With the advent of Windows Mobile 6 came a file system filter driver for encrypting data on Secure Digital (SD) cards, which are frequently used to store sensitive data. Previously, to gain access to users' data, an attacker could simply steal their SD card. Breaking the device's PIN protection was completely unnecessary.
In order to protect users and enterprises alike, Microsoft implemented on-device encryption for SD cards. The down side, however, is that the master key used for this encryption is non-persistent between hard resets. There is currently no escrow mechanism, which is clearly stated by Microsoft: [1]
There isn't any key escrow or recovery in this release. We realize this is very important to many enterprise customers. Feel free to add your comments about how important this is to your organization as it helps us prioritize the work for the future. If you don't want key escrow, that would also be good to hear.
User Interface Spoofing and Its Impact on Security As you may have seen in James O’Connor’s paper, Attack Surface Analysis of Blackberry Devices, there is a bug/vulnerability in Blackberry devices that allows an attacker to spoof the interface that shows a .jad file's signing properties. A .jad file is a Java package format that is frequently used to distribute applications for mobile phones. This spoofing allows an attacker to make a .jad application appear to be signed by a legitimate user or company. The attacker accomplishes this by using a carefully constructed file with the appropriate amount of spaces within certain strings.
Because the susceptibility to this class of attacks is not unique to the BlackBerry or to .jad files, I thought it might make an interesting blog entry. I originally found something...
Some of you may have read my blog article last year about the BlackBerry mobile device: Hacking the BlackBerry along with the associated whitepaper, Blackberry Security: Ripe for the picking? We decided not to widely distribute that paper for a number of reasons, including the fact that the model reviewed was a tad on the old side (BlackBerry 7290 circa 2004). Well, fast-forward to 2007, when I was supplied with a shiny new BlackBerry Pearl 8100 and a blank sheet of paper.
As I alluded to in my previous blog, the Pearl represents a significant departure for Research In Motion; a departure from the world of purely corporate utility, and an arrival at the world of consumer-oriented features. The device sports a beautifully stylized slimline form-factor, a 1.3 megapixel camera, and a removable media card as standard. Of course, all the...
In May of 2006, for my second blog post for Symantec, I penned an entry entitled, "The Elephant Under the Carpet (and when I say 'carpet' I mean PDA). " The purpose of that post was to dispel the myth that Windows CE (and thus Windows Mobile) doesn't have security issues, and to point out that Microsoft had silently patched a number of security-related bugs. At that time, I couldn't see any Windows CE 5.0 security issues patched by Microsoft. This didn't seem right, so I decided it was time to review the situation. This blog post is an update to cover some issues since then.
If you look at Microsoft's Windows CE Critical Updates and Security site, [1] you'll see that there are no issues listed. It's important to point that, due to Microsoft's restrictions around getting information with regards to Windows Mobile, I will only be...
