1

Seite 1

/59© R. Grimm 1

Rechner (Hosts)

Pysikalische Netze(Subnets)

Router

Security for Mobile Applications

SM2: Security of the Mobile Workplace

R. GrimmInstitute for Information Systems Research

University Campus Koblenz

/59© R. Grimm 2

Abstract

1. The electronic workplace– Servers, desktop, laptop, smartphone, PDA– Responsibilities

2. Vulnerabilities– The vulnerable areas acc. reference model

3. Communication3.1 Local access3.2 Communication lines (e.g., Bluetooth)3.3 Communication parameters3.4 Communication formats / protocols (e.g., WLAN)3.5 Communication organization (e.g., BlackBerry)

4. Security mechanisms4.1 Corporate mobile security framework4.2 Example smartphone4.3 Controlling communication lines4.4 Example TrueCrypt4.5 PGP / X509 encryption4.6 Registration of lost devices

2

Seite 2

/59© R. Grimm 3

Content

1. The electronic workplace2. Vulnerabilities3. Communication4. Security mechanisms

/59© R. Grimm 4

Devices: desk and lap

• Servers – not mobile, but responding to mobiles

– Data base, directories, enterprise applications

– Communication control• e.g. BlackBerry ES, Mail Server, Web Server

• Desktop– not mobile, but synchronized with mobiles

• e.g., Outlook diary organizer, address organizer

• Laptop– Mobile desktop

• with LAN /mobile, WLAN, UMTS card

• Subnotebook– “Easy-to-move-laptop”, e.g., iPad

3

Seite 3

/59© R. Grimm 5

Devices: hand and palm

• Mobile telephone (in German: “handy”)– Speak and play

• SMS, mp3, photos

• Smartphone– Telephone, more functions

• SMS, multimedia, games, organizer

• PDA (“Personal Digital Assistant”)– Telephone, organizer, multimedia

– esp. diary, address manager

– esp. e-mail: BlackBerry (RIM/Can)• E-mail and more via UMTS

per specific push protocol from BlackBerry Enterprise Server (BES)

/59© R. Grimm 6

Devices characteristics

• Servers, desktop– not mobile, but responding to mobiles– Synchronized with mobiles– Central data, control and backup

• Laptop, subnotebook– “Mobile desk”– Full workplace functionality– Access to network worldwide– Access to business environment worldwide

• Mobile telephone (in German: “handy”)– Conversation supplement to laptop

• PDA/smartphone– Easy-to-carry-laptop– Plus mobile telephone integrated

4

Seite 4

/59© R. Grimm 7

Responsibilities – all devices

• Manufacturer– Functional organization

– CC: security target

– Implementation and certification

• Issuer– Environment organization

– CC: trust model

– ISO 27001/2/5 (BSI-GSH): installation, integration and usage

– Parameter pre-settings

• User/admin– Parameter settings

– Appropriate usage

– Communication content

/59© R. Grimm 8

Responsibilities – servers

• Admin– Availability

– Intrusion detection

– Policy definition and enforcement

– Prove my authenticity + check your authenticities

– Avoid/correct/recover from errors, attacks

– Updates, new versions

– Cost management

– Content management

• Remote user– Prove my authenticity + check service authenticity

– Policy compliance

– Appropriate synchronization (back-reports)

5

Seite 5

/59© R. Grimm 9

Responsibilities – laptop/subnotebook (admin)

• Admin– Initial functionality

– Parameter pre-settings

– Network/business compatibility

– “BYOD”: Bring Your Own Device!

/59© R. Grimm 10

Responsibilities – laptop/subnotebook (user - 1)

• Remote user: “my device”– Safe functional environment

• Updates, new versions• parameter settings• Downloads, local installs• Error recovery• Backups

– Safe physical environment• Avoid/report loss/theft• Social engineering• Access through USB and CD

– Safe network environment• Check air interface and access points• Access through network

6

Seite 6

/59© R. Grimm 11

Responsibilities – laptop/subnotebook (user - 2)

• Remote user: “my device”– Safe business environment

• VPN• Check service• E2E encryption and authorization• Resource management

– Safe content• Protect access to notebook: PIN / biometrics• Protect content on notebook: encrypt (TrueCrypt)• Content management

/59© R. Grimm 12

Responsibilities – PDA

• Same as Laptop/notebook– Plus personal functionality (organizers)– Plus conversation (telephone, chat, SMS)

• Increased threats:– Loss of privacy → Privacy protection– Misusage → Audits– Loss of device → Disable function and content protection

