S 5.81 Secure transmission of data over mobile phones

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: User, IT Security Officer

Mobile phones are normally used for voice transmission, but they may also be used to transmit data and faxes. Additional accessories are required for some of these services.

Short messages

Using the Short Message Service (SMS), texts with a maximum length of 160 characters can be sent from one mobile phone to another or also to email addresses. The transmission of short messages is always performed via the short message centre, which forwards the messages to the respective recipient.

Short messages are stored on the mobile phone until its memory space is exhausted. Once the memory is full, no further short messages can be received. The network operator only continues trying to deliver further messages for a limited period of time; if no memory space is freed within that period, the network operator deletes the short messages.

On some mobile phones, the period during which the network operator buffers short messages can be changed from the phone. The preset value is normally between 24 and 48 hours. Unless the contract with the network operator provides for it, this option may not be used to extend the storage period; nor should the period be shortened.

In order to be able to send short messages, the telephone number of the short message centre (SMS gateway) must be preset using the corresponding menu on the mobile phone. This is usually already preconfigured on the SIM card by the network operator.

There are diverse offers on the WWW that can be used to send short messages at minimal cost. Using these web offers, it is easy to send a large number of short messages to a mobile phone. The effects of SMS spam are similar to those of email spam (see also T 5.75 Overload due to incoming e-mails): the voice mail and/or the memory space is no longer sufficient, so serious enquiries are not delivered, and the user may also incur (possibly high) costs. The only way to prevent this is to avoid distributing your own telephone number too widely in the first place, i.e. not to publish the number in telephone directories, and/or to refrain from using SMS for a certain period of time once damage has occurred.

It is not possible to reliably identify the sender of an SMS. At most, the sender's telephone number can be used for this, and depending on the network operator and/or the configuration of the mobile phone this number is not always transmitted. When short messages are sent via the internet, generally no unambiguous identification takes place at all. All users should be aware of this so that they can properly assess the plausibility of a message. A message along the lines of "Due to a conversion we require your cash card PIN. Please send your PIN to the specified telephone number. - Your bank." should not be taken seriously. Depending on the content of a received short message, it makes sense to question whether it actually comes from the stated sender.

It frequently happens that short messages are delivered to the wrong recipient because the wrong telephone number was entered or the wrong entry was selected from the telephone book. Even though mobile phone displays are small, the recipient information should be checked before sending.

Faxes

Mobile phones may also be used to send faxes to the fixed network using SMS. Faxes can also be received, provided they meet the restrictions of SMS transmission, in particular that they contain only short text. Furthermore, faxes may also be sent and received using an IT system connected to the mobile phone (e.g. a notebook).

During fax usage, it must be observed similarly to traditional fax machines (see module S 3.402 Fax machine) that

Email

Along with short messages, mobile phones may also be used to send and receive emails. Just like short messages, emails are often limited to 160 characters. If the network operator configured this service, the mobile phone is provided with its own email address.

For some network operators, the email services can be combined with other services. For example, incoming emails can be read out by a voice computer, forwarded to a fax machine, or forwarded to another email address. Outgoing emails can be dictated to the mobile phone and sent as audio file (WAV file).

Just like short messages and faxes, emails may also quickly exhaust the available memory space. Depending on the contract concluded with the network operator, only a limited number of emails may be sent and received per month when using the email function.

Potential security issues and safeguards when using the email function are described in module S 5.3 Groupware. Here it must be borne in mind that the email function of mobile phones is strongly restricted compared to other email applications. Just like SMS, the email function is designed only for transmitting short and transient messages. Security safeguards such as encryption or signatures are not possible in this context (except when using additional modules or specific devices).

The boundaries between the different message types such as SMS, fax, and email are relatively fluid. For users, the differences generally lie not in how the data is entered but in the transmission format. The network operator may also offer further formats such as X.400 or paging.

Data transmission

If the mobile phone is connected to another IT system (e.g. a notebook or an organiser), larger data volumes may also be transmitted. Here, the devices can be connected in different ways depending on the technologies supported by the two devices.

Plug-in card: A plug-in card (PC Card, PCMCIA) is the conventional solution for connecting a mobile phone to a notebook. However, the majority of plug-in cards can only be connected to the mobile phones of a particular manufacturer.
Soft modem: In this solution, specific software is installed on the notebook in place of a plug-in card. The mobile phone is then simply connected to the notebook via the serial interface. In many cases, this solution is less expensive than a plug-in card.
Infrared: An infrared interface can be used to transmit data without any cable from the mobile phone to an IT system (e.g. laptop or organiser). For this, both the mobile phone and the IT system must support IrDA. IrDA (Infrared Data Association) is a global standard for data transmission using infrared.
Bluetooth: Bluetooth is a new standard according to which devices can exchange data with each other via radio over short distances. The Bluetooth technology uses the licence-free ISM (Industrial Scientific Medical) radio band at 2.45 GHz,

During data transmission, e.g. from a laptop using GSM, the transmitted data should be encrypted beforehand on the terminal device. There are numerous programs which allow this to be done easily. Encryption before transmission protects the information along the entire route between sender and recipient. This goes beyond the protection of the air interface between mobile phone and base station, which is standard for GSM. Moreover, messages may also be equipped with a digital signature. Module S 1.7 Crypto-concept contains a description as to how adequate cryptographic procedures and systems can be selected and used.
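As an added illustration of this safeguard (example code, not part of the IT-Grundschutz text), the following Go program encrypts and signs a message on the terminal device before anything is handed to the mobile phone, so that only ciphertext crosses the GSM air interface, the base station and the operator's network. It assumes a 32-byte key pre-shared between sender and recipient and an Ed25519 key pair for the sender, both provisioned out of band as a crypto-concept would prescribe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Envelope is all that reaches the mobile phone and the GSM network:
// nonce, ciphertext and signature, never the plaintext.
type Envelope struct{ Nonce, Ciphertext, Signature []byte }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal runs on the terminal device: AES-GCM under the pre-shared key (assumed to be
// distributed out of band) plus an Ed25519 signature over nonce||ciphertext.
func Seal(key []byte, signer ed25519.PrivateKey, msg []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil)
	sig := ed25519.Sign(signer, append(append([]byte{}, nonce...), ct...))
	return Envelope{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature before decrypting; a message altered anywhere
// between sender and recipient, or not signed by the expected sender, is rejected.
func Open(key []byte, senderPub ed25519.PublicKey, env Envelope) ([]byte, error) {
	signed := append(append([]byte{}, env.Nonce...), env.Ciphertext...)
	if !ed25519.Verify(senderPub, signed, env.Signature) {
		return nil, errors.New("signature invalid: altered in transit or unexpected sender")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // GCM tag also detects tampering
}
```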

Diverse providers can be found on the internet offering additional ringtones, display symbols, or the like for download for different mobile phones. It should be borne in mind that installing such data may render the device inoperative.

Data transmission should be properly controlled in all organisations. All data transmission devices should be approved and their use should be subject to unambiguous rules (see also S 2.204 Prevention of insecure network access).

So that data transmission via GSM interfaces does not open up any security gaps, it should be handled restrictively. For example, no mobile phone cards should be permitted in IT systems used to process sensitive data. The same applies to all IT systems connected to a computer network, so that the firewall protection cannot be undermined.

Review questions: