Wireless Week
By Brad Smith
May 06, 2003

Security, like freedom, makes demands on those who enjoy it. Just as there is no perfect freedom, there is no perfect security. It requires eternal vigilance.

As wireless telecommunications enters the digital age with its packet-data networks, new security concerns are raised and new measures must be employed. Because the millions of handsets in use offer a huge opportunity for mischievous and criminal behavior, awareness of security has to be a prime concern for network operators.

The new 2.5G and 3G networks being deployed around the world present security opportunities and challenges. On one hand, security measures have been beefed up in these network standards. But, partly because these air interfaces are getting into the realm of Internet protocols, there is a much larger group of sophisticated hackers who'd like nothing better than to break into a cellular network.

Mike Gerdes, research director for the security firm Red Siren and a member of several international security groups, says one of his concerns is network operators won't take advantage of the security measures made possible in such standards as UMTS. Security is written into the standards, but still must be implemented, sometimes by installation of additional hardware such as servers.

Gerdes fears some cash-strapped carriers will be tempted not to install security features in their networks if the security comes with a cost. In addition, Gerdes says, security is only as good as its weakest link. If a secure 3G network is connected to a less-secure 2.5G network, the subscriber could unknowingly find himself open to intruders.

Internet Connection The security expert also thinks consumers won't feel comfortable about security on wireless devices until they know their private information is safe. He compares wireless security to the Internet before Internet browsers and Web sites had security features built-in, including the padlock icon shown on Web sites that use such protective protocols as SSL (secure socket layer) for transactions.

Consumers, Gerdes says, will need to know that their personal and financial information is secure before they will use wireless networks to send this information. Fortunately, some of the same tools used on the Internet also can be used for wireless transactions.

SSL is an example. It was developed by Netscape for transmitting private information over the Internet and uses a public "key" to encrypt the data. Both Netscape Navigator and Internet Explorer use SSL and many Web sites also use it for such things as credit card information. URLs for sites using SSL normally carry the "https" designation rather than "http."

"SSL can take care of some of this," he says of wireless network encryption, "but not all. It depends on the type of services. SSL is good for some things. It provides one level of encryption of the traffic but not strong authentication." In other words, the data will be encrypted but there is no guarantee who is sending the data.

At some point, SSL will be replaced by another Internet security standard called transport layer security, which is backwards compatible with SSL but uses stronger encryption protocols.

Article continued IT Toolbox