• Admin– Higher demand of integration (BYOD!)– Higher demand of help desk

• Holder– Higher separation of private/business– Higher demand of synchronization– Higher demand of content protection and backups

7

Seite 7

/59© R. Grimm 13

Responsibilities – Telephone

• Admin/issuer– Conversation management (telephone, chat, SMS)

– Integration with data functionality (laptops)

• Increased threats:– Privacy, Misusage, Loss as with PDAs

– Leakage of confidential information by careless usage

• Holder– Higher separation of private/business

– Higher awareness of physical environment• Loud speaking• Faraday shield

– Higher awareness of network environment• BSC attacks, downsized encryption• Availability problems in roaming and Faraday shields

/59© R. Grimm 14

Content

1. The electronic workplace2. Vulnerabilities3. Communication4. Security mechanisms

8

Seite 8

/59© R. Grimm 15

Place in reference model

authentication

air

mobile deviceaccess point

air

mobile device authenticationaccess point

service

Alice

Bob

application object

5

5

2

2

16 3

4

4

7

7

ICT network

/59© R. Grimm 16

Areas of failure/attacks

The following areas may be broken or manipulated:

1. The ICT infrastructure

2. The air interface between a mobile device and its access point

3. The end-to-end communication between a mobile device and the application object steering device

4. A mobile device

5. The access mechanism between a mobile device and its owner

6. The end-to-end communication between two users – human beings and/or application objects

7. Persons and application environments may be attacked or manipulated

9

Seite 9

/59© R. Grimm 17

Re 2. Air interface – Requirements / Measures

• Availability of network access

– Mobile device cannot enforce (except good location)

• Authenticity of both, mobile deviceand network access point

– 2-ways authentication mob.dev. ↔ network access point

– SIM: mob.dev.→ BSC, and

challenge-resp. BSC → mob.dev

• Confidentiality of data on air

– Encryption of air interface

/59© R. Grimm 18

Re 3. E2E between devices – Requirements / Measures

• E2E authenticity between devices

– 2-ways E2E authentication protocol

• Secure identification of mobile device by partner site

– Well designed registration and selection/decision functions

• Semantic compatibility + plausibility

– Language design

– Mapping of requests and answers

• Trustworthiness of appl. service

– Control and transparency of application

– Forensics, logging, analysis of logged data

• E2E confidentiality between devices

– E2E encryption

10

Seite 10

/59© R. Grimm 19

Re 4. Mobile device – Requirements / Measures

• SW authenticity

– Authentication measures at download and install

– SW management functions

• No malfunctions

– Anti-virus, anti-spy, updates

– Security guarantees of manufacturer

– CC protection profiles and certification

• Systems up-to-date

– Default settings by seller (e.g., bluetooth etc)

– Update services

• User awareness

– Education, usability

– Update and warning functions

/59© R. Grimm 20

Re 5. Interaction user-device – Requirements / Measures

• Possibility to report loss

– Report and disable service of device issuer

– EIR – equipment identity register

• Device recognizes authorized user – Authentication procedure by device

to authenticate user (e.g., pin, biometrics)

• User recognizes the authentic device – Anti-skimming (“skim” = “absahnen”)

– C.f. money delivery at bank machines

– User and employee education

11

Seite 11

/59© R. Grimm 21

Content

1. The electronic workplace2. Vulnerabilities3. Communication

• 3.1 Local access• 3.2 Communication lines (e.g., Bluetooth)• 3.3 Communication parameters• 3.4 Communication formats / protocols (e.g., WLAN)• 3.5 Communication organization (e.g., BlackBerry)

4. Security mechanisms

/59© R. Grimm 22

Interface areas of mobile devices

mobiledevice

Communication Lines• CD tray• Plug-in card• USB• LAN cable• WLAN card (integrated)• Infrared• Bluetooth (see example below)•GSM/UMTS card

Local Access• Login to device• Encrypted areas (TrueCrypt)• Encrypted data (PGP)• Stored passwords• Safe copies• External hard disk

specific for mobile devices

12

Seite 12

/59© R. Grimm 23

Interface areas of mobile devices

Communication parameters• Cookies• Contact data, addresses• Production numbers for protected SW• UserId/PW for external services• Certificates/PKI (see below)• X.509 / PGP keys for encryptionand signature

• Privacy policies• P3P preferences / privacy bird

Communication formats• GSM voice• UMTS data• Ethernet data• WLAN access (s. below )

