Is the Wireless Web Safe? Almost

NEWSDAY

Consumers aghast at the prospect of their wireless phone conversations’ being picked up by the neighbor’s baby monitor have a hornet’s nest of worries--some real, some imagined--coming with the wireless Web.

The good news is that today’s Web-enabled cell phones and wireless palm-top computers are so simple and limited that they are, by default, difficult to hack for theft of information or to impregnate with a virus. And the encryption standard for wireless Web transactions is 99.99% secure.

The bad news? That 0.01% window.

The predominant system for protecting wireless transmissions through hard-to-crack encryption doesn’t provide a 100% lock against the most sophisticated hackers. Moreover, by being in the open air, wireless data is theoretically easier to intercept than data transmitted on wires. And the next generation of wireless Web devices could be so widely used and sophisticated that they will only whet the appetites of virus writers and e-commerce hackers.

It’s already beginning to happen.

Just this year, as the palm-top computer revolution began veering sharply to the wireless Web realm, the first viruses and Trojan horses were detected. Though relatively contained, they telegraphed hackers’ increased fascination with the world of hand-helds and “smart” phones.

Also this year, some users of AT&T and Sprint PCS wireless smart phones were surprised to discover that their private cell phone numbers were being displayed to Web sites they accessed, allowing them to be identified by number the way “cookies” label the wired users of personal computers.

As the number of wireless Web subscribers worldwide blossoms from an estimated 6.6 million in 1999 to an expected 400 million by 2003, according to Bank of America, the problems could quickly magnify, analysts said.

“It’s the Wild West all over again,” said William Gimello, strategic account manager for RSA Security Inc., a computer security company based in Bedford, Mass. Worse, he said, “everybody’s got a gun and there are no licenses.”

Aside from an errant smart-phone application that caused some trouble on the wireless data-phone network in Spain earlier this year, there’s still no sign that viruses and hacking have made major headway into the wireless world. But that doesn’t make the hundreds of security companies, wireless service providers and wireless transaction companies rest any easier about the future.

Even the most tech-savvy companies, such as Cisco Systems Inc., have policies limiting the use of wireless Web devices to send sensitive corporate e-mails, said Rick Smith, engineering manager for Cisco’s Internet communications software group. Authentication of the user for each wireless transaction or session will be key to building early confidence in the system.

Smith uses an application known as Soft Token that provides him with a unique ID for each wireless transaction, verified at the receiving end when it is decrypted. Users must enter continually changing personal identification numbers each time they make a stock trade or send an e-mail, matched to a log-in name when starting a session.

Future devices with more storage capability will have built-in encryption, Smith and others said.

Dominick Delfino, systems architect for networking solutions company Integrated Systems Group in Hauppauge, N.Y., said companies and consumers will have to reevaluate their security policies and practices to tailor them for the wireless world. New measures and technologies will be needed to shore up the breaches.

Said Gimello, “It’s up to the service provider or the device maker to provide the security protection, but it’s up to the consumer to understand the threats.”

Though a certain level of healthy concern is justified, Simon Perry, vice president of security solutions at Internet security giant Computer Associates International in Islandia, N.Y., said misperceptions about wireless security threats stand as a major impediment to widespread acceptance. Breaking into the small gap in the wireless Web wall and deciphering vital information would take ultra-sophisticated tools and would even then prove challenging.

“It would be beyond the average Joe with a home PC” to crack that code, Perry said. That noted, Perry added that it’s “literally impossible to find out if someone is intercepting wireless data.”

The answer, experts agree, is encryption.

At present, nearly 80% of voice cell phone traffic is unencrypted, though digital technology makes it much more difficult to listen in. But wireless data traffic using the Wireless Application Protocol, which lets users link to the Net via any digital wireless network and any wireless device, application and service provider, is encrypted. The encryption is almost total, aside from a minute window when signals jump from the wireless to the wired world. So it’s up to companies offering services to protect customers.

“What we would expect,” Perry said, “is that the hand-held device will support encryption and the server itself will support encryption, or that the base stations that hand-held device goes back to will have it.”

One recent development that suggests the urgency of plugging the “gap in the WAP” comes from wireless-application pioneer Phone.com.

Last month, Phone.com introduced a secure wireless network infrastructure that plugs the gap, allowing companies to say for the first time that all their wirelessly transmitted data is encrypted end to end.

The product it developed, called Uplink, will be available to wireless service providers soon.

“It’s the first product that solves the issue,” said Kevin Ellis, senior product marketing manager of security and enterprise applications at Phone.com.

It comes none too soon.

Companies that offer wireless Web services are making some heady predictions about the number of users and the types of services customers will one day be comfortable performing online. For companies such as Great River, N.Y.-based Hand-Trade Technologies, which is developing a service that lets users trade stocks via wireless personal data assistants, there’s an assumption of security from the companies providing the wireless infrastructure.

Wireless Web service providers say despite the pinhole in the encryption process, security of online transactions remains high, perhaps even higher than wired access.

“We have some security schemes in place now that allow wireless transactions to be very secure,” said Ken Woo, a spokesman for AT&T Wireless.

Among other measures, the company has a full-time security group in its wireless division and “about 100 PhDs at AT&T Labs whose full-time work it is to develop new algorithms. We are trying to stay at least 20 steps ahead of the bad guys,” Woo said.

The development of hybrid palm-top computers and smart cellular Web phones, presaged by a recent joint-venture agreement between Motorola Inc. and Palm Inc., suggests that the simplicity and lack of storage capacity that made early smart phones difficult to infect could soon make them the next great challenge for the hacking community.

Larry Swasey, senior vice president of communications research for Allied Business Intelligence, a research company based in Oyster Bay, N.Y., said mobile device makers will have to weigh their desire to build the best encryption hardware into their products against their desire to boast of the best functions and features.

“You’ll need heavy encryption in the handset, but that will come at the expense of something else,” Swasey said. “It could be less viability for the address book, for instance. It’s always a trade-off.”

He suggested that the lucrative potential of the business will force companies to opt for heightened security, primarily for fear of killing the goose before it lays a golden egg.

“It doesn’t take much to scare people away from putting their credit card online,” Swasey said. “Wireless Web access will become lucrative soon, given the investments of some of the world’s largest banks. Initially there may be some worries, but the security and wireless and financial industries will make this happen.”
