
The Always Onslaught

Always-on leaves subscribers connected all of the time, but could vulnerabilities hurt performance and cripple customer expectations?

The always-on capabilities of GPRS and 1X bring with them the always-there expectation by end users. In questioning the security of always-on, the issue for wireless carriers not only includes how iron-clad their own networks are, but what the vulnerabilities are in linking to the Internet.

Over time, the Internet has been fraught with security issues. For example, East Coast Verizon DSL customers experienced intermittent delays with their e-mail service in December. The company attributed the network problems to a flood of spam that overloaded the company's Reston, VA, servers.

Although the company was able to head off the spam that day, the backlog of real e-mail messages continued to cause delays for customers. The company deployed security equipment and software to filter out the spam, as well as extra servers to expand capacity and restore service. Verizon officials said the spam was similar to "denial of service" attacks that other Web sites have experienced.

A now-familiar Internet hiccup was caused by another recent attack. A worm known as Shockwave wreaked havoc when it circulated the Web last month. It renamed JPG, ZIP and MP3 files and sent copies of itself to all contacts in a user's Outlook address book. A worm is a virus that seeks and finds all or specific data in a user's hard drive and changes it according to specifications given by the worm's designer. In the case of Shockwave, the worm was disguised as an attachment to an e-mail message.

Trying to head off duplication of the conventional Internet's mistakes, the wireless industry met with the Federal Trade Commission (FTC) in December to identify potential security problems that could arise as the Internet goes mobile. At a 2-day conference hosted by the FTC, industry leaders admitted there are potential problems such as hacker theft of subscriber data, but nothing insurmountable.

Wirelessly Enabled

According to Mike Walters, Nokia system marketing manager for 3G, there are two distinct segments of the network that require security in the GPRS or packet environment in which the subscriber is connected all of the time. The first is between the handset and the servers or the network.

"From the technical point of view, there already is security from the handsets into the network in varying layers of security," Walters said. "We can already do 128-bit security, for instance, from a WAP handset to a WAP server."

The second segment is between the servers and the portal for an application, such as a corporate intranet. (See Figure 1.) In the instance of a corporate intranet, security would be handled as a virtual private network (VPN) tunnel between one router and another.

"If we are doing banking or e-commerce, we can do it as secure as you are on the Internet," Walters said.

Walters doesn't expect to see anything startlingly new as far as security is concerned. However, as the mobile Internet takes on applications such as m-commerce and banking, secure tunneling will take on added importance.

Using the GSM air interface as an example, Walters described current security layers.

"Classically in GSM, we have the A5 algorithm, which means everything is encrypted to begin with," Walters said. "On top of that, we use what are fairly standardized security layers in the applications that allow a handset to connect to a server - say, for instance, a WAP server, if we are doing WAP over GPRS or WAP over circuit-switch data."

Those security layers can range from requiring customers to enter challenge passwords to authenticating them against a database in which their phone numbers or equipment ID numbers are listed.

"Once we go from the wireless network into the IP world, which is from the wireless carrier over to the applications - for instance, an intranet - then we are in the same environment that the intranet is," Walters said. "At that point, we would use all of the lessons we've learned on the Internet, on filtering, on routing, on setting up VPNs. It's then pretty much standard operating procedure as how we would set up a network."

Walters said that carriers will have to be diligent in periodically reviewing the measures they set up just as they would for any other type of connection.

"It means we have to put the right information not only in the handsets but into the servers, into the networks and into the connections when we set up, say for instance, a VPN to an intranet."

Business Reticence?

Other industry officials agreed with Walters' assessment of wireless network security. And taking an it's-not-been-crippled-yet view of the Internet, some suggested it simply boils down to addressing security concerns as they arise and establishing trust relationships.

"One of the gives-and-takes in the security question is the exciting potential for new services versus the cost, or maybe the headache of plowing through the security concerns," said Jack Kozik, Lucent's e-services group director of architecture.

Kozik used the mass-market service of instant messaging (IM) communities on the Internet as an example. Carriers are rolling out mobile Internet services that link wireless phones and the presence information in wireless networks to IM, thus making the wireless phone a part of a buddy list or contact list. Although consumers are picking up the service, Kozik said enterprises are having a difficult time committing to this type of service.

"The CIO organizations and the managers of corporate firewalls say, 'Why should we open anything on the mobile Internet?'" he said.

Certainly, IT managers are reticent because they think of the worst-case scenarios. However, those are the same as in the wired Internet world. A port is open in the firewall to the Internet, whether it is to an endpoint that happens to be on a mobile network or some other place in the Internet.