• Chat• E-mail, FTP, Web (HTML)• Web-Services (SOAP)

• e.g. “mobile PKI”• P2P• Proprietary (programmed

application)• e.g. Organizer• e.g. BlackBerry(see example below)

mobiledevice

/59© R. Grimm 24

3.1 Local Access – Login and content protection

Loginpasswordbiometricsbrute access to

physical disk

Contentfreeor encrypted (password)

usagegranted

accessdenied

usagedenied

accessgranted

Protect lost devices(see TrueCrypt example below)

13

Seite 13

/59© R. Grimm 25

3.2 Physical communication lines – Example Bluetooth

• Replace cables ~10-100 m• 2,4 GHz (ISM band), frequency hopping• EDR – enhanced data rate

– 2.1 MBit/s, 7 parallel connections

• Data packets:– 72 bits access code, 54 bits header, 0-8168 bits payload

• Error correction (yet error-prone)• Application profiles,

– e.g. head set, printer, audio distribution, video remote control

(See extra lectures on mobile technology, SM3, SM4)

/59© R. Grimm 26

Bluetooth security

• Security concerns– Connection intrusion (e.g., BTCrack – Bluetooth Crack Tool)

– Unauthorized access to device through Bluetooth

– Eavesdropping

– Data and communication manipulation

– Denial of connection (error, flooding)

• Security modes:1. No authentication, no encryption, frequency hopping

2. Service level: encryption/authentication by applications

3. Link level: mandatory authentication optional encryption

(See extra lectures on mobile technology, SM3, SM4)

14

Seite 14

/59© R. Grimm 27

3.3 Communication parameters – access to external se rvices

• Passwords are stored in browser data base– Available to any user who has access to device functions

– Threatened by lost devices

– Threatened by social engineering

• Solutions:1. Don’t store passwords

2. Use protected password manager, e.g. USB stick-based

3. Use signature keys. e.g. X,509 PKI (see X.509 below)

4. Use single sign-on with signature keys (later lecture)

/59© R. Grimm 28

3.4 Communication protocol – Example WLAN

• Wireless access to network resources (data, printers, etc.)• Wireless access to Internet

– at home

– in the office

– at public places (hot spots)

air

access point /router

Internet

networkmobile device

15

Seite 15

/59© R. Grimm 29

WLAN technical data

• IEEE standards group 802.11 since 1990• Send-receive range: 30-100 m• Frequency 2,4 GHz or 5 GHz (license-free ISM-Band)

Gross data transfer rates:– 802.11b: 11 Mb/s

– 802.11g: 54 Mb/s

– 802.11h: 54 Mb/s

– 802.11n: 300 Mb/s

/59© R. Grimm 30

WLAN threats and requirements

• Eavesdropping (passwords, communication content)– Required: confidentiality of air interface

⇒ Mechanism: encryption of air communication

• Illegal access– Required: authorized users

⇒ Mechanism: authentication protocol, e.g. EAP

• Manipulation of data– Required: integrity of data

⇒ Mechanism: MAC and encryption of air communication

• Denial of service– Required: protected hardware, access control

⇒ Mechanism: awareness, firewall, user authentication

16

Seite 16

/59© R. Grimm 31

WLAN security protocols

authentication encryption

without

WEP

WPA

WPA2

MACno encryption

WEP-Auth.fixed keys - RC4

without

without

TKIP (temporary key integrity) - RC4

AES - CBC-MAC

PSK

without

EAP

802.1x

PSK

MAC

without

MAC

without

MAC

without

(PSK = Pre-Shared Key:Password, known by all participants, only good for small networks)

Access Client(mobile device)

Authentication Server(RADIUS)

/59© R. Grimm 32

WLAN Extensible Authentication Protocol EAP

2

authentication server

1 deliver ID token (user-id+pw or smartcard)

air

mobile deviceaccess point

negotiate connection to server

identity response – user info

auth token request

auth token response

success / master key

protected communicationand key management

EAP3

45

6

802.1X

7

PPP RADIUS

17

Seite 17

/59

EAP over RADIUS

• EAP between access client and RADIUS server

• RADIUS client = access server = pass-through device passing EAP messages between the access client and the RADIUS server

• An EAP message sent between the access client and access server is formatted as the EAP-Message RADIUS attribute (RFC 2869, section 5.13), and sent in a RADIUS message between the access server and the RADIUS server

