Just How Dangerous Are PDAs?

John in marketing went out on Saturday and spent his bonus on a shiny new handheld computer. He has spent the weekend playing with it, and now he's trying to install the handeld's back-up software on his work PC.

Should his IT manager stop him? Company policies range from laissez faire to completely banning outside devices, for fear of opening the network to the risk of attack. With virus companies offering firewalls and virus scanners for PDAs (personal digital assistants), do companies need to worry or is it all hype to sell more security software?

Users, analysts and even security companies agree that the threat of PDA viruses is low to nonexistent right now. First, the devices themselves aren't yet sophisticated enough to execute very complicated code, including malicious code. Second, at the moment, there isn't a large enough number in use to make it worth a hacker's effort. But perhaps this is the time when companies should start looking at how they will manage when PDA viruses do, inevitably, start to appear.

There have, so far, been very few instances of PDA-focused malware or malicious code, Laura Garcia-Manrique, a Symantec group product manager said.

"In August 2000, we saw the first examples: three trojans written for the Palm operating system (OS). Since then, there's been one virus, written for Windows with a combined payload that got delivered to the Palm when it was synched. But that's it. That's everything we've seen," Garcia-Manrique said. The combined virus was found in October 2001 and nothing has been seen since, she said.

But that doesn't mean management or users can be complacent, Garcia-Manrique said. Malicious code will be written for handheld devices as soon as the installed base of devices is big enough, "and I can see that happening probably within two years," and as the communications capacity of the devices grows, she said.

The concern about PDA viruses has changed, said Garcia-Manrique, in that in 2000 most of the concern was from users themselves, worried about what could happen to personal devices they had bought for themselves. Now many companies provide them for staff, and IT managers are looking at the effect they have on the network.

Mervyn Eyles, UK infrastructure manager at Honda Motor Company Ltd., said his company used to supply PDAs to staff, but stopped doing so some 18 months ago. Since then, he said, they just manage whatever devices staff choose to buy.

While Eyles recognises the risks posed by viruses, "any mobile device brings the same risks. As do disks. We have a fair degree of confidence in our virus protection software, and it's already saved us from some big viruses," he said.

The software on PDAs is a limiting factor for malicious coders, Garcia-Manrique said. "The version of (Microsoft's) Outlook on a Pocket PC device doesn't have the same capacity to execute code as the version on a PC, so script viruses wouldn't operate, and nor would macro viruses, as macro code doesn't execute on a Pocket PC device. It's the scripting capabilities that open the door for malicious code," she said.

The limited scripting environment, which doesn't support Visual Basic, means that most malicious code won't operate, agreed Steve Crayson, a device specialist with Microsoft EMEA (Europe, Middle East and Africa) Mobile Devices Division.

"In three years using a Pocket PC, I've never seen a virus," Crayson said. There has been plenty of hype about the danger, "but I'm not aware of any real threats. And I download all sorts of applications all the time," he said.

However, hackers will undoubtedly use PDAs to get at PCs and networks in future, Garcia-Manrique said. "Viruses are transmitted using the most popular communication methods, and today that's (regular) e-mail. Ten years ago it was floppies. Once the (PDAs) have 802.11 LAN access and direct Internet connections, you get much more information flowing back and forth and the door is much more open."

Jack Clark, product marketing manager for Network Associates, sellers of McAfee antivirus products, agrees with the floppy analogy. "The PDA is the modern version of the floppy, but with much greater storage. I've seen it happen myself. I synched my handheld with my PC and it picked up a virus I'd received by e-mail." That virus had been written for PCs, he said, not for the PDA itself.

McAfee has developed antivirus and firewall products for PDAs, he said, not because it believes that dangerous code is rife but because hackers "have demonstrated that it's possible. And so we're just saying let's get firewalls and scanning on there, close the door before the horse bolts."

From an organisational viewpoint, Clark said, the first step is to find out where the vulnerabilities are. "Scan your network and find ... where the PDAs are connecting."

Symantec, too, offers security products to ease these concerns, but Garcia-Manrique stresses that, so far, it's more important to watch what's happening with wireless laptops. "The impact to the network hasn't really changed with PDAs. The perimeter is extended a little, but the recommendations are the same. You need integrated security across all devices," she said.

Other mobile devices

If PDAs aren't such a big concern, what about the other ubiquitous mobile device in every office — the mobile phone? Modern mobile phones can give access to e-mail and company documents too. Are they a cause for concern?

It is harder for Microsoft to control the security on its smart phone products than on PDAs, Steve Crayson, a device specialist with Microsoft EMEA (Europe, Middle East and Africa) Mobile Devices Division said. "We let the mobile operator choose whether it's locked to third party developers or not, whether they demand that applications have been assigned digital signatures." For the most part they do, he said, because they want to protect their networks from trouble.

However, there is a strong push from developers wanting access to the devices to run their own applications, and several have proved that the phones can be unlocked to accept unauthorised code. On developer Web sites earlier this year, for example, users discussed how to unlock the security on Orange SA's SPV Smart Phone.

Now is the time to look at the security on phones, before the problem grows too large, said Alyn Hockey, director of Clearswift's Future Products Group. There are relatively few smart phones in use, so a virus wouldn't get mass distribution at the moment, he said.

And while developers may like to add their own software, anyone who unlocks the security on their phone has to recognise how vulnerable they make themselves, he said "It's like taking all the locks off your front door."

Craig Heath, strategic product manager, security, at Symbian says that "malware is typically quite small, a few K at most," and so even the more limited operating system on a smart phone, compared to the average PDA, represents a potential danger if it has access to a company's network.

"It's a difficult risk to quantify. I wouldn't say there's no need to worry, but I wouldn't say you should throw your phone in the bin. Certainly, phones with open operating systems that allow third party development are more vulnerable, because you have to give people access to the development kit," he said.

Symbian works with antivirus companies to ensure scanning software works with its OS, and also with the device manufacturers on certification programs, Heath said. "(But) we are very much at the mercy of licensees, who choose what software to put on the phones," he said.

Users also have to recognise that they have an "obligation of care," Heath said, "and not go installing any old rubbish that people send them."

Copyright © 2003 IDG Communications, Inc.

The 10 most powerful cybersecurity companies