Information Technology Centre

Security of mobile devices

Mobile devices include laptops/notebooks, mobile phones, PDAs, smartphones as well as accessories such as USB sticks, memory cards, external hard drives, wireless headsets/keyboards, CDs/DVDs. These devices are characterised by the fact that they are relatively small and easy to transport. They are often used outside the "secure" office environment or connected to the Internet via networks other than the office's "secure" wired data network. Sensitive information such as passwords, contact details, documents, etc. is often stored on these devices.

In principle, the same "golden rules" apply to mobile devices as to permanently connected end devices. However, the nature of these devices brings further risks that require separate consideration. Such hazards include, for example:

  • a higher risk of theft/loss (including from office premises),
  • working in "public environments" where bystanders can visually read the information displayed on the device,
  • data traffic via insecure infrastructure (e.g. hotspots, unsecured home networks, ...),
  • the use of wireless interfaces beyond the "secure" cable infrastructure in the office (e.g. WLAN, Bluetooth, infrared, ...),
  • data loss due to hardware damage (e.g. external hard drives) or empty buffer batteries (e.g. PDAs),
  • shared use by family members,
  • the necessity to hand over the device in the course of a repair, when entering a sensitive area (e.g. in companies with a mobile phone/camera restriction) or at border controls.

Possible damage scenarios are

  • loss of the device,
  • loss of data,
  • disclosure of sensitive information,
  • costs due to misuse of the device by a third party (e.g. by "externally controlled" dialling into a mobile phone network).

The following recommendations are intended to help minimise these risks:

  • Do not leave a device unattended or in a place where it is not clearly visible.
  • When leaving a device for a short time, you should secure it to a fixed object if possible. Even a thin wire rope with a Kensington lock will deter opportunist thieves.
  • Record and take inventory of the serial numbers of devices. In the event of damage or loss, this will help with reporting the incident. Reporting the serial number enables manufacturers to take a stolen device out of circulation if it is sent in for repair.
  • Do not store smaller devices such as mobile phones, PDAs, USB sticks, external hard drives, etc. in easily accessible outer pockets. This applies in particular to the outside pockets of backpacks.

  • Set your own "Power On" password or PIN to prevent unauthorised persons from switching on the device.
  • For laptops, set the desired boot options and their order.
  • In particular, switch off unwanted boot options (PXE, USB stick, CD/DVD).
  • Secure the BIOS settings with your own password.
  • Encrypt relevant files, partitions or hard drives. Because it is not always clear where the system stores sensitive data (e.g. in temporary files or system entries), full system encryption is recommended, especially on laptops.
  • Store passwords in encrypted password safes.
  • Remove data that is no longer required from the device.
  • Lock the screen when you move away from the device.
  • Disable the autostart function on laptops before inserting external media (CDs, DVDs, USB sticks, etc.).

The above measures prevent an attacker, finder or thief from gaining access to the stored data, whether immediately or after a successful theft. In the extreme case, the "Power On" password or PIN reduces the device to nothing more than electronic waste for a thief. Deactivating the autostart function prevents malware on compromised data carriers from executing automatically. In Windows, this can usually be achieved by holding down the Shift key while the medium is being detected.

  • Disable the network interfaces for WLAN, Bluetooth, infrared, ... if you are not actively using them.
  • Depending on the device, the interfaces can be disabled/enabled via software or a physical slide switch.
  • If the interfaces are enabled, the following settings can be used to reduce the attack surface.
  • Depending on the interface, the use of a restrictive personal firewall can further reduce the attack surface.

If the drivers or settings are faulty, an attacker can access the device via the interfaces and, in extreme cases, control it remotely (e.g. to initiate a dial-up process to the Internet from outside via Bluetooth and misuse the device as a modem). Disabling the interfaces when not in use also ensures a longer battery life.

WLAN settings

  • Keep the WLAN drivers up to date via the manufacturer's website. These are not part of the Windows Update service!
  • Only allow automatic connection to known, secure WLAN networks.
  • Only allow connections to access points.
  • If possible, only allow access via WPA/WPA2 encrypted networks.
  • Disable the interface when not in use.

Bluetooth settings

  • Operate in "hidden mode" (not discoverable), even while the interface is in active use.
  • Check incoming connection requests. In particular, do not accept any unexpected connections.
  • When pairing with other Bluetooth devices, save the assignment permanently instead of using a PIN each time.
  • Change standard PINs and device names if possible.

In contrast to laptops, mobile phones, smartphones and PDAs often run a proprietary operating system that is stored on the device as firmware. The latest firmware versions can usually be obtained from the retailer or the manufacturer. Before updating the firmware, it is essential to back up the data and applications stored on the device, as these may otherwise be overwritten during the update!

  • Sensitive data should only be stored on encrypted media.
  • In the case of mobile phones or smartphones, data can be stored on the PIN-protected SIM card, for example.
  • If possible, the medium should be removable (CF card, external disk, SD card, SIM card, USB stick).

This can be relevant in cases where the actual device has to be handed over. This may be the case, for example, if a user is not allowed to enter a certain company area with a mobile phone, if a device is checked in the course of a border control or if it simply has to be returned to the retailer/manufacturer for repair.

  • Depending on your network access, use a restrictive firewall setting on the device.
  • In an unfamiliar environment (especially at a WLAN hotspot), the firewall should not allow any access to the device.
  • Different firewall profiles can be used to cater for the different security levels in the secure network at the workplace and in external networks.

Under Windows XP/Vista, the restrictive setting can be achieved by ticking the box "Block all incoming connections" (Vista) or "Do not allow exceptions" (XP) in the firewall settings.
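As an added illustration (not part of the original page), the same two-level approach on Windows Vista and later, where the "Block all incoming connections" checkbox corresponds to the `blockinboundalways` policy of `netsh advfirewall`; the backup path is an assumed placeholder, and the commands must be run from an elevated (administrator) prompt.

```powershell
# Added example, not the original page's script: a restrictive firewall
# profile for unfamiliar networks and a less restrictive one for the
# workplace network, using netsh advfirewall (Windows Vista or later).
# Run from an elevated PowerShell prompt.

# 1. Keep a copy of the current policy so the change can be reverted.
#    The path is an assumed placeholder; choose one that exists.
netsh advfirewall export "C:\Backup\firewall-before.wfw"

# 2. Show what is currently configured for all three profiles.
netsh advfirewall show allprofiles

# 3. Make sure the firewall is switched on for every profile.
netsh advfirewall set allprofiles state on

# 4. Public profile (hotspots, hotel WLAN, ...): block ALL incoming
#    connections, even those an allow rule would normally permit.
#    This is the "Block all incoming connections" setting from the text.
#    The value is quoted so PowerShell passes the comma to netsh intact.
netsh advfirewall set publicprofile firewallpolicy "blockinboundalways,allowoutbound"

# 5. Private profile (own home network): block inbound by default, but
#    let explicit allow rules (e.g. file sharing you set up) still work.
netsh advfirewall set privateprofile firewallpolicy "blockinbound,allowoutbound"

# 6. Domain profile (the "secure" workplace network): default block with
#    exceptions, so management tools permitted by rules keep working.
netsh advfirewall set domainprofile firewallpolicy "blockinbound,allowoutbound"

# 7. Verify: the "Firewall Policy" line of the Public profile must now
#    show the blockinboundalways setting.
netsh advfirewall show publicprofile
```

Windows selects the Public profile automatically for networks you have not classified, which is exactly the case at a hotspot; the Domain profile only applies once the device can reach its domain controller.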

  • Use the university's VPN for communication.
  • If it is not possible to use a VPN, please ensure that you use secure protocols such as HTTPS, IMAPS, ...

In unfamiliar environments (especially in WLAN environments), data traffic can otherwise be recorded by third parties, giving them access to sensitive data such as user IDs, passwords or confidential documents.

  • Regularly back up the data on the mobile device.
  • Particularly for mobile phones, smartphones and PDAs, back up the installed applications, contact data and calendar entries using the software supplied.
  • Synchronise the data on the mobile device with any existing local systems.

A data backup is also necessary for devices such as external hard drives, USB sticks, SD cards, ... as the data stored on these can also be lost due to a user error or hardware defect.

If the battery runs out, the applications and data loaded on PDAs in particular can be lost, as these are often only stored in a RAM-based file system.

  • In public environments, use a privacy filter for displays when editing/viewing sensitive information.
  • Darken your display if necessary.
  • Avoid phone calls with confidential content in public environments.

On the train, on the plane, at the station, ... you are constantly surrounded by other people. Without any precautions on your part, they have a good view of your display from a relatively flat viewing angle or from diagonally behind you when you use a modern laptop. If required, the privacy filters mentioned above can be clamped in front of the display with holders; they restrict the possible viewing angle to approx. +- 30 degrees from the perpendicular. Outside the permitted viewing angle, only a black display can be seen. The films are available for a 15" display for around 50 euros.