More and more applications are being accessed through wireless systems, including commerce, medical, manufacturing, and others. Wireless devices have become an extension of corporate databases and individuals. Their security compromises are as serious as any attack to the corporate database and may have damaging effects on the privacy of individuals and the protection of assets of an enterprise. Wireless devices include cellular phones, two-way radios, PDAs, laptop computers, and similar. These are normally portable devices with limitations of weight, size, memory, and power. The increase in functions in cellular devices creates new possibilities for attacks. Standard attacks against the Internet may now take new forms. Lists of vulnerabilities are already available, showing flaws in many existing products.
Communicating in the wireless environment has its own issues and challenges. It is characterized by relatively low bandwidth and data rates, as well as higher error rates, and the need for low power consumption (for mobile devices). The mobility of the nodes in cases such as ad hoc networks adds another significant layer of complexity and unpredictability.
There exist many different forms of wireless communications and networking.
Some popular forms of wireless communications include:
Satellite communication;
Cellular networks, Cordless systems;
Mobile Internet Protocol (Mobile IP);
Wireless Local Area Networks (WLANs) including LAN extensions, Cross-building interconnects, Nomadic access, Mobile ad hoc networks (MANETs).
The security of wireless systems can be divided into four sections:
1. Security of the application. This means the security of user applications and standard applications such as email.
2. Security of the devices. How to protect the physical device in case it is lost or stolen.
3. Security of the wireless communication. How to protect messages in transit.
4. Security of the server that connects to the Internet or other wired network. After this server the information goes to a network with the usual security problems of a wired network (not discussed here).
There is serious concern about the vulnerabilities of wireless systems. The easy access to the medium by attackers is a negative aspect compounded by the design errors in the early protocols. The US Department of Defense recently issued Directive 8100.2 that requires encrypting all information sent in their networks according to the rules of the Federal Information Processing (FIP) standard. The provision also calls for antivirus software.
On the other side, Ashley et al. arrived to the conclusion that WAP provides excellent security. It is true that Wi-Fi is becoming more secure and Bluetooth appears reasonably secure but they (and WAP) cover only some of the security layers. A basic security principle indicates that security is an all- layer problem, one or more secure layers is not enough.
Third generation systems will have voice quality that is comparable to public switched telephone networks. Voice over IP will bring its own set of security problems. The new systems will have also higher data rates, symmetrical and asymmetrical data transmission rates, support for both packet and circuit switched data services, adaptive interface to the Internet to reflect common asymmetry between inbound and outbound traffic, more efficient use of available spectrum, support for wide variety of mobile equipment, and more flexibility. All of these are the potential sources of new security problems.
Web services are not delivered directly to portable devices but transformed in the gateway. However, this situation is changing and predictions indicate that web services in cell phones will be arriving soon.
Security patterns are a promising area to help designers build secure systems. Several patterns have been found in the Bluetooth architecture, including versions of the Broker, Layers, Lookup, and Bridge patterns. However, no security patterns for wireless systems have been found yet. This is an area to explore.