SmartPhoneToday


Handheld Security: Part I - Learn the Basics

Use of Personal Digital Assistants (PDAs) continues to increase as new applications become available for them on almost a daily basis. While the PDA market has not grown as quickly in the last two years as it did in the mid and late '90s, as the U.S. economy recovers, the market will likely get a second wind. If your organization has not taken PDA security into consideration previously, now is the time to do so. While PDA security is often a forgotten piece of the security infrastructure, PDAs have the ability to transmit and receive viruses, and can be exploited in numerous ways.

PDA Security Concerns

Early market forecasts anticipated that businesses would at some point start purchasing PDAs for all their employees. While this phenomenon has not occurred on a remarkable scale, individual employees continue to purchase these handy devices out of their own pockets and link them to the corporate desktop through the backdoor. End-user ownership is not necessarily a bad thing for corporations, as it means that end-users are responsible for the support and upkeep of their own handheld devices. However, connecting these devices to the corporate desktop does create security liabilities that ought to be taken into consideration.

If businesses are going to let their employees use PDAs and connect them to the corporate desktop, they may not need to offer HelpDesk support for end-user applications, but they should establish security policies and hold employees accountable for compliance. Security policies are rules of the road: they describe rules of behavior and configuration guidelines that end-users and administrators must adhere to. Without security policies, it's hard to hold users and administrators accountable for security transgressions. In fact, if you're not going to provide your users with any security guidance at all for their PDAs, you really don't have any reason to expect they will take security into consideration.

PDA Vulnerabilities

PDAs, and smartphones that are based on PDA operating systems, are subject to the same types of vulnerabilities that affect laptops. The most predominant vulnerabilities affecting PDAs include:

· Viruses, Trojans, and worms
· Theft of the physical PDA device
· Data theft
· Mobile code exploits
· Authentication theft
· Wireless exploits
· Denial of service attacks
· TCP Session Hijacking

While PDAs are probably more likely to be a carrier of viruses than the actual target of a directed attack, it is possible for hackers to use automated port scans to identify PDAs that they can attack directly. Though the likelihood of a directed attack may not currently be high, these types of attacks can be expected to increase as Wi-Fi and CDMA (cellular) wireless access becomes more available. When used in standalone mode, and not connected to any type of network, your PDA has no vulnerability at all to direct attacks.

One of the biggest security risks to PDAs is theft of the device itself. While most PDA thieves are probably more interested in obtaining the device for their own use than in obtaining the data, any sensitive data (classified information or proprietary trade secrets) should be encrypted. While most PDAs probably do not come bundled with encryption software, add-on products exist which you can purchase separately to encrypt just about anything.

Since PDAs, smartphones, and cell phones are small and very mobile, they are easy to lose, and huge numbers get lost every year. If your PDA or smartphone is password protected, and ownership information is visible, it is possible that if you lose it, someone who finds it may be motivated to give it back, since it would be difficult for the finder to use it without the password. If you want a lost PDA to be returned to you, put a phone number in some visible location on the outside of the device. Airports have reported collecting vast amounts of handheld devices lost in the shuffle by heedless travelers.

PDA Safeguards

Fortunately, a number of products exist that can strengthen the security of PDAs in a variety of ways. If you have classified or highly sensitive information on your PDA that could impact lives or national security, you'll want to have bit wiping software installed on it. In the event that you lose your PDA, if a finder inputs the wrong password, or if the PDA is not synchronized within a certain timeframe, the data is automatically erased. No one should use bit wiping software unless they truly need it, as there exists the possibility to remove your data permanently so that even the rightful owner cannot recover it.

PDAs operate in "always on" mode, and if your PDA is Wi-Fi enabled and you're not careful, you could transmit data to wireless access points unknowingly. MobileCloak makes a nifty electronic shielding bag that you put your PDA in to prevent wireless transmissions from leaking out to unknown access points.

Anti-virus vendors are starting to port their products to PalmOS and PocketPC operating systems and a handful of VPN clients are also available for PDAs. Various encryption solutions, authentication products, and firewalls are also available for PDAs. Examples of some of the better-known PDA security products are found in Table 1.

Table 1. PDA Security Products

| Product Type | Product Name | Vendor | URL |
|---|---|---|---|
| Anti-virus, encryption, and authentication solutions | FileCrypto, SSH, Anti-Virus | F-Secure | www.f-secure.com |
| Anti-virus & logging | Security for PDAs | Kaspersky | www.kaspersky.com |
| Anti-virus & logging | Anti-virus for Handhelds | Symantec | www.symantec.com |
| Database security and authentication | Cradle Robber and ALP | Denton Software | www.dentonsoftware.com |
| Electromagnetic shielding bag | mCloak | Mobile Cloak | www.mobilecloak.com |
| Encryption | CCrypt | Freeware Palm | www.freewarepalm.com |
| Encryption and authentication solutions | Pointsec for Pocket PC, Pointsec for PalmOS | Pointsec | www.pointsec.com |
| Encryption, password protection, hotsync protection, bit wiping, VPN client | PDA Secure | TrustDigital | www.trustdigital.com |
| Firewall | Mobile Firewall Plus | Bluefire | www.bluefiresecurity.com |
| Forensics | PDA Seizure | Paraben | www.paraben-forensics.com |
| Password enforcement, hotsync security and IrDa port security, bit wiping, database security | PDA Defense | Asynchrony Solutions | www.asolutions.com |
| VPN | VPN-1 SecureClient | Check Point | www.checkpoint.com |
| VPN and encryption | MovianCrypt, MovianVPN | Certicom | www.certicom.com |
| VPN gateways for PDAs | VPN 3000 | Cisco | www.cisco.com |


PDA Security Policies for Businesses

If you're a business or organization that allows its end-users to connect their PDAs to their corporate desktop, you'll want to be sure they follow a minimum subset of policies to safeguard your corporate infrastructure. Basic policies that you may want to enforce could include the following:

· PDAs connected to the corporate infrastructure must be password protected
· While connected to a corporate desktop, the wireless port on PDAs must be disabled
· PDAs connected to the corporate infrastructure must have anti-virus software installed on them
· PDAs must be scanned for viruses prior to connecting to the corporate network
· PDAs cannot connect to the corporate infrastructure using any wireless means unless the traffic is transmitted through a secure remote access VPN
· Storing sensitive corporate information is not allowed unless it is encrypted
· PDAs connected to the corporate infrastructure must have the latest security patches installed on their operating system
· PDAs that contain classified information must have automatic bit wiping software installed on them
· Password enforcement software must be installed on all PDAs that connect to the corporate infrastructure

PDA Security Upshot

PDAs and smartphones can increase productivity and businesses and organizations should not discourage their use. However, it is important to ensure that end-users understand the vulnerabilities these devices are susceptible to. Publication on the corporate intranet of PDA security policies, and periodic reminders to read these policies, will provide safeguards that will allow your end-users to make use of PDAs, and at the same time hold them accountable for security lapses. Don't assume that your average end-user understands that their PDA is susceptible to viruses and other exploits. Businesses should articulate clear guidelines for safe usage of PDAs if they allow their usage at all.
