Printer Friendly Version

PDA Security Products

There are a wide variety of PDA security products on the market to protect PDAs from becoming susceptible to vulnerabilities and threats. The leading PDA security products available today are typically made for the PalmOS and WindowsCE platforms. PalmOS is bundled on PDAs made by both Palm and Handspring. WindowsCE is Microsoft's PDA operating system and comes bundled on PDAs that are marketed as PocketPCs. PocketPCs are made by a wide variety of vendors including Compaq, HP, Sony, Toshiba, and Dell.

Except for PDA security products related to hotsync functions, most of the PDA security products on the market are similar to security products for desktop systems. There are authentication products, encryption products, anti-virus products, and password products that work in similar ways as products of this type made for desktop and laptop systems.

One product that stands out as very unique to PDAs is an electronic shielding bag made by MobileCloak. PDAs typically operate in "always on" mode. If you remove the battery, you actually lose your data. (This is why end-users should hotsync their PDA regularly.) Therefore, in one sense, PDAs are never completely turned off. To ensure that wireless transmissions are protected and not leaking into wireless access points that you may not know about, you can put your PDA into an electromagnetic shielding bag while carrying it around with you.

On PDAs that have highly sensitive information that could, for example, compromise national security, you can install bit wiping packages. Bit wiping occurs when the entire memory is over-written, basically wiping out all of the data completely so that it can't be recovered even by a PDA forensics tool. Bit wiping is just a terminology for reformatting or completely erasing the stored memory. Typically, you would set-up bit wiping to kick in if the PDA was not synchronized within a certain timeframe, or if there were too many bad password attempts. However, bit wiping is not for the average everyday user. If not used correctly, bit wiping can destroy your valuable data so that even the data owner cannot recover it.

If you allow PDAs on your enterprise network, you should at the very least set up a password enforcement product that will require all your PDA end-users to supply a password for authentication. The best way to deploy a PDA password enforcement solution is to set-up a backend system to automatically install password enforcement software on the enterprise PDAs when they hotsync to their desktop hosts.

PDA Security Vendors

There are a wide variety of PDA security vendors that have products to secure your PDA. PDA vendors that seem to have particularly useful products are listed below.

PDA Security Vendors
Vendor	Product Name	Web Site	Description
Cisco	VPN 3000	www.cisco.com	VPN gateways for PDA VPN clients
FreeWarePalm	CCrypt	www.freewarepalm.com	Data encryption
Certicom	movianVPN	www.certicom.com	VPN clients for PDAs
MobileCloak	mCloak	www.mobilecloak.com	Electromagnetic shielding bag
DentonSoftware	Cradle Robber and ALP	www.dentonsoftware.com	Secure databases and authentication solutions
F-Secure	FileCrypto, SSH, Anti-Virus	www.f-secure.com	Anti-virus, encryption, and authentication solutions
Asolutions	PDA Defense	www.asolutions.com	Hotsync security and IrDa port security, database security, password enforcement, bit wiping
Pointsec	Pointsec for Pocket PC, Pointsec for PalmOS	www.pointsec.com	Encryption and authentication solutions
Paraben	PDA Seizure	www.paraben-forensics.com	PDA forensics tools
Trust Digital	PDA Secure	www.trustdigital.com	Password protection, hotsync protection, data encryption, bit wiping, VPN client

A Word to the Wise

The CERT Coordination Center at Carnegie Mellon University (www.cert.org) has been publishing advisories on information technology security threats and trends since 1988. For at least a year, CERT has been publishing information about vulnerabilities and threats that affect PDAs. With the debut of PDA-based cell phones, security vulnerabilities to PDAs and their associated hotsync hosts will only increase over time.

Not securing PDAs from viruses and all the other threats that exist increases the possibility of data corruption on the PDA itself, and on the devices to which they pass traffic. If you allow PDAs on your network infrastructure, then you need security controls and policies to keep these devices from damaging your valuable data and infrastructure. If no security controls or policies are in place for PDAs, it is best to keep them off your network infrastructure until policies and security controls can be implemented.

Keep in mind that if you leave your PDA in a taxi or a restaurant, a person finding it will likely be more interested in the device itself than in the data on the device. If you have a password enforcement package that prevents access to the device making it unusable to an unauthorized user, it is possible that a finder might be motivated to give it back. Therefore, a simple suggestion is to label your PDA with an address or phone number so that it can be returned to you in case it is recovered by an honest finder.