HCI blog

Friday, December 10, 2004

WAP security gap

Preventing security breaches in wireless communication is an essential challenge. The obvious reasons spring to mind: data protection when sending personal information, and secure transactions. Most communications have a physical barrier, e.g. the individual machines are bolted to workstations and are contained within a padlocked tower, and the doors have various security checks, as in the computer labs in the school's main building. With a wireless connection, however, it becomes hard to keep the communications self-contained. As the data is not traced, it could be intercepted without this activity being detected.

The main device used to access WAP-related content is a mobile phone. These are a lot smaller than laptops and are more easily misplaced, lost or stolen. This means that another person then has access to WAP content dedicated to the owner and could potentially download information from the phone for other fraudulent activity. When you consider that the data stored could be a link to the corporate database, security becomes a key issue.

When the first version of WAP, namely WAP 1.0, was being developed, the high level of security it provided was impressive. It had built-in encryption, WTLS (Wireless Transport Layer Security). WTLS used less power, due to its efficient cryptographic algorithms, and less memory, because of the better compression methods utilized.

Data is sent from the sender to a gateway, which deciphers the message and then re-encrypts it to be sent on to the destination, so the message is briefly unencrypted at the gateway. As long as the gateway at which this occurs is within the trusted domain, this is not a problem. However, if the gateway sits outside the trusted domain, there is a potential security risk.

Firms such as Cylink have developed solutions to combat this risk. Cylink developed an application layer which sits above the WTLS layer and provides two-way cryptographic authentication and seamless end-to-end security.
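The gateway re-encryption described above, and the effect of an application-layer end-to-end wrapper, modelled as an added example (not code from the original post or from Cylink). The SHA-256/HMAC construction is a stand-in for real WTLS and TLS record protection, and all function names, keys and the sample message are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def _subkeys(key):
    # Separate encryption and MAC keys derived from one session key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(key, nonce, n):
    # SHA-256 in counter mode: a stand-in cipher for illustration, not WTLS/TLS.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def gateway_relay(wtls_key, tls_key, record):
    # The gateway ends the wireless leg and re-protects for the wired leg.
    # Returns (record for the server, bytes the gateway held unprotected).
    seen = open_(wtls_key, record)
    return seal(tls_key, seen), seen

def run(message, end_to_end):
    wtls_key, tls_key, app_key = (secrets.token_bytes(32) for _ in range(3))
    # app_key is known to the handset and origin server only, never the gateway.
    payload = seal(app_key, message) if end_to_end else message
    to_server, seen = gateway_relay(wtls_key, tls_key, seal(wtls_key, payload))
    received = open_(tls_key, to_server)
    delivered = open_(app_key, received) if end_to_end else received
    return delivered, seen

if __name__ == "__main__":
    msg = b"PAY 250.00 TO ACCT 12345678"  # constructed sample message
    for e2e in (False, True):
        delivered, seen = run(msg, e2e)
        print(f"end_to_end={e2e} delivered_ok={delivered == msg} "
              f"gateway_saw_plaintext={msg in seen}")
```

Without the application-layer wrapper the gateway holds the full message in the clear; with it, the gateway only ever handles ciphertext it has no key for, while both transport legs still work unchanged.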

Security measures are constantly being updated. Until strong security measures, for example biometrics, have been enforced, it is essential that users of such devices are made aware of the potential risks and that they protect their devices physically and logically, perhaps by enforcing password-restricted access.

A good website with more information on the security gap can be found at: http://www.digigan.com/WAPGap/WAP%20Gap%20for%20Web_files/frame.htm. Another good site is http://www.serverworldmagazine.com/sunserver/2001/01/wapgap.shtml


  • I understand what you are saying, but then isn't that the same with people that have a wireless network, because if they access their online banking from that machine then does it mean that they could be easily a threat than a user of WAP on a secure WAP site? Also, is there a way to tell if a WAP site is secure, like a padlock image?

    By Blogger The Inspired Blogger, at 13 December 2004 at 01:02  
