Mobile Security

Mobile Devices

With the trend toward a highly mobile workforce, the acquisition of handheld devices such as Personal Digital Assistants (PDAs) and PC tablets is growing at an ever-increasing rate. These devices offer productivity tools in a compact form and are quickly becoming a necessity in today’s business environment. Many manufacturers make handheld devices using a broad range of hardware and software. Handheld devices are characterized by small physical size, limited storage and processing power, restricted stylus-oriented user interface, and the means for synchronizing data with a more capable notebook or desktop computer. Typically, they are equipped with the capability to communicate wirelessly over limited distances to other devices using infrared or radio signals. Many handheld devices can also send and receive electronic mail and access the Internet.

While such devices have their limitations, they are nonetheless extremely useful in managing appointments and contact information, reviewing documents, corresponding via electronic mail, delivering presentations, and accessing corporate data. Moreover, because of their relatively low cost, they are becoming ubiquitous within office environments, often purchased by the employees themselves as an efficiency aid. Unfortunately, several major issues loom over the use of such devices, including the following items:

Because of their small size, handheld devices may be misplaced, left unattended, or stolen.
User authentication may be disabled, a common default mode, divulging the contents of the device to anyone who possesses it.
Even if user authentication is enabled, the authentication mechanism may be weak or easily circumvented.
Wireless transmissions may be intercepted and, if unencrypted or encrypted under a flawed protocol, their contents made known.
The ease with which handheld devices can be interconnected wirelessly, combined with weak or no authentication of the parties involved, provides new avenues for the introduction of viruses or other types of malicious code, and also other forms of attack such as a man-in-the-middle attack.

Mobile Agents

Mobile agents are autonomous software entities that can halt their execution, transport themselves to another agent-enabled host on the network, and continue their execution on the new host, deciding where to go and what to do along the way. Mobile agents are goal-oriented, adaptive, can communicate with other agents, and can continue to operate even after the machine that launched them has been removed from the network.

Mobile agent applications are currently being developed by industry, government, and academia for use in such areas as telecommunications systems, personal digital assistants, information management, on-line auctions, service brokering, contract negotiation, air traffic control, parallel processing, and computer simulation.

The mobile agent computing paradigm raises several security concerns, which are one of the main obstacles to the widespread use and adoption of this new technology. Mobile agent security issues include authentication, identification, secure messaging, certification, resource control, non-repudiation, trusted third parties, and denial of service. Moreover, mobile agent frameworks must be able to counter new threats: agent hosts must be protected from malicious agents, agents must be protected from malicious hosts, and agents must be protected from other malicious agents.

Resources

Further Reading

A Location-Based Mechanism for Mobile Device Security, World Congress on Computer Science and Information Engineering, March 2009. Wayne Jansen, Vlad Korolev.

Guidelines on Cell Phone and PDA Security, SP 800-124, October 2008. Wayne Jansen, Karen Scarfone.

Fingerprint Identification and Mobile Handheld Devices: An Overview and Implementation, NIST IR 7290, Mar 2006. Wayne Jansen, Ronan Daniellou, Nicolas Cilleros.

Smart Card Authentication for Mobile Devices, Australian Information Security Management Conference, September 2005. Wayne Jansen, Serban Gavrila, Clément Séveillac.

Proximity-Based Authentication for Mobile Devices, The 2005 International Conference on Security and Management (SAM’05), June 2005. Wayne Jansen, Serban Gavrila, Vlad Korolev.

A Unified Framework for Mobile Device Security, The 2004 International Conference on Security and Management (SAM’04), June 2004. Wayne Jansen, Vlad Korolev, Serban Gavrila, Thomas Heute, Clément Séveillac.

Authenticating Mobile Device Users Through Image Selection, Data Security 2004. May 2004. Wayne Jansen.

A Framework for Multi-Mode Authentication: Overview and Implementation Guide, NISTIR 7046, August 2003. Wayne Jansen, Vlad Korolev, Serban Gavrila, Thomas Heute, Clément Séveillac.

Picture Password: A Visual Login Technique for Mobile Devices, NISTIR 7030, July 2003. Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick Ayers, Ryan Swanstrom.

Security Policy Management for Handheld Devices, The 2003 International Conference on Security and Management (SAM’03), June 2003. Wayne Jansen, Tom Karygiannis, Michaela Iorga, Serban Gavrila, and Vlad Korolev.

Authenticating Users on Handheld Devices, Proceedings of the Canadian Information Technology Security Symposium, May 2003. Wayne Jansen.

Policy Expression and Enforcement for Handheld Devices, NISTIR 6981, May 2003. Wayne Jansen, Tom Karygiannis, Vlad Korolev, Serban Gavrila.

Assigning and Enforcing Security Policies on Handheld Devices, Proceedings of the Canadian Information Technology Security Symposium, May 2002. Wayne Jansen, Tom Karygiannis, Serban Gavrila, and Vlad Korolev.

Secure Routing and Intrusion Detection in Ad Hoc Networks, Third IEEE International Conference on Pervasive Computing and Communications, Kauai Island, Hawaii, March 8-12, 2005. A. Patwardhan, J. Parker, A. Joshi, A. Karygiannis and M. Iorga.

Intrusion Detection with Mobile Agents, Computer Communications, Special Issue on Intrusion Detection Systems, vol. 25, num. 4, September 2002. Wayne Jansen.

Determining Privileges of Mobile Agents, Proceedings of the Computer Security Applications Conference, December 2001. Wayne Jansen.

A Privilege Management Scheme for Mobile Agent Systems, First International Workshop on Security of Mobile Multiagent Systems, Autonomous Agents Conference, May 2001. Wayne Jansen.

A Denial-of-Service Resistant Intrusion Detection Architecture, Computer Networks, Special Issue on Intrusion Detection, Elsevier Science BV, November 2000. Peter Mell, Donald Marks, and Mark McLarnon.

Countermeasures for Mobile Agent Security, Computer Communications, Special Issue on Advanced Security Techniques for Network Protection, Elsevier Science BV, November 2000. Wayne Jansen.

Privilege Management of Mobile Agents, National Information System Security Conference, October 2000. Wayne Jansen and Tom Karygiannis.

Mobile Agent Attack Resistant Distributed Hierarchical Intrusion Detection Systems, Second International Workshop on Recent Advances in Intrusion Detection, September 1999, Purdue University. Peter Mell and Mark McLarnon.

Applying Mobile Agents to Intrusion Detection and Response, NISTIR 6416, September 1999. Wayne Jansen, Peter Mell, Tom Karygiannis, and Don Marks.

Mobile Agent Security, National Institute of Standards and Technology, Special Publication 800-19, August 1999. Wayne Jansen and Tom Karygiannis.

Agents for the Masses: Is It Possible to Make Development of Sophisticated Agents Simple Enough To Be Practical? IEEE Intelligent Systems, Special Issue on Agents, May-June 1999. Jeffrey M. Bradshaw, Mark Greaves, Heather Holmback, Wayne Jansen, Tom Karygiannis, Barry Silverman, Niranjan Suri, and Alex Wong.

Mobile Agents and Security, Canadian Information Technology Security Symposium, May 1999. Wayne Jansen.

Network Security Testing Using Mobile Agents, The Third International Conference and Exhibition on The Practical Application of Intelligent Agents and Multi-Agent Technology, London, UK, March 1998. Tom Karygiannis.
