Airscanner Vulnerability Summary: Windows Mobile Security Software Fails the Test
Microsoft claims that the Windows Mobile operating system is secure enough for the enterprise. That's not quite true, since unlike Windows XP, handhelds don't have advanced security architecture. For example, PocketPCs have no Kerberos authentication, Encrypting Filesystem, or a built-in firewall. In fact, even the much-touted Mobile2Mobile "secure" signing process for .DLLs and .exes can be bypassed with a simple buffer overflow, thus potentially allowing malware to take over your device [1].
However, once you understand the limitations, you can then plan your Windows Mobile rollout more carefully. Fortunately, there is a great deal of 3rd party security software out there. Unfortunately, much of it is completely insecure. Sadly, Windows Mobile developers have not yet been held up to the same scrutiny as desktop software developers. For instance, you may think your "encrypted" or "secure" data is safe on a Pocket PC because the vendor stated as much, when in reality the data is insecure.
In this paper, we expose some weaknesses in 3rd-party security software for Pocket PC. Note that we are not assigning blame to any of the developers; in fact, some of them responded quickly and were eager to get feedback and to fix the bugs. On the other hand, some were angry, threatening, and even dismissive. For us, it doesn't matter if software has bugs. All software has flaws; that's why you should always use "layered" security. It is the responsiveness of a developer, and their willingness to fix the product, that helps us define a quality developer.
This is not an attempt to criticize any vendors. We selected the target applications at random using the search engines provided by reseller websites. We are also not disparaging the Windows Mobile platform. In fact, we love it and use it every day. We simply want to make it stronger and more secure. By raising user awareness, perhaps more people will pay more attention to how their data is stored. The principle of "security through obscurity" has long been discredited.
Background
According to the 2005 Pointsec Mobile Usage Survey [2], an estimated 22% of PDA owners have lost their devices. Combine this with the statistic that 81% of those lost devices had no protection (e.g. PIN or encryption), and the problem gets worse. Yet the same survey indicates that 37% of PDAs have sensitive information on them, such as passwords, bank account information, corporate data and more.
Thankfully, a security-conscious person can find, download, and install a plethora of software that will help them remain productive, yet keep their data secure inside an encrypted file in the event the device is lost or stolen. On the surface, these programs are an excellent idea. Financial information, passwords, credit card numbers, and even project files can all be locked up and secured. In addition, passwords that are entered into the PDA for service-oriented programs (e.g. remote access, email, chat, etc.) are protected from prying eyes using masking techniques so that an attacker cannot learn that information. Unfortunately, as we discovered, more often than not the security mechanisms are nothing but an illusion at worst, or terribly flawed at best. The end result is that the user is placing their trust in a broken program that is insecure. This paper will address many of the issues we found and what you can look for when investigating the quality of your "secure" program.
[1] Airscanner will be releasing a paper illustrating this in the fourth quarter of 2006.