• Different EAP types to be negotiated:TSL (SSL), OTP, MD5 challenge, any

© R. Grimm 33

authentication server

air

mobile deviceaccess point

PPP, e.g. CHAP (*) RADIUS

RADIUS server

access clientRADIUS client =access server

(*) Challenge Handshake Authentication Protocol

/59© R. Grimm 34

3.5 Communication organization – Example BlackBerry

• Canadian enterprise „Research In Motion (RIM)“ (1999)• Electronic communication (E-mail, Web, IM)• Synchronized Personal Information Manager (PIM:

Dates, contacts etc.)• Enterprise data• Clients-server proprietary protocol• Network access via GPRS/EDGE, UMTS, or WLAN

• Functions• Organization of communication• Security• Privacy

18

Seite 18

/59© R. Grimm 35

BlackBerry – functions

• Push-service in small (2K) text data portions• Alert signal to handheld on reception of data• Filter and synchonization by BlackBerry Enterprise

Service• E-mail, Web, IM• PIM (diary, contacts etc.)• Enterprise data• GPS positioning

/59© R. Grimm 36

BlackBerry – organization of communication

• BlackBerry handhelds• Other handhelds via BlackBerry Connect

1. BlackBerry services– E-mail, IM and Web server

– Communication via BlackBerry

– Forward settings by user

2. Individual enterprise solution– BES – BlackBerry Enterprise Server

(filters BlackBerry communication)

– Integration of enterprise E-mail, IM, Web

– Back office services (as usual)

19

Seite 19

/59© R. Grimm 37

BlackBerry Mobile Data System

BlackBerry® Mobile Data System (BlackBerry MDS) v4.1 is an optimizedapplication development framework for the BlackBerry® Enterprise Solution.[RIM 2006]

E-mail

InstantMessaging

BlackBerryConnectDevices

BlackBerryWeb and E-mail Servers

/59© R. Grimm 38

BlackBerry security concerns

• Unauthorized access to handheld, e.g. on stolen device• Unauthorized reading of handheld content, e.g. from lost

devices• Eavesdropping on air and in the Internet during

BlackBerry communication• Integrity attacks on server and handheld data• Malfunctions by downloaded software

• Misusage (vs. privacy)

20

Seite 20

/59© R. Grimm 39

BlackBerry security means (1)

– Unauthorized access to handheld, e.g. on stolen device

– Unauthorized reading of handheld content, e.g. from lost devices

– Integrity attacks on server and handheld data

• Enforcement of strong passwords• Device blocked after pre-defined time• Periodic challenge: password prompt in predefined time-

intervals, idle and busy• Encryption of handheld data

/59© R. Grimm 40

BlackBerry security means (2)

– Eavesdropping on air and in the Internet during BlackBerry communication

– Integrity attacks on server and handheld data

• E2E encryption by Triple-DES (112 bit keys) and AES (256 bit keys) between handheld and BES

• Individual symmetric keys between handheld and BES• Key-exchange forced by BES administrator• Key-exchange forced by handheld user („paranoia

button“)

21

Seite 21

/59© R. Grimm 41

BlackBerry security means (3)

– Malfunctions by downloaded software

– Misusage (vs. privacy)

• Restriction of functions possible– e.g. SMS, MMS, games, camera, external storages (Micro-SD)

• External remote administration– Push of policies

– OTA (“Over-The-Air”) download control

– OTA upgrades

– OTA „Erase Data and Disable Handheld” command (for lost device!)

/59© R. Grimm 42

BlackBerry privacy concerns

• Security means against misusage– Complete audits

– Copies of all communication to central admin server

– OTA control over handhelds

• Privacy challenge:– How to deal with these control features

– How to protect communication profiles

– How to protect communication content

⇒ organizational means by data protection audit team

22

Seite 22

/59© R. Grimm 43

Content

1. The electronic workplace2. Vulnerabilities3. Communication4. Security mechanisms

• 4.1 Corporate mobile security framework

• 4.2 Example smartphone

• 4.3 Controlling communication lines

• 4.4 Example TrueCrypt

• 4.5 PGP / X509 encryption

• 4.6 Registration of lost devices

/59© R. Grimm 44

4.1 Corporate mobile security framework (1-6)

• Security basis• Protection of device• Protection of communication• Protection of information and data• Protection of assets and resources• Technical solutions

M. Geldermann (2006)

23

Seite 23

/59© R. Grimm 45

Corporate mobile security framework (cont. 1)

