S 4.255 Use of the IrDA interfaces
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User, Administrator
The Infrared Data Association (IrDA) released specifications initially defining the lower layers of a protocol for an infrared interface where light in the form of infrared radiation is used as a carrier for exchanging data over short distances. Meanwhile, the IrDA also provides higher protocols for different fields of application. Today, the IrDA is supported by all commonly used operating systems; communication of devices such as PDAs and mobile phones to the PC or amongst each other via infrared interface has been established in practice.
The IrDA standard does not specify any security mechanisms against eavesdropping on the data traffic. The data is only protected against transmission errors at the protocol level using checksum methods. Security mechanisms such as authentication, cryptographic integrity protection, and encryption are not available. These must be implemented at an application level, if required. To a certain extent, transmissions are protected due to the very limited range of the infrared beams and the need for a direct line of sight. The security afforded by these systems, though, is less than that afforded by cabled input devices due to the potential for scattering.
When operating devices with IrDA interface, it must be ensured that this interface is only activated if required. Since the protocol does not provide for any authentication, any partner may use the IrDA interface to provide a device with data. For example, a mobile phone with activated IrDA interface accepts SMS messages for sending. A PDA or laptop may also be provided with programs using the IrDA that may contain malicious functions. Furthermore, an activated IrDA interface is an additional drain on the battery of the device.
Since the connection may only be established in a very limited area, eavesdropping on the communication is mostly ruled out. The existing low residual risk based on the scattered radiation of the IrDA components may be minimised further by using additional security mechanisms (e.g. authentication and encryption at an application level) or by replacing IrDA by cabled transmission.
Review questions:
- Are IrDA interfaces on all IT components disabled as long as they are not needed?