Video Screencast Help
Security Response

More on Windows CE/Mobile 5

Created: 12 Dec 2006 08:00:00 GMT • Updated: 23 Jan 2014 18:54:32 GMT
Ollie  Whitehouse's picture
0 0 Votes
Login to vote

Bonjour! Carrying on from my previous blog post, here is some more information on Windows CE/Mobile 5 security.


Windows CE and Mobile, like its desktop cousin, can suffer “shatter attacks” across processes. This includes processes running at different levels of trust (please see my previous blog post and the section on One-tier versus Two-tier). For those of you unfamiliar with what shatter attacks are, there is a Microsoft TechNet bulletin that addresses the original assertion that the shatter attack condition can exist.

There are some complexities with exploiting shatter attacks on Windows CE/Mobile aside from standard key-injection attacks, which I won’t go into, but suffice to say they still pose a problem. Microsoft have acknowledged the problem that the shatter class of attacks can pose and they have developed mitigation technologies for Windows Vista, in the form of User Interface Privilege Separation and its related technology, Mandatory Integrity Control.

Network Security Posture

On a port scan of a typical Windows Mobile device, we see the following the following ports open:
137/udp open netbios-ns
138/udp open netbios-dgm
1034/udp open ActiveSync Notifications
2948/udp open WAP-Push

This is interesting for a number of reasons, not least because this provides a means for an attacker to identify a host as being a Windows Mobile device on an access point for a 2.5G or 3G cellular networks (granted if the operator doesn’t do inter-subscriber segregation). Also, port 2948/udp was the port Collin Mulliner utilized in his MMS research on Windows Mobile 2003 SE (Windows CE 4.2) to demonstrate remote code execution on Windows Mobile (which I’ve yet to see a formal advisory be released from Microsoft about – or patch for that matter). Based on this, if the same code is used on Windows Mobile 5, this could be a valid vector of attack. Anyway, I personally think the above situation creates a business case for a personal firewall.

Shared Code

I’m not going to point out the bugs, but I am going to summarize this problem once and for all, so please take heed. Microsoft shares code between product groups, as you would expect. But, they do not (it would seem) identify all affected products in their advisories. During this particular research, Symantec identified numerous bugs in several components of Windows CE/Mobile that were obviously borrowed from the desktop. Yet, while the desktop incarnation had been patched and an advisory issued, the same could not be said for Windows CE/Mobile.

Conclusions for Now

The number of active threats out there for Windows CE/Mobile is very low – no one can argue that. But, it is my opinion that the levels are artificially low, for whatever reason. I think this is partly due to the relatively low number of Windows CE/Mobile devices out there compared to proprietary O/S-based cell phones and Symbian smart devices.

However, Windows CE/Mobile is gaining popularity in North America that can’t be disputed (and also in Europe, although to a lesser degree). If it continues to do so, then it will be attacked more aggressively (especially if the desktop becomes harder to attack). Hopefully, what the past two entries on Windows CE/Mobile have shown is that the level of security on these devices will be a problem, such as it has been on the desktop. If we don’t move to address this now, we run the risk of not learning from our mistakes of yester-year.