• Security basis– Security Policy

– Organizational framework

– Central administration of• devices, software, keys, access rights

• Protection of device• Protection of communication• Protection of information and data• Protection of assets and resources• Technical solutions

/59© R. Grimm 46

Corporate mobile security framework (cont. 2)

• Security basis

• Protection of device– Access protection to device functions

– Encryption of content data

– Backup of content data

– Report and disable register for lost devices

• Protection of communication• Protection of information and data• Protection of assets and resources• Technical solutions

24

Seite 24

/59© R. Grimm 47

Corporate mobile security framework (cont. 3)

• Security basis• Protection of device

• Protection of communication– E2e encryption of conversation and data exchange

– SPAM filter

– Firewall against attacks

• Protection of information and data• Protection of assets and resources• Technical solutions

/59© R. Grimm 48

Corporate mobile security framework (cont. 4)

• Security basis• Protection of device• Protection of communication

• Protection of information and data– DAC for read/write/administration

– Remote deletion of content for misused/lost devices

• Protection of assets and resources• Technical solutions

25

Seite 25

/59© R. Grimm 49

Corporate mobile security framework (cont. 5)

• Security basis• Protection of device• Protection of communication• Protection of information and data

• Protection of assets and resources– Usability of devices

– Easy update services

– Easy roll-out and training

– Access and usage control for central enterprise data

– Audits for device usage

• Technical solutions

/59© R. Grimm 50

Corporate mobile security framework (cont. 6)

• Security basis• Protection of device• Protection of communication• Protection of information and data• Protection of assets and resources

• Technical solutions– Encryption, both symmetric and PK

– PKI, key management

– Encryption and authentication for data and conversation

– DAC service

– Protected storages on devices

– Firewalls, anti-virus, anti-spy

– Audit service

– Report, disable services

26

Seite 26

/59© R. Grimm 51

4.2 Example smartphone (1)

• Backup of content data– Sync software, exchange server

– Encrypted communication with backup:exchange server uses https

– Micro-SD-cards (*) for external card readers:beware unencrypted storage!

• PIN protection– access to SIM card

– after every 20-30 idle minutes

• Password sitter for mobiles• Bluetooth and WLAN parameters• PK certificates for signature and encryption

(*)SD = SanDisk (corporate name)

/59© R. Grimm 52

Smartphone (2, cont.)

• Disable lost devices• Beware IMSI catcher (how to check??)

– E2E security, e.g. encrypted telephone calls

• Beware encryption downsize– Weak connection signal

• Beware software download– Trustworthy sites

• Personal behavior:– Signal tones with appropriate loudness

– Don‘t shout into mobile phone (privacy)

27

Seite 27

/59© R. Grimm 53

4.3 Controlling communication lines

• CDs / USB sticks – don’t execute every lousy .exe• Plug-in card – use e2e security like VPN• LAN cable – VPN if remote • WLAN – protect your WLAN at home /

on business• Infrared – disable if not used• Bluetooth – see below (and disable if not used!)• GSM/UMTS card – VPN for data,

smartphone rules for conversation• GSM encryption – of air interface (automatically)• E2E encryption – of telephone conversation• E2E encryption – of programmed proprietary

applications (BlackBerry, Remotile, …)

/59© R. Grimm 54

4.4 Encrypt your local content – TrueCrypt

• Encrypt files, directories, partitions, devices• Password-protected encryption key• Password prompt at “mounting” process• Decrypted area is “linked” to the work place• Many symmetric encryption algorithms supported

incl. AES and Triple-DES• Volume sizes up to many GB possible• Hidden volumes

28

Seite 28

/59© R. Grimm 55

TrueCrypt:

Decrypted file mounted as “device H”

/59© R. Grimm 56

4.5 X.509 Signature and Encryption

• Registration• Certification• Integration in Web and E-mail• Usage

• Secure communication integrated in a hierarchic PKI• Example: DFN / TERENA / Eduroam

29

Seite 29

/59© R. Grimm 57

Equipment Identity Registerfor lost devices

4.6 Report and disable service of lost devices

MS BTS

BTS

BTS

BSC

BSC

VLR

HLR

MSC

AUC

EIR

OMC

Radio Subsystem Network and Switching Subsystem

Operation Subsystem

/59© R. Grimm 58

Report of lost devices

• Admins’ duty : to install– Report service

– Help desk

– Emergency telephone and disable service

– Authentication procedures through EIRs

• Users’ duty : to keep knowing– Telephone numbers and registration sites for

• Lost EC cards• Lost credit cards• Lost mobiles/PDAs• Lost laptops

30

Seite 30

/59© R. Grimm 59

Summary: What we‘ve learnt

• Devices need protection in different areas– See for example, the corporate mobile security framework

• Responsibility of manufacturers, issuers, admins, users• Organizational integration and control• Technical solutions

• There are efficient security tools available– WLAN protection, Bluetooth encryption, TrueCrypt local protection– Password sitter, backup syncs, signatures– and more…

• User education and awareness!

