Why the Network Can't Protect Mobile Devices from All Threats
I thought I'd write a blog entry around this, as it seems that it is a question that comes up a lot when speaking to press, operators, enterprises, and users alike. The common question is usually along the lines of: "Why not build security into the network to protect mobile devices?" In this case the “network” could be cellular, WiFi, WiMax, or a hybrid of technologies; “mobile devices” can be cell phones, SmartPhones, PDAs or laptops, among others.
Well, there are two reasons why a network can’t mitigate all the risks involving mobile devices. First, mobile devices today are not always connected via a network that is controlled by just one entity. For example, it is feasible (although in my experience, rare) within GPRS (2.5G) or UMTS (3G) to ensure that a roaming user's traffic never touches the home operator’s Gateway GPRS Support Node (GGSN) when the user is, say, accessing the Internet using a mobile device (this is dependent on the policies of the operator in question). The result of which is, if you had relied on your home operator to provide network-based protection against everything nasty on the Internet, you wouldn't have the same level of protection. This is not only true for cellular, but also with many other types of ad-hoc wireless networking we use today such as WiFi hot spots. This is especially true here in Europe, where there are strong roaming agreements in place between hotspot providers. So, although I only use one set of credentials, I can utilize many networks and paths to the Internet.
The second reason is that aside from the many different networks a mobile device may visit during a single day, there is also the non-network-based wireless communication we engage in. These days, the best example of this is Bluetooth. I won't harp on about this, as I've discussed it in previous blog entries, but what it does demonstrate is at least one instance where there is a requirement for on-device protection (in addition to other wireless technologies, such as IrDA, 802.11 ad-hoc, and soon Wireless USB, which can operate device to device, or in pico networks).
All of this creates the requirement for a comprehensive approach. While networks can provide some degree of protection, be it IPS, antivirus, or anti-spam, there is still a compelling reason for on-device protection such as antivirus, personal firewall, IPS, encryption, and (in the case of enterprises) policy deployment and compliance tools. These on-device solutions can complement network protection when in place, replace network protection when it isn’t present, and they can address threats which network protection can’t—such as the case when a device is lost or stolen.
Hopefully this addresses this question in a satisfactory manner. Also, while I do not want to wade into the frenzy regarding mobile malware that’s going on at the moment (“oh, yes there is” / “oh, no there isn’t”), I want to reiterate something I said in a recent blog posting. As the desktop environment becomes harder to exploit, attackers will look for softer targets. I suspect that mobile devices (SmartPhones in particular) are going to be those targets. While the threats exist today (our own research shows this), it will take some time for them to be gain the ground anywhere near to the degree that desktop malicious code has. However, in the meantime, we can take one of two approaches: one that uses the “we’ll deal with it when it comes around” method, or, a more proactive approach of “understand, educate and mitigate”. The first option will save money in the short term, but will potentially cost more in terms of data loss, time, and money. The second option has a very real chance of heading off a majority of the risks before they are realized, and thus stopping a repeat of the **bleep**-for-tat attack/defense world that we’ve seen on the desktop.