Network World

Security of handhelds far too lax, experts say

By John Cox and Denise Dubie, Network World, 11/24/2003

LAS VEGAS - Traversing the carpeted walkways of the Las Vegas Convention Center last week, Caleb Sima looked like many other programmers at Comdex: young, lean, laid-back and with a taste for earth tones.

What was less apparent is that he also has a penchant for uncovering new security threats.


"I dabble in cell phone security for fun," said the CTO and co-founder of Spi Dynamics, an Atlanta company that makes software for uncovering vulnerabilities in Web applications. Sima spoke on a panel about the growing handheld security threat, a hot topic at a conference where dozens of mobile network products were on display.

What Sima said he has learned dabbling with cell phone security is that no one - not software developers, carriers, corporate network executives and certainly not end users - appears to have looked seriously at this issue. This, despite the fact that millions of cell phones are now in the hands of corporate employees.

Sima recently began playing with Short Message Service (SMS) as a way to launch a denial-of-service attack against cell phone users, using his own phone and those of co-workers. "I can send 1,000 SMS messages to your cell phone in the blink of an eye," he said. "And I can do it anonymously." He created an SMS flood, as he terms it, that rendered his cell phone unable to make or take calls.

After the experiment, he contacted his cellular carrier, T-Mobile, and asked if it could stop or block an SMS flood. He said the answer was "no."

Rubbing salt into the wound was his subsequent discovery that T-Mobile charges the subscriber on the receiving end of the flood for every SMS message over a certain limit. Sima paid more than $30 for being attacked.

Two IT professionals from a big aerospace company sat glumly at the end of Sima's presentation. They heard him say, "People can attack your phones and PDAs very easily."

"It's alarming," says Fred Brooks, who heads an IT team supporting executives at the aerospace company, which he requested not be named.

His end users have Research In Motion Blackberries, which sport an array of built-in security and data-protection features. But cell phones and smart phones are another matter.

"We forbid cell phones with cameras," Brooks says. "But how do you enforce that? We don't have the resources or the mandate to pat people down [and physically search them]."

That could be next, as network executives realize the scope and seriousness of the potential security problem.

"One of our enterprise customers stated the problem very clearly," says Dave Nagel, chairman and CEO of PalmSource, the recent Palm spinoff that has responsibility for the PalmOS operating system. "He said, 'I have a $250 device with $250 million worth of corporate data. How are you going to help us protect that?'

"A lot of the problems have to be solved in the network and in the device itself," Nagel says.

Comments (1)

Security of handhelds far too lax, experts say
By Anonymous on December 7, 2006, 9:31 am

I down up loaded pictures from my phone into my computer system and contracted a virus called sms Flood, or Trojan horse Flooder.AKE, is this related to your topic....
