As we explained in Learn the Basics of Handheld Security parts one and two, PDAs and smartphones are vulnerable to a vast number of security exploits. In short, if you connect your PDA to a network or computer of any sort, it is vulnerable to the same types of security vulnerabilities that plague your average laptop or desktop PC. The good news is that there is an extensive array of security products that you can use to protect your PDA. The following types of security products exist for PDAs:

· Anti-virus products
· Authentication products
· Bit wiping products
· Database security products
· Encryption products
· Firewalls
· Forensic products
· VPNs
· Wireless security products

Keep in mind that the cost of security products can add up, so you don't want to just go out and randomly purchase these products without doing your homework. First you need to determine what it is that you really want to protect. Do you need to protect all the data on your PDA or smart phone, or just certain files?

Perhaps you are more concerned with ensuring that the connection is secure when you logon to download email from your corporate intranet to your PDA? Or maybe you have a database that is storing classified information on your PDA? Does your PDA use Wi-Fi or cellular wireless networks? Or is the only connection your PDA ever makes with another computer when you hotsync it with your laptop or desktop PC? Do you use your PDA to surf the Web?

These are the types of questions you need to ask before you start shopping for PDA security products.

Select the Right Product for the Right Situation
If you never use your PDA to login to another computer, and the only time your PDA exchanges bits with another computer is when you hotsync it, chances are the best security product you can buy for it is an anti-virus product. PDAs are susceptible to numerous viruses. You don't want your PDA to send a virus to your desktop or laptop, and you wouldn't want your desktop or laptop to hotsync a virus back to your PDA.

If you are protecting classified information with your PDA, you'll surely want a product that encrypts the file or database the classified information is stored in. If you never connect your PDA with classified information to any other computers, a standalone encryption product will suffice. However, if you connect your PDA to other computers, you should really consider a Virtual Private Network (VPN) product since these products often come bundled with software that encrypts both the link and the files

Since PDAs are extremely vulnerable to becoming physically lost, or being stolen, if you have any type of sensitive information on it—whether it is credit card numbers, passwords to online bank accounts, classified information, or proprietary company secrets—you may want to consider using bit-wiping software.

This type of it software will wipe out all your sensitive information so that it can’t be accessed by unauthorized users. However, you should not use bit-wiping software unless you truly need it, as you could inadvertently delete all your own data by, say, fat fingering the keyboard and typing in the wrong password and exceeding the number of password attempts.

If you are in the military and have data on your PDA that could put human lives at risk if it were compromised, you would be crazy not to have bit wiping software on your PDA. Good bit wiping software will not only delete the data on the PDA, it will also delete the data stored in Random Access Memory (RAM), and any external memory cards that are plugged into the PDA.

If you do any Web surfing with your PDA or smartphone, you really should have a firewall installed on it. There are some security exploits that can inadvertently be downloaded through port 80, which is the port that Web surfing occurs on.

Sneakier security exploits might even use non-standard ports to download rogue security exploits. While anti-virus products are good at protecting your PDA from viruses that are transmitted through either e-mail, hotsync, or activesync, you cannot count on your anti-virus program to protect your PDA from exploits that could be transmitted from Web browsing.

Wireless
If your PDA or smartphone uses wireless connectivity, you need to understand what type of wireless connectivity it uses, and what the risks are. There are three main types of wireless connections to be concerned with:

· Bluetooth
· Wi-Fi
· CDMA, TDMA, PCS, and GSM

Bluetooth is what cordless keyboards and cordless mice use. It is also what many smartphones use to sync their Outlook contact information to their phone. Not all smartphones are Bluetooth enabled today, but in time all of them will be. Bluetooth devices typically have no built-in security that protects the Bluetooth connection. Bluetooth devices use either Bluetooth class 1, class 2, or class 3 transmissions.

If you are using a Bluetooth class 2 or 3 transmission, anyone who is intercepting your connection would in most cases have to be close enough to you that you'd see them since these transmissions are limited to 10 meters. If you are using a Bluetooth class 1 transmission, you need to take more precautions since Bluetooth class 1 can travel up to 100 meters.

Unless you are using something to encrypt your Bluetooth class 1 link, don't transmit any type of sensitive information via Bluetooth, e.g. passwords, credit card numbers, national secrets. It is worth knowing, however, that there are such things as "Bluetooth sniper guns." Bluetooth sniper guns, known as BlueSnipers, can intercept the data on Bluetooth devices from 1000 meters away capturing passwords and anything else.


Figure 1. Bluetooth Sniper Gun
(Source: Tom's Hardware Guide)

CDMA, TDMA, PCS, and GSM are the type of wireless connections a cell phone or smartphone makes. The bottom line is that without strong encryption, no one should be having conversations that put human lives at risk via a PDA or smart phone.

To secure your audio line, you need to purchase a secure mobile phone. There are no good solutions to add on an extra security product to protect your audio connection on a PDA. While I won't be covering the particulars of secure mobile phones, it is worth knowing that they do exist, and if you need one, get one.

PDAs and smartphones are generally insecure as far as auditory communications go. For transmitting data, there are some nice VPN options you can use on CDMA, TDMA, PCS, and GSM connections to encrypt the link and protect your data. If you need to transmit data securely over a cellular link, research the VPN options for your PDA to find a VPN client that works with your PDA platform.

Wi-Fi wireless connections need to connect to a wireless access point. Using Wi-Fi is like using a cordless telephone—the connection must ultimately pass through an access point that connects to a wired line and is relatively close by. To hack into Wi-Fi, the hackers have to be close to the wireless access point.

Many PDAs (and soon smartphones) come bundled with Wi-Fi, and if you use your PDA with any sort of Wi-Fi transmission, you'll want to take appropriate precautions. At the very least, you'll want to use either WPA or WEP to protect your Wi-Fi transmissions.

WEP is the minimum amount of security you'll want to enable on a PDA that uses Wi-Fi. WEP works by encrypting the wireless radio frequency between the access point and your PDA.

PDA Security Product Upshot
If you have something on your PDA you need to protect, take the time to put some security in place. The PDA security market is a nascent market, and new products appear on the market monthly.

You should also take the time to understand what vulnerabilities your PDA operating system is susceptible to. Some of the best places to learn about the vulnerabilities that affect your particular PDA are on MITRE's Common Vulnerabilities and Exposures (CVE) website, the sites of anti-virus vendors that make PDA anti-virus products, and on the United States Computer Emergency Readiness Web Team website.

Glossary

CDMA	Code Division Multiple Access
GSM	Groupe Spécial Mobile
PCS	Personal Communications Service
TDMA	Time Division Multiple Access
WEP	Wired Equivalent Privacy
WPA	Wi-Fi Protected Access