Another related problem is foreign intelligence services approaching businessmen at trade fairs and exhibitions with the offer of "gifts." The gifts -- cameras and memory sticks, etc. -- have been found to contain electronic Trojan bugs, which provide remote access to users' computers. Like the checkout card reader attack mentioned above, you can't easily tell the device has been tampered with.
Products that have been infected prior to purchase have the potential to quickly destroy customer confidence in the product and the vendor. Any company building or commissioning IT equipment needs to ensure those devices are fundamentally secure from the moment they are created all the way through to delivery and installation. They need to be handled securely to prevent tampering or need to be switched to ensure the integrity of their products. I know some companies that only allow their employees to use BlackBerrys because they are made entirely in Mexico or Canada and many feel they have tighter control of their supply chain than the iPhone, which contains components manufactured all around the world including China, which is currently at the top of the list when it comes to cyberespionage.
Depending on the nature of your mobile workers' requirements, you may want to consider using devices developed for the National Security Agency's Secure Mobile Environment Portable Electronic Device (SME PED) program, such as the Sectéra Edge. Such devices are certified to protect wireless voice communications classified "top secret" as well as email and websites classified "secret."
Unless you are using a specialist device or software I would never assume that voice calls are secure, so like fax and email, never discuss confidential or sensitive issues on a mobile phone. For each mobile device which purchase, I would suggest that you run a test to see if it tries to make unusual connections via any of the network protocols it can use and review the traffic to ensure data is not being unintentionally sent from the phone. Thankfully, the actual number of software-based attacks on smartphones and PDAs is relatively low, and the few vulnerabilities discovered on smartphone operating systems tend to be fixed quickly. This is probably due to the intense completion among vendors in the enterprise market, where device security and avoiding being victimized by smartphone malware is becoming a key issue.
This was first published in March 2010