesn't pass through the wireless operator's gateway. Nokia, which also sells WAP gateway software, provides security features in its current system but isn't yet able to dynamically connect client WAP devices to enterprise gateways.
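The trust-domain reasoning behind the WAP gap, and the effect of adding an application-layer encryption layer above WTLS, can be checked mechanically. The following Python model is an added example, not code from the article or from the 3LA methodology; the node names, the domain labels ("customer", "carrier", "bank") and all function names are constructed for illustration. It assumes that a node an encryption layer merely passes through sees only ciphertext for that layer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    domain: str   # who operates the node, i.e. its trust domain

@dataclass(frozen=True)
class Layer:
    name: str
    start: int    # index of the node that encrypts
    end: int      # index of the node that decrypts

def plaintext_nodes(path, layers):
    """Nodes that handle cleartext: no layer passes through them still encrypted."""
    return [n for i, n in enumerate(path)
            if not any(l.start < i < l.end for l in layers)]

def cleartext_links(path, layers):
    """Links between adjacent nodes that no encryption layer covers."""
    return [(path[i].name, path[i + 1].name) for i in range(len(path) - 1)
            if not any(l.start <= i and i + 1 <= l.end for l in layers)]

def trust_gaps(path, layers, trusted):
    """Nodes that see cleartext but are operated outside the trusted domains."""
    return [n.name for n in plaintext_nodes(path, layers)
            if n.domain not in trusted]

# Constructed scenario: a bank's customer using a WAP handset.
TRUSTED = {"customer", "bank"}
HOP_BY_HOP = [Layer("WTLS", 0, 1), Layer("SSL", 1, 2)]   # WAP 1.0 deployment
END_TO_END = HOP_BY_HOP + [Layer("app-layer", 0, 2)]     # layer riding above WTLS

OUTSOURCED = [Node("handset", "customer"), Node("wap-gateway", "carrier"),
              Node("web-host", "bank")]
IN_HOUSE = [Node("handset", "customer"), Node("wap-gateway", "bank"),
            Node("web-host", "bank")]

def report():
    return {
        "carrier gateway, WTLS+SSL": trust_gaps(OUTSOURCED, HOP_BY_HOP, TRUSTED),
        "own gateway, WTLS+SSL": trust_gaps(IN_HOUSE, HOP_BY_HOP, TRUSTED),
        "carrier gateway, app-layer added": trust_gaps(OUTSOURCED, END_TO_END, TRUSTED),
    }

if __name__ == "__main__":
    for scenario, gaps in report().items():
        print(f"{scenario}: {gaps or 'no gap'}")
```

Only the first scenario reports a gap: the carrier-operated gateway decrypts WTLS and re-encrypts with SSL, so it handles cleartext outside the trust domain of either endpoint.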

Back to the future
What we have learned from the wireless revolution so far is that security is taken seriously, but users need to keep an eye on reality. While each new version of client and server software promises improved security, the version in your handset or other mobile device may not be there yet. And your service provider might not have all of the possible security measures enabled. Beware of making false assumptions about the level of security actually implemented in your wireless systems and make sure you have them tested before going live with production data.

Despite its futuristic capabilities, wireless data access also requires a solid dose of old-fashioned common sense to achieve appropriate levels of security. Indeed, the best advice to heed amid the techno-hype surrounding wireless data is probably this: Avoid the temptation to think of information system security as a technology issue. Security always boils down to nature. From what are we protecting our data? Natural disasters and human nature, the latter being embodied in employees, customers, clients, vendors and anyone else with whom our systems connect and communicate.

That means we have to educate and encourage these constituencies to practice mobile data defense, which probably starts with dire warnings about the consequences of losing devices, and quickly moves on to the topic of password hygiene. Despite the promise of hardware tokens and biometrics for user authentication and access control, the vast majority of systems still rely on passwords, and will continue to do so for some time to come. Even our sophisticated digital certificates, which enable us to extend the protection of Public Key Infrastructure to mobile devices, are ultimately protected, in most cases, by passwords. So these need to be strong, fresh and as unique and hard to guess as possible.

Wireless data users need to ask themselves: If someone else gets hold of my mobile device, how hard would it be for them to figure out the password I chose to protect my sensitive data and connections? Fortunately, the benefits of educating wireless users about password hygiene will spill over into other areas where security could be improved, such as network workstations within the office.

Conclusions
Stronger protection mechanisms for mobile devices, such as cryptographically strong hardware tokens, voice verification and other biometrics, are under development. Until these are widely deployed, we will need to make sure users understand the importance of protecting their mobile devices, both physically and logically.

Improved protocols and smarter network architectures are also in the works for wireless data systems. The rewards for organizations that succeed in deploying wireless securely should be ample justification for the expense of putting the necessary protection measures into place.

Updated February, 2004 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).