At the same time that mobile itinerary management apps are
opening up possibilities for business travelers to be more efficient on the
road and more effectively tracked and supported by travel managers, they also
have the potential to make travelers and their companies vulnerable to new
risks.
While some mobile apps literally can open doors for
travelers, without proper protections mobile devices can open companies to
corporate espionage, expose confidential information to theft, provide access
to previously secure enterprise networks and compromise the safety and property
of travelers.
At the same moment that some companies are embracing
itinerary management services like TripIt and WorldMate that can help them
track travelers and offer social networking opportunities to share rides or
information that can facilitate business meetings, some are beginning to clamp
down on unsecure mobile tracking solutions and unprotected company data.
"We need to have a little more conversation about where
the balance is between convenience and safety and security," travel
security company IJet president Bruce McIndoe recently told Business Travel
News.
IJet has been piloting mobility tracking solutions with a
couple of companies that McIndoe said "understand there is a certain
amount of freedom that people need to go out and surf for information and get
itinerary-related information. They're OK with that, but disclosing company
information or where you are outside of the privacy of their shell, they are
not going to allow. The TripIts and the WorldMates that put this information on
LinkedIn are not going to happen because being time- and place-predictable
increases your threat level by orders of magnitude. It's robmyhouse.com."
While acknowledging that TripIt users can decide to share
their itineraries with others, including through Facebook and LinkedIn, TripIt's
Scott Hintz, cofounder and vice president of business development, said users
have to take proactive steps to do so and can suppress any individual
itinerary. Hintz also noted that TripIt, which has relationships with BCD
Travel and more than 20 other travel management companies, has built in strong
privacy and security controls and has "passed some very detailed security
audits from major financial services institutions."
What McIndoe is concerned about, however, is "another
environment where itineraries are being exported out of the trusted provider
stream, and we need to look at who is controlling that and who has access to
that.
"When I get on LinkedIn and see three guys saying, I'm
going to be here on this trip, then if I'm a corporate espionage guy or someone
who would rob your house or go after you particularly, I have been handed that
information on a silver platter. What people don't understand is that a product
marketing manager or a senior-level person at a company or an intelligence
officer is who I want to get access to. If I know where they are and what they're
doing, that's solving 80 percent of my problem."
While individual safety and property are major concerns, the
very whereabouts of certain individuals also can compromise business deals and
competitive activities. Instead of providing an open channel to track the
movements of individual travelers, IJet is developing a more secure solution
that only informs the company of a traveler's location when the traveler is in
a secure place. McIndoe said it's "like an OnStar on your hip. It opens a
channel to an operator and transmits your location, but there's no Big Brother
watching. We're taking that model with these two clients so that we can blast
out to the devices a message that says the company would like to determine
where you are, and then you can say yes or ignore. Saying yes activates a GPS
signal that shows where they are. It's more of an opt-in strategy. I think that's
a model that will play well, ultimately."
McIndoe also warned about other pitfalls of smart devices.
Travelers who carry confidential contact lists and e-mail addresses risk them
being stolen, copied or lost. Hackers also may have the ability to enter
otherwise secure corporate intranets through the phones' virtual private
networks or Bluetooth devices.
A study of mobile telephone security published in June by independent
researchers Don Bailey and Nick DePetrillo, "The Carmen Sandiego Project,"
examined the risks posed to travelers by such telecommunications networks and
databases as GSM phones and caller ID systems. Their research shows how easily
caller ID systems can be used to identify individuals and how their mobile
devices can be used to track them and to intercept their data. It also advises
individuals and organizations about how they can mitigate such threats.
DePetrillo, who subsequently joined Harris Corp. subsidiary
Crucial Security as a security researcher, told BTN that such threats are
particularly dangerous for executives who are meeting to conduct sensitive
negotiations for potential acquisitions or in areas where they might be subject
to kidnapping.
"One of the most basic ways that companies can be
exposed to threats from their mobile phones is through their caller ID
footprint. By using techniques that we outline in our research, anyone using a
GSM phone anywhere in the world is vulnerable," DePetrillo said. "It's
not the GPS device that puts it at risk, it's the phone's back end."
When asked where a phone is currently roaming, the cellular
network will divulge the phone's general location and when the
phone's owner travels to another area. "Someone can use that information
to exploit a person, attack them or follow their behavior," DePetrillo
said. "What companies should do is contact their mobile provider and have
them make their mobile phone caller IDs unavailable or private so they won't
show up in a search."
Not all providers are vulnerable, as one in the United
States recently made changes in reaction to security concerns that mitigated
this, he said.
Through threat modeling, companies can assess risks and
create policies for employees to limit their exposure when appropriate. When
traveling on sensitive trips, employees should consider not using their regular
phone. Depending on the employee, DePetrillo said, "you might consider
switching out someone's phone every couple of months to avoid malicious
applications that create a back door to company information. Literally
unwrapping new phones ensures you are going to have a clean phone. One of the
best things a business can do is review internal policies and do proper threat
modeling for specific executives and create new policies to protect themselves.
They have to be vigilant and go the extra steps because it really could be a
billion-dollar deal that you put at risk."
DePetrillo warned that bad applications that can spy on
people or steal passwords have found their way into app stores. Data on mobile
phones also can be at risk. "Malicious code can be installed on phones not
just from an application but the operating system can be exploited through
other means," he said. "Sending malicious text messages to a user can
compromise the phone. You can only take steps to mitigate the dangers to the
cellular phones and the data stored on them, but you can never be 100 percent
protected. Users can set passwords on phones or encrypt storage memory to help
secure phones."
Research from such companies as Independent Security
Evaluators and Lookout indicates tablet computers, such as the iPad and one
coming to market soon based on the Android operating system, are just as
vulnerable as the phones via their cellular modems and Wi-Fi.
DePetrillo also cited research by Veracode's Tyler Shields
that shows that malicious applications can turn on cell phone microphones so
that an attacker can record the audio and eavesdrop on sensitive business
conversations.
To thwart such intrusions into corporate privacy, McIndoe,
DePetrillo and others recommend corporate IT departments take full control of
devices that travelers use on the road—if their corporate culture permits
it—monitor the channels through which they access the company, establish policy
and provide training for travelers using such devices.
This report originally appeared in the Oct. 25, 2010, issue of Business Travel News.