YOU ARE HERE: LAT HomeCollections

Is the Wireless Web Safe? Almost

Hackers have a tiny window for breaking into 'smart' phones and hand-held computers, but a number of companies are working to close it.


Consumers aghast at the prospect of their wireless phone conversations' being picked up by the neighbor's baby monitor have a hornet's nest of worries--some real, some imagined--coming with the wireless Web.

The good news is that today's Web-enabled cell phones and wireless palm-top computers are so simple and limited that they are, by default, difficult to hack for theft of information or to impregnate with a virus. And the encryption standard for wireless Web transactions is 99.99% secure.

The bad news? That 0.01% window.

The predominant system for protecting wireless transmissions through hard-to-crack encryption doesn't provide a 100% lock against the most sophisticated hackers. Moreover, by being in the open air, wireless data is theoretically easier to intercept than data transmitted on wires. And the next generation of wireless Web devices could be so widely used and sophisticated that they will only whet the appetites of virus writers and e-commerce hackers.

It's already beginning to happen.

Just this year, as the palm-top computer revolution began veering sharply to the wireless Web realm, the first viruses and Trojan horses were detected. Though relatively contained, they telegraphed hackers' increased fascination with the world of hand-helds and "smart" phones.

Also this year, some users of AT&T and Sprint PCS wireless smart phones were surprised to discover that their private cell phone numbers were being displayed to Web sites they accessed, allowing them to be identified by number the way "cookies" label the wired users of personal computers.

As the number of wireless Web subscribers worldwide blossoms from an estimated 6.6 million in 1999 to an expected 400 million by 2003, according to Bank of America, the problems could quickly magnify, analysts said.

"It's the Wild West all over again," said William Gimello, strategic account manager for RSA Security Inc., a computer security company based in Bedford, Mass. Worse, he said, "everybody's got a gun and there are no licenses."

Aside from an errant smart-phone application that caused some trouble on the wireless data-phone network in Spain earlier this year, there's still no sign that viruses and hacking have made major headway into the wireless world. But that doesn't make the hundreds of security companies, wireless service providers and wireless transaction companies rest any easier about the future.

Even the most tech-savvy companies, such as Cisco Systems Inc., have policies limiting the use of wireless Web devices to send sensitive corporate e-mails, said Rick Smith, engineering manager for Cisco's Internet communications software group. Authentication of the user for each wireless transaction or session will be key to building early confidence in the system.

Smith uses an application known as Soft Token that provides him with a unique ID for each wireless transaction, verified at the receiving end when it is decrypted. Users must enter continually changing personal identification numbers each time they make a stock trade or send an e-mail, matched to a log-in name when starting a session.

Future devices with more storage capability will have built-in encryption, Smith and others said.

Dominick Delfino, systems architect for networking solutions company Integrated Systems Group in Hauppauge, N.Y., said companies and consumers will have to reevaluate their security policies and practices to tailor them for the wireless world. New measures and technologies will be needed to shore up the breaches.

Said Gimello, "It's up to the service provider or the device maker to provide the security protection, but it's up to the consumer to understand the threats."

Though a certain level of healthy concern is justified, Simon Perry, vice president of security solutions at Internet security giant Computer Associates International in Islandia, N.Y., said misperceptions about wireless security threats stand as a major impediment to widespread acceptance. Breaking into the small gap in the wireless Web wall and deciphering vital information would take ultra-sophisticated tools and would even then prove challenging.

"It would be beyond the average Joe with a home PC" to crack that code, Perry said. That noted, Perry added that it's "literally impossible to find out if someone is intercepting wireless data."

The answer, experts agree, is encryption.

At present, nearly 80% of voice cell phone traffic is unencrypted, though digital technology makes it much more difficult to listen in. But wireless data traffic using the Wireless Application Protocol, which lets users link to the Net via any digital wireless network and any wireless device, application and service provider, is encrypted. The encryption is almost total, aside from a minute window when signals jump from the wireless to the wired world. So it's up to companies offering services to protect customers.

Los Angeles Times Articles