"All of the denial of service, man in the middle, spoofing attacks can bring down your site," Kozik said. "Those are well-understood problems in the Internet. As those problems come up, the Internet as a whole quickly works out an architecture or security patches to heal them. The worst-case scenario is that it's not worse than anywhere else on the Internet. GPRS and 1X and 3X simply become another channel to the Internet. As long as the mobile Internet is the Internet, it will ride with the wave of security enhancements as they come out."

For example, variations on denial of service attacks that have happened on the Internet have been applied to things like SMS where there's a concentrated flow of messages. There are now filters where carriers can shut off message attacks.

According to Kozik, that's the beauty of having an architecture in which the mobile Internet is the Internet. When an attack pops up, the mobile Internet is able to take advantage of and build on the fixes that come up from it.

However, he expressed concern for the flip side of security.

"Because security concerns are very difficult, will that mean that mobile Internet services for business will forever be gated by the lack of trust and therefore be lagging?" he asked. "I hope not."

Trying to steer everything to look like the Internet and trying to enable mobile Internet services for businesses by opening firewalls isn't that much different than it was for early Internet business applications. For example, corporate firewall managers didn't initially allow any Real Audio traffic in their networks. They were afraid the volume of traffic would completely wreck their networks. When they understood the value of streaming media to their enterprises, they slowly began to open those ports in the firewall. Kozik predicted that the new services are promising enough that businesses will want to overcome the security hassles.

"I predict that some of the mobile Internet concerns will follow the same sort of path for business customers," he said. "Initially distrust, earn the trust, open up the firewall a little bit, business customers discover super-powerful features, and because they want to make it work through their corporate firewalls, they open up. Then it becomes a forcing function for security issues to be addressed."

Kozik said security certificates and the public key infrastructure (PKI) will play a role in how the mobile Internet security channels open up to business customers.

As the mobile Internet moves from today's circuit-switch technologies to the 1X and the 3X always-on technologies or GPRS, the technology will enable applications that go beyond simple WML scripts to things that look more like applets or little segments of Java code. Conceivably, handset owners could download these applets for their use. The question the terminal and infrastructure vendors are currently pondering is how do you authorize or certify that a certain applet is safe to run on a particular phone?

Although part of the concern is for security, Kozik suggested that it begins to sound too much like a gatekeeper function.

"Do you want to create an architecture that only things that have been blessed and approved by the carrier are usable on the mobile Internet?" Kozik asked. "That's a good question. The rest of the Internet doesn't operate that way. People are perfectly free to put up a Web site with an applet on it that will crash a PC. It happens sometimes. That isn't necessarily someone trying to do a security hack. It's just someone who has a bug in the Java script."

"We're not really inventing anything new here," Walters said. "The matter of security has been beaten to death in the Internet for a long time."

In spite of the blows the Internet has taken, Walters pointed out that e-commerce is growing. Five or six years ago, customers may not have felt comfortable doing their Christmas shopping on the Internet. However, today that segment has grown dramatically. People even are doing their banking on the Internet.

"It comes down to how much do I trust that security, and that's going to be a personal issue with the end users," Walters said. "I'm not saying there won't be incidences. It's like the old saying: The only thing locks do is keep honest people out. Sooner or later, someone is going to figure out a way to crash into a network. It's just like the DOJ, the FCC and the Pentagon. All of these guys have been crashed. They all have fairly elaborate security networks. If you can build a security network, someone else can figure out a way to get into it."

To some extent, the tools that hackers use are based on standard IPs. That's why you have to build the concrete firewall at the IP layer. Wireless technologies fall below that. Although there are vulnerabilities at specific lower-layer protocols in general, it's easier for hackers to focus on a really broadly deployed protocol because then it's easier to find vulnerable sites. According to John Stevens, Cayman Systems CTO and founder, it's just a matter of scale for the hackers.

"If you look at it that way, the security responsibility for the carriers and the consumers of the service are fairly similar," Stevens said. He said that is why it is important that you have a hardened OS in whatever device is connecting you to the Internet and that you have tools that will both repel attacks and detect attacks.

"You certainly want to know that you've got your front door locked, but it's also nice to be able to look at the outside of the door and see the hatchet marks and figure out who put them there. The challenge for anyone implementing security for a broadband service is to have those types of features available and useful to whoever is monitoring the security of the system. That monitoring can be done by the IT manager of the business or there are cases where the service provider offers that as part of the service either as a value-added cost or a higher end offering."

© 2012 Penton Media Inc.
