Likelihood of a Successful Attack
In addition to looking at security from the perspective of the most common types of threats, enterprises need to consider the main potential targets of attack—the mobile device and the mobile infrastructure—which overlap in several areas.
Attacks on Mobile Devices
Attacks against a device can be made using any of the following three methods:
- Physical attacks involve stealing a wireless device and getting access to confidential information stored there, or using the device to access confidential data in the enterprise's network.
This is the easiest attack to launch because wireless devices are small and easily stolen or lost. For this reason, this method of attack poses, by far, the greatest security risk. An enterprise should secure any device that connects to its network and should fully understand the carrier's high-level security policies and practices.
- Attacks on the airlink (also called over-the-air interception) require highly specialized equipment and a high level of cryptanalytic skill and computing power. The penalty for illegally intercepting a wireless transmission is up to $250,000 and five years in prison. The cost, difficulty, and risk make this method of attack uncommon, but it is potentially very dangerous.
- Peripheral-interface attacks involve attacking a mobile device using communications other than the cellular signal, such as Bluetooth, infrared (IR), or Wi-Fi. Accessing a device through these interfaces presents risks of intrusion (from both humans and malware) and of compromising confidentiality and data integrity.
Peripheral-interface (or peripheral-port) attacks are becoming more common and are a growing concern among enterprise security experts. Users should be taught to turn on Bluetooth (and especially to make their devices Bluetooth "discoverable") only when the feature is needed. They should also change the default name in their Bluetooth settings.
Attacks on the Infrastructure
Infrastructure attacks are directed against the wireless network or the carrier's internal IT systems. Two broad categories of infrastructure attacks are denial-of-service and attempts to obtain or alter confidential information. This latter category is what the general public thinks of as "hacking."
Motivation for infrastructure attacks can be malicious or financial. Examples include stealing credit card or other financial information and modifying billing records.
An enterprise's well-run security regime can make it difficult for these attacks to succeed, but they are much more common and more likely to cause damage than are attempts at over-the-air interception.