FMS in the enterprise

Value-conscious consumers are increasingly wondering why they need to pay for two phones, and deciding to save by ditching their wireline phone. This is technically termed FMS – Fixed Mobile Substitution, . Will the same thing happen in the business phone world? There’s a precedent for it. Desktop computers are being routed from offices by mobile PCs. Could desktop phones be displaced by mobile ones in the same way? It has been reported that more than half of calls made from businesses are cellular, so the substitution in usage is well under way already.

There are several objections. The sound quality of cellular conversations is abysmal. The cost per minute is much higher. Business desk phones have all sorts of features that cell phones lack. The form factor of cell phones is inconvenient in some ways – you can’t clamp them to your ear with your shoulder, to free up your hands. Plus cordless phones have been available for PBXs for years, and they have sold very badly.

Almost everybody in business has a cell phone. There is no way that these people are going to abandon their cell phones, but if the technical and usability obstacles are removed, they may see no further need for a desk phone. Cutting this expense has to be attractive to businesses focussed on ROI.

Wi-Fi Security Risks

Ray Naraine talks about exploits on Wi-Fi networks, how easy they are, first with a tool called Silica, then with free software running on a Nokia N800.

Exploits of this type can be prevented by elementary network hygiene, using the authentication and encryption techniques of 802.11i.
A different kind of vulnerability has been described by “Johnny Cache.” This type of vulnerability is more insidious.

In lab tests it has been possible for a device masquerading as an access point to respond to probe frames (which must always be sent in the clear before any authentication can take place) with a mal-formed packet that causes a buffer overrun in the computer that is looking for a network. Because these buffer overruns are in the 802.11 driver they can be designed to execute hostile code in kernel mode.
Of course this type of vulnerability is specific to particular implementations of the Wi-Fi driver, and all the reported ones have been fixed. More reassuring, there is no reported case of this type of exploit actually being done in the wild. But the principle remains that a badly written network driver can compromise your security regardless of the higher level measures you take, and that wireless networks are more vulnerable to this type of exploit than wired.

So, is Wi-Fi too insecure for corporate use? Neither of the two classes of vulnerability discussed here seem to be stoppers. The Naraine exploits are addressed by simple common sense; the known driver vulnerabilities were repaired before anybody exploited them in the wild. There are almost certainly more like that waiting to be found, but on the scale of risks, this has so far ranked low compared to the many widely publicized instances of physical theft of a laptop.