Symantec Blogs: Security Response

Ollie Whitehouse | November 20th, 2007

I was interested in getting some rough numbers on publicly disclosed vulnerabilities in Symbian and Windows CE/Mobile platforms and applications. I cannot say with any degree of confidence that what I present below is reflective, simply due to the fact that different bugs get categorized under different vendors, platforms, or keywords. What I can document is the method I used to arrive at the below numbers. I used cve.mitre.org and did the following:

• searched by vendor, platform for Windows Mobile & Windows CE
• searched for keyword MMS picking out those relevant
• searched for keyword SMS picking out those relevant
• searched for keyword Symbian
• searched for keyword Nokia picking out those relevant

So the summary is that there are 16 for Windows CE/Mobile and six for Symbian. I guess this demonstrates people are finding vulnerabilities in these two platforms. If we take out the third party applications on Windows CE/...

Ollie Whitehouse | November 8th, 2007

Well, we’ve arrived at where we’ve been trying to get to for some time. That is to say that we now have the ability to release security advisories for Windows CE & Windows Mobile after working through the accepted responsible disclosure process with Microsoft. It hasn't been easy, with us initially reporting issues back in February 2006, but we’ve finally got here. This really marks a milestone for COTS mobile platforms even though we did achieve something similar back in 2003 with Nokia and their proprietary OS and recently with Palm OS, but getting vendor responses on mobile security issues (with maybe the exception of RIM) has historically been hard work.

A quick thanks to all those involved here at Symantec: Katie (before she left), Tyler, as well as the folks over...

Ollie Whitehouse | October 14th, 2007

O.K. - firstly - long time no blog. Secondly, apologies for that - a mixture of vacation, work, and work travel has recently seen me distracted a little from my blogging duties (my plate spinning is improving, however). Anyway, with the apologies out of the way, onto the subject of this blog. Recently I was invited by Microsoft to speak at BlueHat on Windows CE/Mobile security, even being given a guest spot on their blog and doing a podcast for them. Pedram from TippingPoint has provided a good summary of the talks that saves me from...

Ollie Whitehouse | July 19th, 2007

On the desktop we have many different executable compactors, compressors and encryptors. These are used to protect and/or obfuscate binary files. These can be employed by software authors and malicious code authors to protect their code from reverse engineering (though, typically in vain). A while back, we saw a surge of malicious code authors using these tools to obfuscate their code against signatures. It became a case of:

10 Download executable compactor
20 Pass existing malicious code through it
30 Release on Internet
40 Wait for signature to be added to antivirus
50 GOTO 10

This got a bit boring for antivirus vendors like Symantec, so we introduced executable decompression support to our AV engines (as discussed in the Internet Security Threat...
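The loop above is easier to see in code. The following is an added illustration, not code from the post or from Symantec's engine: a stand-in "packer" (zlib plus a fixed XOR byte under a made-up PKX1 header, both assumed for this example) hides a byte signature from a scanner that only looks at the on-disk bytes, and a scanner that recognises the packer and inflates before matching gets the detection back. Real compactors differ in format, but the evasion effect is the same.

```python
"""Added example (not Symantec's engine code): why a raw byte-signature scanner
misses a packed executable and how unpacking before scanning recovers the match.
The packer here is a stand-in (zlib plus a fixed XOR byte, under a made-up
"PKX1" header); real compactors differ, but the evasion effect is the same."""
import zlib
from typing import List, Optional

# Constructed sample: a made-up payload and a byte signature taken from it.
MALICIOUS_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 12 + b"EVIL_DROPPER_v1" + b"\xcc" * 32
SIGNATURES = {"Trojan.Example.A": b"EVIL_DROPPER_v1"}

PACK_MAGIC = b"PKX1"              # hypothetical packer header, assumed for this example
OBF_KEY = 0x5A                    # packer's fixed obfuscation byte (assumed)
MAX_UNPACKED = 16 * 1024 * 1024   # refuse to inflate past this: decompression-bomb guard


def pack(payload: bytes) -> bytes:
    """Stand-in packer: header, original length, then the compressed-and-XORed body."""
    body = bytes(b ^ OBF_KEY for b in zlib.compress(payload, 9))
    return PACK_MAGIC + len(payload).to_bytes(4, "little") + body


def unpack(blob: bytes) -> Optional[bytes]:
    """Recognise the packer by its header and return the original bytes, or None
    if the blob is not packed, is corrupt, or would inflate beyond MAX_UNPACKED."""
    if len(blob) < 8 or not blob.startswith(PACK_MAGIC):
        return None
    expected_len = int.from_bytes(blob[4:8], "little")
    inflater = zlib.decompressobj()
    try:
        data = inflater.decompress(bytes(b ^ OBF_KEY for b in blob[8:]), MAX_UNPACKED)
    except zlib.error:
        return None
    if inflater.unconsumed_tail or len(data) != expected_len:
        return None
    return data


def scan_raw(blob: bytes) -> List[str]:
    """First-generation scanner: match signatures against the on-disk bytes only."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


def scan_with_unpacking(blob: bytes, max_layers: int = 8) -> List[str]:
    """Scan, then peel known packer layers and scan each one. max_layers bounds the
    loop so a file packed many times over cannot keep the engine busy forever."""
    hits = scan_raw(blob)
    for _ in range(max_layers):
        inner = unpack(blob)
        if inner is None:
            break
        hits.extend(h for h in scan_raw(inner) if h not in hits)
        blob = inner
    return hits


if __name__ == "__main__":
    packed = pack(MALICIOUS_PAYLOAD)
    print("raw scan of packed file:      ", scan_raw(packed))              # []
    print("unpacking scan of packed file:", scan_with_unpacking(packed))   # ['Trojan.Example.A']
```

Two details matter in practice: the inflate step is bounded (a packer stub is an obvious place to hide a decompression bomb), and the layer count is bounded, since "50 GOTO 10" applies to nesting packers as much as to swapping them.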

Ollie Whitehouse | July 15th, 2007

With the advent of Symbian 9 came a new capabilities model that could be seen as akin to mandatory access control, or MAC, which I’ve touched on briefly in the past. If you’re interested in learning more about the Symbian 9 capabilities model, I recommend you go read the Embedded.com article or purchase a copy of Symbian Platform Security Development Architecture from Symbian Press.

FlexiSpy is a spyware program that runs on either the...

Ollie Whitehouse | July 2nd, 2007

If you Google for either "Windows CE" or "Windows Mobile" along with "rootkits" [1] [2], you don’t find anything on the subject. Back in the early part of this year I started a little skunk-works project (which resulted in an internal whitepaper) to understand the techniques that could be employed in rootkitting Windows Mobile devices, and how you would detect them if the bad guys got nasty and started doing so.

The results were, in short, not surprising. There are publicly known methods of API hooking on Windows CE. There is a publicly released keyboard logger written against the .NET Compact Framework, and there are numerous ways to load/inject DLLs into other processes. And, of course, direct kernel object modification is also possible.

The caveat about some of these methods and techniques is that your process needs to be fully trusted in order to weave its magic. So in a properly configured one-tier device that requires signing, or...

Ollie Whitehouse | June 3rd, 2007

So time for another Mind Map. My generic one for Mobile devices last time was received pretty well. I put together the one below for Windows Mobile 6 as part of an internal research project on the new features Microsoft introduced (click for the bigger version) as well as ensuring that functionality in the previous version was captured.



I think it pretty much speaks for itself…. With ubiquity comes a vector/surface explosion... .

P.S. As with last time if you’re going to...

Ollie Whitehouse | April 23rd, 2007

With the advent of Windows Mobile 6 came a file system filter driver for encrypting data on Secure Digital (SD) cards, which are frequently used to store sensitive data. Previously, to gain access to users' data, an attacker could simply steal their SD card. Breaking the device's PIN protection was completely unnecessary.

In order to protect users and enterprises alike, Microsoft implemented on-device encryption for SD cards. The downside, however, is that the master key used for this encryption does not survive a hard reset: once the device is hard reset the key is gone, and with it access to any card encrypted under it. There is currently no escrow mechanism, which is clearly stated by Microsoft: [1]


There isn't any key escrow or recovery in this release. We realize this is very important to many enterprise customers. Feel free to add your comments about how important this is to your organization as it helps us prioritize the work for the future. If you don't want key escrow, that would also be good to hear.

...
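The lifecycle problem above, modelled as an added example (not Microsoft's filter driver and not Symantec's code): a device holds an SD master key only in its own state, a hard reset replaces it, and the card written before the reset becomes unreadable. An escrow step, which the shipped release does not have and which is assumed here purely for illustration, wraps the master key under an enterprise-held key so the card can be recovered afterwards. The cipher is a stand-in keystream built from HMAC-SHA256 so the example runs with the standard library only; the driver's real cipher, key derivation and on-card format are not described on the page and are not modelled.

```python
"""Added example (not Microsoft's or Symantec's code): the key-lifecycle gap described
above, modelled with the Python standard library. The cipher is a stand-in keystream
built from HMAC-SHA256; the filter driver's real cipher, key derivation and on-card
format are not described on the page and are not modelled here."""
import hashlib
import hmac
import os
from typing import Dict

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data against HMAC-SHA256(key, nonce || offset)
    blocks. Confidentiality only; there is no integrity check, so a real design
    would add a MAC or use an authenticated mode."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class MobileDevice:
    """Models the behaviour the post describes: the SD master key exists only in
    device state, and a hard reset replaces it, orphaning every card encrypted
    under the old one."""

    def __init__(self) -> None:
        self.master_key = os.urandom(32)

    def write_card(self, data: bytes) -> bytes:
        return encrypt(self.master_key, data)

    def read_card(self, blob: bytes) -> bytes:
        return decrypt(self.master_key, blob)

    def hard_reset(self) -> None:
        self.master_key = os.urandom(32)  # old key is gone; nothing on the card can recover it

    def escrow_master_key(self, wrapping_key: bytes) -> bytes:
        """Assumed escrow design, which the release described above does not have:
        wrap the master key under an enterprise-held key so a copy can live with
        the card or on a server without exposing the key itself."""
        return encrypt(wrapping_key, self.master_key)

    def restore_master_key(self, wrapped: bytes, wrapping_key: bytes) -> None:
        self.master_key = decrypt(wrapping_key, wrapped)


def demo() -> Dict[str, bytes]:
    """Write a secret to the card, escrow the key, hard-reset, then compare
    recovery with and without the escrowed copy."""
    secret = b"Q3 forecast - company confidential"   # constructed sample data
    enterprise_wrapping_key = os.urandom(32)          # held by the enterprise, never on the card
    device = MobileDevice()
    card = device.write_card(secret)
    wrapped = device.escrow_master_key(enterprise_wrapping_key)

    device.hard_reset()
    after_reset = device.read_card(card)              # wrong key: unreadable garbage

    device.restore_master_key(wrapped, enterprise_wrapping_key)
    after_restore = device.read_card(card)            # escrowed key: data is back

    return {"secret": secret, "after_reset": after_reset, "after_restore": after_restore}


if __name__ == "__main__":
    result = demo()
    print("recoverable without escrow:", result["after_reset"] == result["secret"])    # False
    print("recoverable with escrow:   ", result["after_restore"] == result["secret"])  # True
```

The enterprise wrapping key is the thing an escrow scheme has to protect; whoever holds it can read every card, which is why a production design would put it behind a server or HSM rather than on the device.
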
Ollie Whitehouse | April 18th, 2007

User Interface Spoofing and Its Impact on Security
As you may have seen in James O’Connor’s paper, Attack Surface Analysis of Blackberry Devices, there is a bug/vulnerability in Blackberry devices that allows an attacker to spoof the interface that shows a .jad file's signing properties. A .jad file is a Java package format that is frequently used to distribute applications for mobile phones. This spoofing allows an attacker to make a .jad application appear to be signed by a legitimate user or company. The attacker accomplishes this by using a carefully constructed file with the appropriate amount of spaces within certain strings.

Because the susceptibility to this class of attacks is not unique to the BlackBerry or to .jad files, I thought it might make an interesting blog entry. I originally found something...
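As an added example (not from James O'Connor's paper and not from the post), the following parses a .jad file's "Name: Value" attributes and runs a pre-install check for the padding trick described above: attribute values carrying long internal runs of whitespace, values whose tail falls past the visible width of a fixed-width display, and values that carry signing-status wording of their own. The render_line() function models a hypothetical naive UI that truncates each attribute at the screen width; it is not a model of the BlackBerry's actual interface, and the sample .jad is constructed for the example.

```python
"""Added example (not from the paper or the post): a minimal .jad attribute parser
and a pre-install check for whitespace-padded attribute values. render_line()
models a hypothetical fixed-width UI that truncates at the screen width; it is
not a model of the BlackBerry's actual UI."""
import re
from typing import Dict, List

SCREEN_WIDTH = 48  # assumed display width for the naive renderer

# Constructed sample .jad: MIDlet-Vendor is padded with spaces so that the trailing
# text lands past the visible width of a naive fixed-width display.
SAMPLE_JAD = (
    "MIDlet-Name: Mobile Banking\r\n"
    "MIDlet-Vendor: Trusted Bank plc" + " " * 40 + "(unsigned test build)\r\n"
    "MIDlet-Version: 1.0.3\r\n"
    "MIDlet-Jar-URL: http://example.invalid/bank.jar\r\n"
    "MIDlet-Jar-Size: 48213\r\n"
)

WS_RUN = re.compile(r"[ \t]{3,}")
SIGNING_WORDS = re.compile(r"\b(signed|verified)\b", re.IGNORECASE)


def parse_jad(text: str) -> Dict[str, str]:
    """Parse 'Name: Value' lines. Values keep their internal whitespace verbatim,
    because that is exactly what a UI will go on to render."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed JAD line: {line!r}")
        attrs[name.strip()] = value.lstrip(" ")  # only leading spaces after the colon are dropped
    return attrs


def render_line(label: str, value: str, width: int = SCREEN_WIDTH) -> str:
    """Hypothetical naive UI: one line per attribute, cut off at the screen width."""
    return (label + ": " + value)[:width]


def check_jad(attrs: Dict[str, str], width: int = SCREEN_WIDTH) -> List[str]:
    """Flag attributes whose rendering could mislead the user: internal whitespace
    runs, text pushed beyond the display width, and self-declared signing status."""
    findings: List[str] = []
    for name, value in attrs.items():
        if WS_RUN.search(value):
            findings.append(f"{name}: internal whitespace run (possible padding)")
        hidden = (name + ": " + value)[width:].strip()
        if hidden:
            findings.append(f"{name}: text hidden beyond display width: {hidden!r}")
        if SIGNING_WORDS.search(value):
            findings.append(f"{name}: value contains signing-status wording")
    return findings


if __name__ == "__main__":
    attrs = parse_jad(SAMPLE_JAD)
    for name, value in attrs.items():
        print(render_line(name, value))      # what the naive UI would show
    for finding in check_jad(attrs):
        print("WARNING:", finding)
```

The renderer shows the user "MIDlet-Vendor: Trusted Bank plc" and nothing else; only the check reveals the hidden tail. The same check transfers to any manifest-style format whose fields are shown to the user before a trust decision.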

Ollie Whitehouse | April 11th, 2007

In May of 2006, for my second blog post for Symantec, I penned an entry entitled, "The Elephant Under the Carpet (and when I say 'carpet' I mean PDA). " The purpose of that post was to dispel the myth that Windows CE (and thus Windows Mobile) doesn't have security issues, and to point out that Microsoft had silently patched a number of security-related bugs. At that time, I couldn't see any Windows CE 5.0 security issues patched by Microsoft. This didn't seem right, so I decided it was time to review the situation. This blog post is an update to cover some issues since then.

If you look at Microsoft's Windows CE Critical Updates and Security site, [1] you'll see that there are no issues listed. It's important to point out that, due to Microsoft's restrictions around getting information with regards to Windows Mobile, I will only be...

Ollie Whitehouse | February 5th, 2007

Recently my boss provided me with a license for some mind-mapping software (if you’re curious, it’s MindManager from MindJet). So, I took it for a spin on a subject close to my heart and if you’re a regular reader I’m betting you’ll be able to guess what it is – yep, mobile device threats.

For mobile device threats, I found that it was actually quite a good way to communicate the threats modern mobile devices face today. You can see the results below (click on the image for a larger version). This rocked for several reasons, not least because it saved me from having to type out long and rambling descriptions while trying, poorly, to communicate their relationships. The threats shown below are the most applicable to modern smart devices, yet certain categories also apply to legacy mobile devices running proprietary operating systems.

...

Ollie Whitehouse | January 30th, 2007

So, it's Tuesday morning in London town and I've been up since 6:00 a.m. staring at a monitor, trying to free myself from PowerPoint hell (it's all rock and roll I tell ya!). Anyway, this morning I stumbled across an InfoWorld article entitled “Hackers to target mobile banking, study says.” This article seems to have been spun out of a press release by the Tower Group entitled “Increases in Mobile Fraud and ID Theft Could Hamper Mobile Payment / Banking Initiatives.” The press release, in turn, references a report entitled “Fraud, Virus and ID Theft: Mobile Malware Stands to Create a New Beginning.” While I've not read the report and may not agree with the notion that security issues hamper payment / banking initiatives (just look at the world that is the Internet—yeah, security really hampered that...

Ollie Whitehouse | January 12th, 2007

Back in November, I gave a presentation to a cellular industry conference entitled “Overcoming Mobile IM Security Threats.” The purpose of this presentation was to identify the types of threats that IM has faced in the desktop world, discuss how these threats could move to the mobile world, and cover how threats could be mitigated by operators and independent software vendors before services are launched.

The threats that utilize IM are well documented by Symantec and others. An interesting thing about Mobile IM is that users of these devices can and have started popping up on legacy Internet-based IM networks. There had been talk of operators going down the route of closed IM networks for their subscribers, but now it is clear that some operators are choosing public Internet-based IM networks. This means that these Mobile IM clients...

Ollie Whitehouse | January 10th, 2007

UMA (Unlicensed Mobile Access) is a set of specifications now known as “Generic access to the A/Gb interface; Stage 2.” The purpose of these specifications is to allow cellular operators to terminate cellular services over unlicensed mediums that utilize IP. The original specifications catered to Bluetooth and WiFi, so the benefits of such a technology should be obvious. In the home or in metropolitan areas, it allows operators to move away from technologies that are costly, slower, higher-latency, or bandwidth-limited. By doing so, they reduce their own costs and improve user experience.

In March 2006, I wrote an internal Symantec paper entitled “UMA Attack Surface Analysis.” The purpose of this paper was to discuss the increased risks that subscribers or operators may be exposed to as a result of deploying UMA technologies. While I’m not...

Ollie Whitehouse | December 30th, 2006

Collin Mulliner gave an updated version of his presentation at 23C3 in Berlin titled ‘Advanced Attacks Against PocketPC Phones’ (we originally blogged about it in August). As I previously mentioned, one of the vulnerabilities he discussed had, to my knowledge, still not been patched. Well Collin confirmed this in his presentation and also released a working exploit for the vulnerability to liven things...