/59© R. Grimm 60

References (all links checked April 2015)

Mobile Security:Boyles, Jan Lauren; Smith, Aaron; Madden, Mary: Privacy and Data Management on Mobile

Devices. Pew Research Center’s Internet & American Life Project, Washington, D.C., Sep. 2012. http://pewinternet.org/Reports/2012/Mobile-Privacy.aspx [22.4.2015]

Geldermann, Martin (2006): Corporate Mobile Security, Sep 2006, in http://www.securitymanager.de/magazin/corporate_mobile_security_ein_neues_sicherheitskonzept_fuer.html --- outdated. Look for “enterprise mobile security” instead

BlackBerry:BlackBerry Mobile Data System (MDS), Features and Technical Overview,

http://docs.blackberry.com/en/admin/deliverables/20998/BB_MDS_267706_11.jsp [22.4.2015]

Dave Mabe (2005): What is a BlackBerry? Wireless DevCenter, O’Reilly, www.oreillynet.com/pub/a/wireless/2005/09/15/what-is-blackberry.html [22.4.2015]

Research In Motion (RIM) Limited (2006): BlackBerry Mobile Data System - A Development Framework for Wirelessly Extending Applications. http://www.rim.com /symposium/press/pdf/BlackBerry_MDS_brochure_lowres_022006.pdf [22.4.2015]

WLAN:Grimm, R.; Hundacker, H.; und Meletiadou, A. (2008): Anwendungsbeispiele für

Kryptographie. Arbeitsberichte aus dem FB Informatik, Nr. 2/2008, Univ. Koblenz,http://www.uni-koblenz-landau.de/de/koblenz/fb4/forschung/publications/Reports [22.4.2015]

31

Seite 31

/59© R. Grimm 61

Questions to check your knowledge

1. List responsibilities of manufacturers, issuers and users of mobile devices for the maintenance of their security.

2. List responsibilities of laptop users for the maintenance of their security.3. Which communication lines are subject to security concerns of mobile devices?4. Suggest a security means to protect a lost device against brute force reading of

hard disk by an unauthorized person. (e.g., OTA delete command (BlackBerry), encryption of content (TrueCrypt))

5. Map security concerns of BlackBerrys (or of another handheld family) on appropriate security means to protect the handhelds.

6. Discuss privacy concerns of BlackBerrys.7. Sketch the corporate mobile security framework. Explain some of the technical

functions (three at least).8. How does TrueCrypt help to protect content of laptops even if the laptop is

stolen? How does the authorized user get access to the protected content?

/59© R. Grimm 62

Testfragen

1. Nennen Sie die Verantwortlichkeiten der Hersteller, der Auslieferer (Betreiber) und der Nutzer von Mobilgeräten für die Sicherheit der Geräte.

2. Nennen Sie die Verantwortlichkeiten der Laptop-Nutzer für die Sicherheit ihrer Laptops.

3. Welche Kommunikationsschnittstellen von Mobilgeräten sind sicherheitsgefährdet?

4. Machen Sie einen Vorschlag dafür, wie ein verlorenes Mobilgerät dagegen geschützt werden kann, dass ein unberechtigter Nutzer die Daten durch direkten Zugriff auf die Festplatte (oder die Micro-SD) ausliest. (z.B. OVT-Löschkommando (BlackBerry), oder Festplattenverschlüsselung (TrueCrypt))

5. Ordnen Sie den Sicherheitsbedrohungen von BlackBerrys (oder einer anderen Handheld-Familie) angemessene Sicherheitsmaßnahmen der Handhelds zu.

6. Diskutieren Sie Datenschutzprobleme der BlackBerrys.7. Skizzieren Sie den Sicherheitsrahmen der betrieblichen Sicherheit für

Mobilgeräte („corporate mobile security framework“). Führen Sie zumindest drei zugehörige technische Lösungen aus.

8. Wie hilft TrueCrypt den Inhalt von gestohlenen Laptops zu schützen? Wie greift der berechtigte Nutzer auf den geschützten Inhalt zu?